Allow the TrustStore interface to return matching intermediates, and identify distrusted certs.

net/cert/internal/verify_certificate_chain.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 
 #include <vector>
 
 #include "base/compiler_specific.h"
 #include "base/memory/ref_counted.h"
 #include "net/base/net_export.h"
 #include "net/cert/internal/cert_errors.h"
 #include "net/cert/internal/parsed_certificate.h"
 #include "net/der/input.h"
 
 namespace net {
 
 namespace der {
 struct GeneralizedTime;
 }
 
 class SignaturePolicy;
-class TrustAnchor;
+struct CertificateTrust;
 
 // The key purpose (extended key usage) to check for during verification.
 enum class KeyPurpose {
   ANY_EKU,
   SERVER_AUTH,
   CLIENT_AUTH,
 };
 
 // VerifyCertificateChain() verifies an ordered certificate path in accordance
 // with RFC 5280 (with some modifications [1]).
@@ skipping 16 matching lines @@
 //
 // TODO(eroman): Take a CertPath instead of ParsedCertificateList +
 //               TrustAnchor.
 //
 // ---------
 // Inputs
 // ---------
 //
 //   cert_chain:
 //     A non-empty chain of N DER-encoded certificates, listed in the
-//     "forward" direction.
+//     "forward" direction. The first certificate is the target certificate to
+//     verify, and the last certificate has trustedness given by
+//     |last_cert_trust|.
 //
 //      * cert_chain[0] is the target certificate to verify.
 //      * cert_chain[i+1] holds the certificate that issued cert_chain[i].
-//      * cert_chain[N-1] must be issued by the trust anchor.
+//      * cert_chain[N-1] the root certificate
 //
-//   trust_anchor:
-//     Contains the trust anchor (root) used to verify the chain. Must be
-//     non-null.
+//   last_cert_trust:
+//     Trustedness of certs.back(). The trustedness of certs.back() MUST BE
+//     decided by the caller -- this function takes it purely as an input.
+//     Moreover, the CertificateTrust can be used to specify trust anchor
+//     constraints [1]
 //
 //   signature_policy:
 //     The policy to use when verifying signatures (what hash algorithms are
 //     allowed, what length keys, what named curves, etc).
 //
 //   time:
 //     The UTC time to use for expiration checks.
 //
 //   key_purpose:
 //     The key purpose that the target certificate needs to be valid for.
 //
 // ---------
 // Outputs
 // ---------
-//
-//   Returns true if the target certificate can be verified.
-//   TODO(eroman): This return value is redundant with the |errors| parameter.
-//
 //   errors:
 //     Must be non-null. The set of errors/warnings encountered while
 //     validating the path are appended to this structure. If verification
-//     failed, then there is guaranteed to be at least 1 error written to
-//     |errors|.
-NET_EXPORT bool VerifyCertificateChain(const ParsedCertificateList& certs,
-                                       const TrustAnchor* trust_anchor,
+//     failed, then there is guaranteed to be at least 1 high severity error
+//     written to |errors|.
+//
+// [1] Conceptually VerifyCertificateChain() sets RFC 5937's
+// "enforceTrustAnchorConstraints" to true. And one specifies whether to
+// interpret a root certificate as having trust anchor constraints through the
+// |last_cert_trust| parameter. The constraints are just a subset of the
+// extensions present in the certificate:
+//
+//  * Signature:             No
+//  * Validity (expiration): No
+//  * Key usage:             No
+//  * Extended key usage:    Yes (not part of RFC 5937)
+//  * Basic constraints:     Yes, but only the pathlen (CA=false is accepted)
+//  * Name constraints:      Yes
+//  * Certificate policies:  Not currently, TODO(crbug.com/634453)
+//  * inhibitAnyPolicy:      Not currently, TODO(crbug.com/634453)
+//  * PolicyConstraints:     Not currently, TODO(crbug.com/634452)
+//
+// The presence of any other unrecognized extension marked as critical fails
+// validation.
+NET_EXPORT void VerifyCertificateChain(const ParsedCertificateList& certs,
+                                       const CertificateTrust& last_cert_trust,
                                        const SignaturePolicy* signature_policy,
                                        const der::GeneralizedTime& time,
                                        KeyPurpose required_key_purpose,
                                        CertPathErrors* errors);
 
 // TODO(crbug.com/634443): Move exported errors to a central location?
 extern CertErrorId kValidityFailedNotAfter;
 extern CertErrorId kValidityFailedNotBefore;
 
 }  // namespace net
 
 #endif  // NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_