1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <iostream>
6
7 #include "base/at_exit.h"
8 #include "base/command_line.h"
9 #include "base/functional/bind.h"
10 #include "base/functional/callback_helpers.h"
11 #include "base/logging.h"
12 #include "base/message_loop/message_pump_type.h"
13 #include "base/strings/string_split.h"
14 #include "base/synchronization/waitable_event.h"
15 #include "base/task/thread_pool/thread_pool_instance.h"
16 #include "base/threading/thread.h"
17 #include "base/time/time.h"
18 #include "build/build_config.h"
19 #include "net/cert/cert_net_fetcher.h"
20 #include "net/cert/cert_verify_proc.h"
21 #include "net/cert/cert_verify_proc_builtin.h"
22 #include "net/cert/crl_set.h"
23 #include "net/cert/internal/system_trust_store.h"
24 #include "net/cert/x509_util.h"
25 #include "net/cert_net/cert_net_fetcher_url_request.h"
26 #include "net/tools/cert_verify_tool/cert_verify_tool_util.h"
27 #include "net/tools/cert_verify_tool/verify_using_cert_verify_proc.h"
28 #include "net/tools/cert_verify_tool/verify_using_path_builder.h"
29 #include "net/url_request/url_request_context.h"
30 #include "net/url_request/url_request_context_builder.h"
31 #include "net/url_request/url_request_context_getter.h"
32 #include "third_party/boringssl/src/pki/trust_store.h"
33 #include "third_party/boringssl/src/pki/trust_store_collection.h"
34
35 #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
36 #include "net/proxy_resolution/proxy_config.h"
37 #include "net/proxy_resolution/proxy_config_service_fixed.h"
38 #endif
39
40 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
41 #include "net/cert/internal/trust_store_chrome.h"
42 #endif
43
44 namespace {
45
46 enum class RootStoreType {
47 // No roots other than those explicitly passed in on the command line.
48 kEmpty,
49 #if !BUILDFLAG(CHROME_ROOT_STORE_ONLY)
50 // Use the system root store.
51 kSystem,
52 #endif
53 // Use the Chrome Root Store.
54 kChrome
55 };
56
GetUserAgent()57 std::string GetUserAgent() {
58 return "cert_verify_tool/0.1";
59 }
60
SetUpOnNetworkThread(std::unique_ptr<net::URLRequestContext> * context,scoped_refptr<net::CertNetFetcherURLRequest> * cert_net_fetcher,base::WaitableEvent * initialization_complete_event)61 void SetUpOnNetworkThread(
62 std::unique_ptr<net::URLRequestContext>* context,
63 scoped_refptr<net::CertNetFetcherURLRequest>* cert_net_fetcher,
64 base::WaitableEvent* initialization_complete_event) {
65 net::URLRequestContextBuilder url_request_context_builder;
66 url_request_context_builder.set_user_agent(GetUserAgent());
67 #if BUILDFLAG(IS_LINUX) || BUILDFLAG(IS_CHROMEOS)
68 // On Linux, use a fixed ProxyConfigService, since the default one
69 // depends on glib.
70 //
71 // TODO(akalin): Remove this once http://crbug.com/146421 is fixed.
72 url_request_context_builder.set_proxy_config_service(
73 std::make_unique<net::ProxyConfigServiceFixed>(
74 net::ProxyConfigWithAnnotation()));
75 #endif
76 *context = url_request_context_builder.Build();
77
78 // TODO(mattm): add command line flag to configure using
79 // CertNetFetcher
80 *cert_net_fetcher = base::MakeRefCounted<net::CertNetFetcherURLRequest>();
81 (*cert_net_fetcher)->SetURLRequestContext(context->get());
82 initialization_complete_event->Signal();
83 }
84
ShutdownOnNetworkThread(std::unique_ptr<net::URLRequestContext> * context,scoped_refptr<net::CertNetFetcherURLRequest> * cert_net_fetcher)85 void ShutdownOnNetworkThread(
86 std::unique_ptr<net::URLRequestContext>* context,
87 scoped_refptr<net::CertNetFetcherURLRequest>* cert_net_fetcher) {
88 (*cert_net_fetcher)->Shutdown();
89 cert_net_fetcher->reset();
90 context->reset();
91 }
92
93 // Base class to abstract running a particular implementation of certificate
94 // verification.
95 class CertVerifyImpl {
96 public:
97 virtual ~CertVerifyImpl() = default;
98
99 virtual std::string GetName() const = 0;
100
101 // Does certificate verification.
102 //
103 // Note that |hostname| may be empty to indicate that no name validation is
104 // requested, and a null value of |verify_time| means to use the current time.
105 virtual bool VerifyCert(const CertInput& target_der_cert,
106 const std::string& hostname,
107 const std::vector<CertInput>& intermediate_der_certs,
108 const std::vector<CertInputWithTrustSetting>&
109 der_certs_with_trust_settings,
110 base::Time verify_time,
111 net::CRLSet* crl_set,
112 const base::FilePath& dump_prefix_path) = 0;
113 };
114
115 // Runs certificate verification using a particular CertVerifyProc.
116 class CertVerifyImplUsingProc : public CertVerifyImpl {
117 public:
CertVerifyImplUsingProc(const std::string & name,scoped_refptr<net::CertVerifyProc> proc)118 CertVerifyImplUsingProc(const std::string& name,
119 scoped_refptr<net::CertVerifyProc> proc)
120 : name_(name), proc_(std::move(proc)) {}
121
GetName() const122 std::string GetName() const override { return name_; }
123
VerifyCert(const CertInput & target_der_cert,const std::string & hostname,const std::vector<CertInput> & intermediate_der_certs,const std::vector<CertInputWithTrustSetting> & der_certs_with_trust_settings,base::Time verify_time,net::CRLSet * crl_set,const base::FilePath & dump_prefix_path)124 bool VerifyCert(const CertInput& target_der_cert,
125 const std::string& hostname,
126 const std::vector<CertInput>& intermediate_der_certs,
127 const std::vector<CertInputWithTrustSetting>&
128 der_certs_with_trust_settings,
129 base::Time verify_time,
130 net::CRLSet* crl_set,
131 const base::FilePath& dump_prefix_path) override {
132 if (!verify_time.is_null()) {
133 std::cerr << "WARNING: --time is not supported by " << GetName()
134 << ", will use current time.\n";
135 }
136
137 if (hostname.empty()) {
138 std::cerr << "ERROR: --hostname is required for " << GetName()
139 << ", skipping\n";
140 return true; // "skipping" is considered a successful return.
141 }
142
143 base::FilePath dump_path;
144 if (!dump_prefix_path.empty()) {
145 dump_path = dump_prefix_path.AddExtension(FILE_PATH_LITERAL(".pem"))
146 .InsertBeforeExtensionASCII("." + GetName());
147 }
148
149 return VerifyUsingCertVerifyProc(proc_.get(), target_der_cert, hostname,
150 intermediate_der_certs,
151 der_certs_with_trust_settings, dump_path);
152 }
153
154 private:
155 const std::string name_;
156 scoped_refptr<net::CertVerifyProc> proc_;
157 };
158
159 // Runs certificate verification using bssl::CertPathBuilder.
160 class CertVerifyImplUsingPathBuilder : public CertVerifyImpl {
161 public:
CertVerifyImplUsingPathBuilder(scoped_refptr<net::CertNetFetcher> cert_net_fetcher,std::unique_ptr<net::SystemTrustStore> system_trust_store)162 explicit CertVerifyImplUsingPathBuilder(
163 scoped_refptr<net::CertNetFetcher> cert_net_fetcher,
164 std::unique_ptr<net::SystemTrustStore> system_trust_store)
165 : cert_net_fetcher_(std::move(cert_net_fetcher)),
166 system_trust_store_(std::move(system_trust_store)) {}
167
GetName() const168 std::string GetName() const override { return "CertPathBuilder"; }
169
VerifyCert(const CertInput & target_der_cert,const std::string & hostname,const std::vector<CertInput> & intermediate_der_certs,const std::vector<CertInputWithTrustSetting> & der_certs_with_trust_settings,base::Time verify_time,net::CRLSet * crl_set,const base::FilePath & dump_prefix_path)170 bool VerifyCert(const CertInput& target_der_cert,
171 const std::string& hostname,
172 const std::vector<CertInput>& intermediate_der_certs,
173 const std::vector<CertInputWithTrustSetting>&
174 der_certs_with_trust_settings,
175 base::Time verify_time,
176 net::CRLSet* crl_set,
177 const base::FilePath& dump_prefix_path) override {
178 if (!hostname.empty()) {
179 std::cerr << "WARNING: --hostname is not verified with CertPathBuilder\n";
180 }
181
182 if (verify_time.is_null()) {
183 verify_time = base::Time::Now();
184 }
185
186 return VerifyUsingPathBuilder(target_der_cert, intermediate_der_certs,
187 der_certs_with_trust_settings, verify_time,
188 dump_prefix_path, cert_net_fetcher_,
189 system_trust_store_.get());
190 }
191
192 private:
193 scoped_refptr<net::CertNetFetcher> cert_net_fetcher_;
194 std::unique_ptr<net::SystemTrustStore> system_trust_store_;
195 };
196
197 class DummySystemTrustStore : public net::SystemTrustStore {
198 public:
GetTrustStore()199 bssl::TrustStore* GetTrustStore() override { return &trust_store_; }
200
IsKnownRoot(const bssl::ParsedCertificate * trust_anchor) const201 bool IsKnownRoot(const bssl::ParsedCertificate* trust_anchor) const override {
202 return false;
203 }
204
205 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
chrome_root_store_version() const206 int64_t chrome_root_store_version() const override { return 0; }
207 #endif
208
209 private:
210 bssl::TrustStoreCollection trust_store_;
211 };
212
CreateSystemTrustStore(base::StringPiece impl_name,RootStoreType root_store_type)213 std::unique_ptr<net::SystemTrustStore> CreateSystemTrustStore(
214 base::StringPiece impl_name,
215 RootStoreType root_store_type) {
216 switch (root_store_type) {
217 #if BUILDFLAG(IS_FUCHSIA)
218 case RootStoreType::kSystem:
219 std::cerr << impl_name
220 << ": using system roots (--roots are in addition).\n";
221 return net::CreateSslSystemTrustStore();
222 #endif
223 case RootStoreType::kChrome:
224 #if BUILDFLAG(CHROME_ROOT_STORE_SUPPORTED)
225 std::cerr << impl_name
226 << ": using Chrome Root Store (--roots are in addition).\n";
227 return net::CreateSslSystemTrustStoreChromeRoot(
228 std::make_unique<net::TrustStoreChrome>());
229 #else
230 std::cerr << impl_name << ": not supported.\n";
231 [[fallthrough]];
232 #endif
233
234 case RootStoreType::kEmpty:
235 default:
236 std::cerr << impl_name << ": only using --roots specified.\n";
237 return std::make_unique<DummySystemTrustStore>();
238 }
239 }
240
241 // Creates an subclass of CertVerifyImpl based on its name, or returns nullptr.
CreateCertVerifyImplFromName(base::StringPiece impl_name,scoped_refptr<net::CertNetFetcher> cert_net_fetcher,scoped_refptr<net::CRLSet> crl_set,RootStoreType root_store_type)242 std::unique_ptr<CertVerifyImpl> CreateCertVerifyImplFromName(
243 base::StringPiece impl_name,
244 scoped_refptr<net::CertNetFetcher> cert_net_fetcher,
245 scoped_refptr<net::CRLSet> crl_set,
246 RootStoreType root_store_type) {
247 #if !(BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(CHROME_ROOT_STORE_ONLY))
248 if (impl_name == "platform") {
249 if (root_store_type != RootStoreType::kSystem) {
250 std::cerr << "WARNING: platform verifier not supported with "
251 "--no-system-roots and --use-chrome-root-store, using "
252 "system roots (--roots are in addition).\n";
253 }
254
255 return std::make_unique<CertVerifyImplUsingProc>(
256 "CertVerifyProc (system)",
257 net::CertVerifyProc::CreateSystemVerifyProc(std::move(cert_net_fetcher),
258 std::move(crl_set)));
259 }
260 #endif
261
262 if (impl_name == "builtin") {
263 return std::make_unique<CertVerifyImplUsingProc>(
264 "CertVerifyProcBuiltin",
265 net::CreateCertVerifyProcBuiltin(
266 std::move(cert_net_fetcher), std::move(crl_set),
267 CreateSystemTrustStore(impl_name, root_store_type), {}));
268 }
269
270 if (impl_name == "pathbuilder") {
271 return std::make_unique<CertVerifyImplUsingPathBuilder>(
272 std::move(cert_net_fetcher),
273 CreateSystemTrustStore(impl_name, root_store_type));
274 }
275
276 std::cerr << "WARNING: Unrecognized impl: " << impl_name << "\n";
277 return nullptr;
278 }
279
PrintCertHashAndSubject(CRYPTO_BUFFER * cert)280 void PrintCertHashAndSubject(CRYPTO_BUFFER* cert) {
281 std::cout << " " << FingerPrintCryptoBuffer(cert) << " "
282 << SubjectFromCryptoBuffer(cert) << "\n";
283 }
284
PrintInputChain(const CertInput & target,const std::vector<CertInput> & intermediates)285 void PrintInputChain(const CertInput& target,
286 const std::vector<CertInput>& intermediates) {
287 std::cout << "Input chain:\n";
288 PrintCertHashAndSubject(
289 net::x509_util::CreateCryptoBuffer(target.der_cert).get());
290 for (const auto& intermediate : intermediates) {
291 PrintCertHashAndSubject(
292 net::x509_util::CreateCryptoBuffer(intermediate.der_cert).get());
293 }
294 std::cout << "\n";
295 }
296
PrintAdditionalRoots(const std::vector<CertInputWithTrustSetting> & der_certs_with_trust_settings)297 void PrintAdditionalRoots(const std::vector<CertInputWithTrustSetting>&
298 der_certs_with_trust_settings) {
299 std::cout << "Additional roots:\n";
300 for (const auto& cert : der_certs_with_trust_settings) {
301 std::cout << " " << cert.trust.ToDebugString() << ":\n ";
302 PrintCertHashAndSubject(
303 net::x509_util::CreateCryptoBuffer(cert.cert_input.der_cert).get());
304 }
305 std::cout << "\n";
306 }
307
308 const char kUsage[] =
309 " [flags] <target/chain>\n"
310 "\n"
311 " <target/chain> is a file containing certificates [1]. Minimally it\n"
312 " contains the target certificate. Optionally it may subsequently list\n"
313 " additional certificates needed to build a chain (this is equivalent to\n"
314 " specifying them through --intermediates)\n"
315 "\n"
316 "Flags:\n"
317 "\n"
318 " --hostname=<hostname>\n"
319 " The hostname required to match the end-entity certificate.\n"
320 " Required for the CertVerifyProc implementation.\n"
321 "\n"
322 " --roots=<certs path>\n"
323 " <certs path> is a file containing certificates [1] to interpret as\n"
324 " trust anchors (without any anchor constraints).\n"
325 "\n"
326 " --no-system-roots\n"
327 " Do not use system provided trust roots, only trust roots specified\n"
328 " by --roots or --trust-last-cert will be used. Only supported by\n"
329 " the builtin and pathbuilter impls.\n"
330 "\n"
331 " --use-chrome-root-store\n"
332 " Use the Chrome Root Store. Only supported by the builtin and \n"
333 " pathbuilder impls; if set will override the --no-system-roots \n"
334 " flag.\n"
335 "\n"
336 " --intermediates=<certs path>\n"
337 " <certs path> is a file containing certificates [1] for use when\n"
338 " path building is looking for intermediates.\n"
339 "\n"
340 " --impls=<ordered list of implementations>\n"
341 " Ordered list of the verifier implementations to run. If omitted,\n"
342 " will default to: \"platform,builtin,pathbuilder\".\n"
343 " Changing this can lead to different results in cases where the\n"
344 " platform verifier affects global caches (as in the case of NSS).\n"
345 "\n"
346 " --trust-last-cert\n"
347 " Removes the final intermediate from the chain and instead adds it\n"
348 " as a root. This is useful when providing a <target/chain>\n"
349 " parameter whose final certificate is a trust anchor.\n"
350 "\n"
351 " --root-trust=<trust string>\n"
352 " Roots trusted by --roots and --trust-last-cert will be trusted\n"
353 " with the specified trust [2].\n"
354 "\n"
355 " --trust-leaf-cert=[trust string]\n"
356 " The leaf cert will be considered trusted with the specified\n"
357 " trust [2]. If [trust string] is omitted, defaults to TRUSTED_LEAF.\n"
358 "\n"
359 " --time=<time>\n"
360 " Use <time> instead of the current system time. <time> is\n"
361 " interpreted in local time if a timezone is not specified.\n"
362 " Many common formats are supported, including:\n"
363 " 1994-11-15 12:45:26 GMT\n"
364 " Tue, 15 Nov 1994 12:45:26 GMT\n"
365 " Nov 15 12:45:26 1994 GMT\n"
366 "\n"
367 " --crlset=<crlset path>\n"
368 " <crlset path> is a file containing a serialized CRLSet to use\n"
369 " during revocation checking. For example:\n"
370 " <chrome data dir>/CertificateRevocation/<number>/crl-set\n"
371 "\n"
372 " --dump=<file prefix>\n"
373 " Dumps the verified chain to PEM files starting with\n"
374 " <file prefix>.\n"
375 "\n"
376 "\n"
377 "[1] A \"file containing certificates\" means a path to a file that can\n"
378 " either be:\n"
379 " * A binary file containing a single DER-encoded RFC 5280 Certificate\n"
380 " * A PEM file containing one or more CERTIFICATE blocks (DER-encoded\n"
381 " RFC 5280 Certificate)\n"
382 "\n"
383 "[2] A \"trust string\" consists of a trust type and zero or more options\n"
384 " separated by '+' characters. Note that these trust settings are only\n"
385 " honored by the builtin & pathbuilder impls.\n"
386 " Trust types: UNSPECIFIED, DISTRUSTED, TRUSTED_ANCHOR,\n"
387 " TRUSTED_ANCHOR_OR_LEAF, TRUSTED_LEAF\n"
388 " Options: enforce_anchor_expiry, enforce_anchor_constraints,\n"
389 " require_anchor_basic_constraints, require_leaf_selfsigned\n"
390 " Ex: TRUSTED_ANCHOR+enforce_anchor_expiry+enforce_anchor_constraints\n";
391
PrintUsage(const char * argv0)392 void PrintUsage(const char* argv0) {
393 std::cerr << "Usage: " << argv0 << kUsage;
394
395 // TODO(mattm): allow <certs path> to be a directory containing DER/PEM files?
396 // TODO(mattm): allow target to specify an HTTPS URL to check the cert of?
397 // TODO(mattm): allow target to be a verify_certificate_chain_unittest .test
398 // file?
399 // TODO(mattm): allow specifying ocsp_response and sct_list inputs as well.
400 }
401
402 } // namespace
403
main(int argc,char ** argv)404 int main(int argc, char** argv) {
405 base::AtExitManager at_exit_manager;
406 if (!base::CommandLine::Init(argc, argv)) {
407 std::cerr << "ERROR in CommandLine::Init\n";
408 return 1;
409 }
410 base::ThreadPoolInstance::CreateAndStartWithDefaultParams("cert_verify_tool");
411 base::ScopedClosureRunner cleanup(
412 base::BindOnce([] { base::ThreadPoolInstance::Get()->Shutdown(); }));
413 base::CommandLine& command_line = *base::CommandLine::ForCurrentProcess();
414 logging::LoggingSettings settings;
415 settings.logging_dest =
416 logging::LOG_TO_SYSTEM_DEBUG_LOG | logging::LOG_TO_STDERR;
417 logging::InitLogging(settings);
418
419 base::CommandLine::StringVector args = command_line.GetArgs();
420 if (args.size() != 1U || command_line.HasSwitch("help")) {
421 PrintUsage(argv[0]);
422 return 1;
423 }
424
425 std::string hostname = command_line.GetSwitchValueASCII("hostname");
426
427 base::Time verify_time;
428 std::string time_flag = command_line.GetSwitchValueASCII("time");
429 if (!time_flag.empty()) {
430 if (!base::Time::FromString(time_flag.c_str(), &verify_time)) {
431 std::cerr << "Error parsing --time flag\n";
432 return 1;
433 }
434 }
435
436 #if BUILDFLAG(CHROME_ROOT_STORE_ONLY)
437 RootStoreType root_store_type = RootStoreType::kChrome;
438 #else
439 RootStoreType root_store_type = RootStoreType::kSystem;
440 #endif
441
442 if (command_line.HasSwitch("no-system-roots")) {
443 root_store_type = RootStoreType::kEmpty;
444 }
445 if (command_line.HasSwitch("use-chrome-root-store")) {
446 root_store_type = RootStoreType::kChrome;
447 }
448
449 base::FilePath roots_path = command_line.GetSwitchValuePath("roots");
450 base::FilePath intermediates_path =
451 command_line.GetSwitchValuePath("intermediates");
452 base::FilePath target_path = base::FilePath(args[0]);
453
454 base::FilePath crlset_path = command_line.GetSwitchValuePath("crlset");
455 scoped_refptr<net::CRLSet> crl_set = net::CRLSet::BuiltinCRLSet();
456 if (!crlset_path.empty()) {
457 std::string crl_set_bytes;
458 if (!ReadFromFile(crlset_path, &crl_set_bytes))
459 return 1;
460 if (!net::CRLSet::Parse(crl_set_bytes, &crl_set)) {
461 std::cerr << "Error parsing CRLSet\n";
462 return 1;
463 }
464 }
465
466 base::FilePath dump_prefix_path = command_line.GetSwitchValuePath("dump");
467
468 std::vector<CertInputWithTrustSetting> der_certs_with_trust_settings;
469 std::vector<CertInput> root_der_certs;
470 std::vector<CertInput> intermediate_der_certs;
471 CertInput target_der_cert;
472
473 if (!roots_path.empty())
474 ReadCertificatesFromFile(roots_path, &root_der_certs);
475 if (!intermediates_path.empty())
476 ReadCertificatesFromFile(intermediates_path, &intermediate_der_certs);
477
478 if (!ReadChainFromFile(target_path, &target_der_cert,
479 &intermediate_der_certs)) {
480 std::cerr << "ERROR: Couldn't read certificate chain\n";
481 return 1;
482 }
483
484 if (target_der_cert.der_cert.empty()) {
485 std::cerr << "ERROR: no target cert\n";
486 return 1;
487 }
488
489 // If --trust-last-cert was specified, move the final intermediate to the
490 // roots list.
491 if (command_line.HasSwitch("trust-last-cert")) {
492 if (intermediate_der_certs.empty()) {
493 std::cerr << "ERROR: no intermediate certificates\n";
494 return 1;
495 }
496
497 root_der_certs.push_back(intermediate_der_certs.back());
498 intermediate_der_certs.pop_back();
499 }
500
501 if (command_line.HasSwitch("trust-leaf-cert")) {
502 bssl::CertificateTrust trust = bssl::CertificateTrust::ForTrustedLeaf();
503 std::string trust_str = command_line.GetSwitchValueASCII("trust-leaf-cert");
504 if (!trust_str.empty()) {
505 absl::optional<bssl::CertificateTrust> parsed_trust =
506 bssl::CertificateTrust::FromDebugString(trust_str);
507 if (!parsed_trust) {
508 std::cerr << "ERROR: invalid leaf trust string " << trust_str << "\n";
509 return 1;
510 }
511 trust = *parsed_trust;
512 }
513 der_certs_with_trust_settings.push_back({target_der_cert, trust});
514 }
515
516 // TODO(https://crbug.com/1408473): Maybe default to the trust setting that
517 // would be used for locally added anchors on the current platform?
518 bssl::CertificateTrust root_trust = bssl::CertificateTrust::ForTrustAnchor();
519
520 if (command_line.HasSwitch("root-trust")) {
521 std::string trust_str = command_line.GetSwitchValueASCII("root-trust");
522 absl::optional<bssl::CertificateTrust> parsed_trust =
523 bssl::CertificateTrust::FromDebugString(trust_str);
524 if (!parsed_trust) {
525 std::cerr << "ERROR: invalid root trust string " << trust_str << "\n";
526 return 1;
527 }
528 root_trust = *parsed_trust;
529 }
530
531 for (const auto& cert_input : root_der_certs) {
532 der_certs_with_trust_settings.push_back({cert_input, root_trust});
533 }
534
535 PrintInputChain(target_der_cert, intermediate_der_certs);
536 if (!der_certs_with_trust_settings.empty()) {
537 PrintAdditionalRoots(der_certs_with_trust_settings);
538 }
539
540 // Create a network thread to be used for AIA fetches, and wait for a
541 // CertNetFetcher to be constructed on that thread.
542 base::Thread::Options options(base::MessagePumpType::IO, 0);
543 base::Thread thread("network_thread");
544 CHECK(thread.StartWithOptions(std::move(options)));
545 // Owned by this thread, but initialized, used, and shutdown on the network
546 // thread.
547 std::unique_ptr<net::URLRequestContext> context;
548 scoped_refptr<net::CertNetFetcherURLRequest> cert_net_fetcher;
549 base::WaitableEvent initialization_complete_event(
550 base::WaitableEvent::ResetPolicy::MANUAL,
551 base::WaitableEvent::InitialState::NOT_SIGNALED);
552 thread.task_runner()->PostTask(
553 FROM_HERE,
554 base::BindOnce(&SetUpOnNetworkThread, &context, &cert_net_fetcher,
555 &initialization_complete_event));
556 initialization_complete_event.Wait();
557
558 std::vector<std::unique_ptr<CertVerifyImpl>> impls;
559
560 // Parse the ordered list of CertVerifyImpl passed via command line flags into
561 // |impls|.
562 std::string impls_str = command_line.GetSwitchValueASCII("impls");
563 if (impls_str.empty()) {
564 // Default value.
565 #if !(BUILDFLAG(IS_FUCHSIA) || BUILDFLAG(IS_LINUX) || \
566 BUILDFLAG(IS_CHROMEOS) || BUILDFLAG(CHROME_ROOT_STORE_ONLY))
567 impls_str = "platform,";
568 #endif
569 impls_str += "builtin,pathbuilder";
570 }
571
572 std::vector<std::string> impl_names = base::SplitString(
573 impls_str, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
574
575 for (const std::string& impl_name : impl_names) {
576 auto verify_impl = CreateCertVerifyImplFromName(impl_name, cert_net_fetcher,
577 crl_set, root_store_type);
578 if (verify_impl)
579 impls.push_back(std::move(verify_impl));
580 }
581
582 // Sequentially run the chain with each of the selected verifier
583 // implementations.
584 bool all_impls_success = true;
585
586 for (size_t i = 0; i < impls.size(); ++i) {
587 if (i != 0)
588 std::cout << "\n";
589
590 std::cout << impls[i]->GetName() << ":\n";
591 if (!impls[i]->VerifyCert(target_der_cert, hostname, intermediate_der_certs,
592 der_certs_with_trust_settings, verify_time,
593 crl_set.get(), dump_prefix_path)) {
594 all_impls_success = false;
595 }
596 }
597
598 // Clean up on the network thread and stop it (which waits for the clean up
599 // task to run).
600 thread.task_runner()->PostTask(
601 FROM_HERE,
602 base::BindOnce(&ShutdownOnNetworkThread, &context, &cert_net_fetcher));
603 thread.Stop();
604
605 return all_impls_success ? 0 : 1;
606 }
607