Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/internal/trust_store_mac_unittest.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/trust_store_mac.h"
 
 #include "base/base_paths.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/path_service.h"
@@ skipping 109 matching lines @@
   ASSERT_TRUE(ReadTestCert("multi-root-A-by-B.pem", &a_by_b));
   ASSERT_TRUE(ReadTestCert("multi-root-B-by-C.pem", &b_by_c));
   ASSERT_TRUE(ReadTestCert("multi-root-B-by-F.pem", &b_by_f));
   ASSERT_TRUE(ReadTestCert("multi-root-C-by-D.pem", &c_by_d));
   ASSERT_TRUE(ReadTestCert("multi-root-C-by-E.pem", &c_by_e));
   ASSERT_TRUE(ReadTestCert("multi-root-F-by-E.pem", &f_by_e));
   ASSERT_TRUE(ReadTestCert("multi-root-D-by-D.pem", &d_by_d));
   ASSERT_TRUE(ReadTestCert("multi-root-E-by-E.pem", &e_by_e));
 
   base::ScopedCFTypeRef<CFDataRef> normalized_name_b =
-      TrustStoreMac::GetMacNormalizedIssuer(a_by_b);
+      TrustStoreMac::GetMacNormalizedIssuer(a_by_b.get());
   ASSERT_TRUE(normalized_name_b);
   base::ScopedCFTypeRef<CFDataRef> normalized_name_c =
-      TrustStoreMac::GetMacNormalizedIssuer(b_by_c);
+      TrustStoreMac::GetMacNormalizedIssuer(b_by_c.get());
   ASSERT_TRUE(normalized_name_c);
   base::ScopedCFTypeRef<CFDataRef> normalized_name_f =
-      TrustStoreMac::GetMacNormalizedIssuer(b_by_f);
+      TrustStoreMac::GetMacNormalizedIssuer(b_by_f.get());
   ASSERT_TRUE(normalized_name_f);
   base::ScopedCFTypeRef<CFDataRef> normalized_name_d =
-      TrustStoreMac::GetMacNormalizedIssuer(c_by_d);
+      TrustStoreMac::GetMacNormalizedIssuer(c_by_d.get());
   ASSERT_TRUE(normalized_name_d);
   base::ScopedCFTypeRef<CFDataRef> normalized_name_e =
-      TrustStoreMac::GetMacNormalizedIssuer(f_by_e);
+      TrustStoreMac::GetMacNormalizedIssuer(f_by_e.get());
   ASSERT_TRUE(normalized_name_e);
 
   // Test that the matching keychain items are found, even though they aren't
   // trusted.
+  // TODO(eroman): These tests could be using TrustStore::SyncGetIssuersOf().
   {
     base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
         TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
             normalized_name_b.get());
 
     EXPECT_THAT(SecCertificateArrayAsDER(scoped_matching_items),
                 UnorderedElementsAreArray(
                     ParsedCertificateListAsDER({b_by_c, b_by_f})));
   }
 
@@ skipping 26 matching lines @@
 
   {
     base::ScopedCFTypeRef<CFArrayRef> scoped_matching_items =
         TrustStoreMac::FindMatchingCertificatesForMacNormalizedSubject(
             normalized_name_e.get());
     EXPECT_THAT(
         SecCertificateArrayAsDER(scoped_matching_items),
         UnorderedElementsAreArray(ParsedCertificateListAsDER({e_by_e})));
   }
 
-  // None of the certs should return any matching TrustAnchors, since the test
-  // certs in the keychain aren't trusted (unless someone manually added and
-  // trusted the test certs on the machine the test is being run on).
+  // Verify that none of the added certificates are considered trusted (since
+  // the test certs in the keychain aren't trusted, unless someone manually
+  // added and trusted the test certs on the machine the test is being run on).
   for (const auto& cert :
        {a_by_b, b_by_c, b_by_f, c_by_d, c_by_e, f_by_e, d_by_d, e_by_e}) {
-    TrustAnchors matching_anchors;
-    trust_store.FindTrustAnchorsForCert(cert, &matching_anchors);
-    EXPECT_EQ(0u, matching_anchors.size());
+    CertificateTrust trust = CertificateTrust::ForTrustAnchor();
+    trust_store.GetTrust(cert.get(), &trust);
+    EXPECT_EQ(CertificateTrustType::UNSPECIFIED, trust.type);
   }
 }
 
 // Test against all the certificates in the default keychains. Confirms that
 // the computed trust value matches that of SecTrustEvaluate.
 TEST(TrustStoreMacTest, SystemCerts) {
   // Get the list of all certificates in the user & system keychains.
   // This may include both trusted and untrusted certificates.
   //
   // The output contains zero or more repetitions of:
@@ skipping 44 matching lines @@
     ParseCertificateOptions options;
     // For https://crt.sh/?q=D3EEFBCBBCF49867838626E23BB59CA01E305DB7:
     options.allow_invalid_serial_numbers = true;
     scoped_refptr<ParsedCertificate> cert = ParsedCertificate::Create(
         x509_util::CreateCryptoBuffer(cert_der), options, &errors);
     if (!cert) {
       LOG(WARNING) << "ParseCertificate::Create " << hash_text << " failed:\n"
                    << errors.ToDebugString();
       continue;
     }
+    // Check if this cert is considered a trust anchor by TrustStoreMac.
+    CertificateTrust cert_trust;
+    trust_store.GetTrust(cert, &cert_trust);
+    bool is_trust_anchor = cert_trust.IsTrustAnchor();
 
+    // Check if this cert is considered a trust anchor by the OS.
     base::ScopedCFTypeRef<SecCertificateRef> cert_handle(
         x509_util::CreateSecCertificateFromBytes(cert->der_cert().UnsafeData(),
                                                  cert->der_cert().Length()));
     if (!cert_handle) {
       ADD_FAILURE() << "CreateOSCertHandleFromBytes " << hash_text;
       continue;
     }
-    base::ScopedCFTypeRef<CFDataRef> mac_normalized_subject;
-    {
-      base::AutoLock lock(crypto::GetMacSecurityServicesLock());
-      mac_normalized_subject.reset(
-          SecCertificateCopyNormalizedSubjectContent(cert_handle, nullptr));
-    }
-    if (!mac_normalized_subject) {
-      ADD_FAILURE() << "SecCertificateCopyNormalizedSubjectContent "
-                    << hash_text;
-      continue;
-    }
-
-    // Check if this cert is considered a trust anchor by TrustStoreMac.
-    TrustAnchors trust_anchors;
-    trust_store.FindTrustAnchorsByMacNormalizedSubject(mac_normalized_subject,
-                                                       &trust_anchors);
-    bool is_trust_anchor = false;
-    for (const auto& anchor : trust_anchors) {
-      ASSERT_TRUE(anchor->cert());
-      if (anchor->cert()->der_cert() == cert->der_cert())
-        is_trust_anchor = true;
-    }
-
-    // Check if this cert is considered a trust anchor by the OS.
     base::ScopedCFTypeRef<SecTrustRef> trust;
     {
       base::AutoLock lock(crypto::GetMacSecurityServicesLock());
       ASSERT_EQ(noErr,
                 SecTrustCreateWithCertificates(cert_handle, sec_policy,
                                                trust.InitializeInto()));
       ASSERT_EQ(noErr,
                 SecTrustSetOptions(
                     trust,
                     kSecTrustOptionLeafIsCA | kSecTrustOptionAllowExpiredRoot));
 
       SecTrustResultType trust_result;
       ASSERT_EQ(noErr, SecTrustEvaluate(trust, &trust_result));
       bool expected_trust_anchor =
           ((trust_result == kSecTrustResultProceed) ||
            (trust_result == kSecTrustResultUnspecified)) &&
           (SecTrustGetCertificateCount(trust) == 1);
       EXPECT_EQ(expected_trust_anchor, is_trust_anchor);
     }
   }
 }
 
 }  // namespace net