Add tests for Cast certificate interpretation of policies.

components/cast_certificate/cast_cert_validator.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/cast_certificate/cast_cert_validator.h"
 
 #include <stddef.h>
 #include <stdint.h>
 
 #include <algorithm>
@@ skipping 140 matching lines @@
   for (const net::RelativeDistinguishedName& rdn : rdn_sequence) {
     for (const auto& atv : rdn) {
       if (atv.type == net::TypeCommonNameOid()) {
         return atv.ValueAsString(common_name);
       }
     }
   }
   return false;
 }
 
+// Cast device certificates use the policy 1.3.6.1.4.1.11129.2.5.2 to indicate
+// it is *restricted* to an audio-only device whereas the absence of a policy
+// means it is unrestricted.
+//
+// This is somewhat different than RFC 5280's notion of policies, so policies
+// are checked separately outside of path building.
+//
+// See the unit-tests VerifyCastDeviceCertTest.Policies* for some
+// concrete examples of how this works.
+void DetermineDeviceCertificatePolicy(
+    const net::CertPathBuilder::ResultPath* result_path,
+    CastDeviceCertPolicy* policy) {
+  // Iterate over all the certificates, including the root certificate. If any
+  // certificate contains the audio-only policy, the whole chain is considered
+  // constrained to audio-only device certificates.
+  //
+  // Policy mappings are not accounted for. The expectation is that top-level
+  // intermediates issued with audio-only will have no mappings. If subsequent
+  // certificates in the chain do, it won't matter as the chain is already
+  // restricted to being audio-only.
+  bool audio_only = false;
+  for (const auto& cert : result_path->path.certs) {
+    if (cert->has_policy_oids()) {
+      const std::vector<net::der::Input>& policies = cert->policy_oids();
+      if (std::find(policies.begin(), policies.end(), AudioOnlyPolicyOid()) !=
+          policies.end()) {
+        audio_only = true;
+        break;
+      }
+    }
+  }
+
+  *policy = audio_only ? CastDeviceCertPolicy::AUDIO_ONLY
+                       : CastDeviceCertPolicy::NONE;
+}
+
 // Checks properties on the target certificate.
 //
 //   * The Key Usage must include Digital Signature
-//   * May have the policy 1.3.6.1.4.1.11129.2.5.2 to indicate it
-//     is an audio-only device.
 WARN_UNUSED_RESULT bool CheckTargetCertificate(
     const net::ParsedCertificate* cert,
-    std::unique_ptr<CertVerificationContext>* context,
-    CastDeviceCertPolicy* policy) {
+    std::unique_ptr<CertVerificationContext>* context) {
   // Get the Key Usage extension.
   if (!cert->has_key_usage())
     return false;
 
   // Ensure Key Usage contains digitalSignature.
   if (!cert->key_usage().AssertsBit(net::KEY_USAGE_BIT_DIGITAL_SIGNATURE))
     return false;
 
-  // Check for an optional audio-only policy extension.
-  //
-  // TODO(eroman): Use |user_constrained_policy_set| that was output from
-  // verification instead. (Checking just the leaf certificate's policy
-  // assertion doesn't take into account policy restrictions on intermediates,
-  // policy constraints/inhibits, or policy re-mappings).
-  *policy = CastDeviceCertPolicy::NONE;
-  if (cert->has_policy_oids()) {
-    const std::vector<net::der::Input>& policies = cert->policy_oids();
-    // Look for an audio-only policy. Disregard any other policy found.
-    if (std::find(policies.begin(), policies.end(), AudioOnlyPolicyOid()) !=
-        policies.end()) {
-      *policy = CastDeviceCertPolicy::AUDIO_ONLY;
-    }
-  }
-
   // Get the Common Name for the certificate.
   std::string common_name;
   if (!GetCommonNameFromSubject(cert->tbs().subject_tlv, &common_name))
     return false;
 
   context->reset(
       new CertVerificationContextImpl(cert->tbs().spki_tlv, common_name));
   return true;
 }
 
@@ skipping 70 matching lines @@
       net::KeyPurpose::CLIENT_AUTH, net::InitialExplicitPolicy::kFalse,
       {net::AnyPolicy()}, net::InitialPolicyMappingInhibit::kFalse,
       net::InitialAnyPolicyInhibit::kFalse, &result);
   path_builder.AddCertIssuerSource(&intermediate_cert_issuer_source);
   path_builder.Run();
   if (!result.HasValidPath()) {
     // TODO(crbug.com/634443): Log error information.
     return false;
   }
 
-  // Check properties of the leaf certificate (key usage, policy), and construct
-  // a CertVerificationContext that uses its public key.
-  if (!CheckTargetCertificate(target_cert.get(), context, policy))
+  // Determine whether this device certificate is restricted to audio-only.
+  DetermineDeviceCertificatePolicy(result.GetBestValidPath(), policy);
+
+  // Check properties of the leaf certificate not already verified by path
+  // building (key usage), and construct a CertVerificationContext that uses
+  // its public key.
+  if (!CheckTargetCertificate(target_cert.get(), context))
     return false;
 
   // Check if a CRL is available.
   if (!crl) {
     if (crl_policy == CRLPolicy::CRL_REQUIRED) {
       return false;
     }
   } else {
     if (!crl->CheckRevocation(result.GetBestValidPath()->path, time)) {
       return false;
     }
   }
   return true;
 }
 
 std::unique_ptr<CertVerificationContext> CertVerificationContextImplForTest(
     const base::StringPiece& spki) {
   // Use a bogus CommonName, since this is just exposed for testing signature
   // verification by unittests.
   return base::MakeUnique<CertVerificationContextImpl>(net::der::Input(spki),
                                                        "CommonName");
 }
 
 }  // namespace cast_certificate