Replace custom CT parsing code with BoringSSL CBS/CBB APIs.

Reuse ByteString/ByteBuilder APIs for CT parsing and serialization.

Added boolean return arguments to EncodeTreeHeadSignature and
EncodeSignedCertificateTimestamp, and updated a couple of clients to check
return value and handle failure cases as appropriate.

Bug: 634570
Change-Id: Id309470e18d0bc7316623c2f5dd7aaf3854527cf
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1465984
Commit-Queue: Kaustubha Govind <kaustubhag@chromium.org>
Reviewed-by: Emily Stark <estark@chromium.org>
Reviewed-by: David Benjamin <davidben@chromium.org>
Cr-Commit-Position: refs/heads/master@{#637879}

net/cert/ct_log_verifier.cc

@@ -108,7 +108,9 @@ bool CTLogVerifier::VerifySignedTreeHead(
     return false;
 
   std::string serialized_data;
-  ct::EncodeTreeHeadSignature(signed_tree_head, &serialized_data);
+  if (!ct::EncodeTreeHeadSignature(signed_tree_head, &serialized_data))
+    return false;
+
   if (VerifySignature(serialized_data,
                       signed_tree_head.signature.signature_data)) {
     if (signed_tree_head.tree_size == 0) {

net/cert/ct_serialization.h

@@ -64,7 +64,9 @@ NET_EXPORT_PRIVATE bool EncodeV1SCTSignedData(
 // Encodes the data signed by a Signed Tree Head (STH) |signed_tree_head| into
 // |output|. The signature included in the |signed_tree_head| can then be
 // verified over these bytes.
-NET_EXPORT_PRIVATE void EncodeTreeHeadSignature(
+// Returns true if the data could be encoded successfully, false
+// otherwise.
+NET_EXPORT_PRIVATE bool EncodeTreeHeadSignature(
     const SignedTreeHead& signed_tree_head,
     std::string* output);
 
@@ -86,7 +88,9 @@ NET_EXPORT_PRIVATE bool DecodeSignedCertificateTimestamp(
     scoped_refptr<ct::SignedCertificateTimestamp>* output);
 
 // Serializes a Signed Certificate Timestamp (SCT) into |output|.
-NET_EXPORT void EncodeSignedCertificateTimestamp(
+// Returns true if the SCT could be encoded successfully, false
+// otherwise.
+NET_EXPORT bool EncodeSignedCertificateTimestamp(
     const scoped_refptr<ct::SignedCertificateTimestamp>& input,
     std::string* output);
 

net/cert/ct_serialization_unittest.cc

@@ -161,7 +161,7 @@ TEST_F(CtSerializationTest, EncodeSignedCertificateTimestamp) {
   ASSERT_TRUE(ct::DecodeSignedCertificateTimestamp(&encoded_sct, &sct));
 
   std::string serialized;
-  ct::EncodeSignedCertificateTimestamp(sct, &serialized);
+  ASSERT_TRUE(ct::EncodeSignedCertificateTimestamp(sct, &serialized));
   EXPECT_EQ(serialized, encoded_test_sct);
 }
 
@@ -256,7 +256,7 @@ TEST_F(CtSerializationTest, EncodesValidSignedTreeHead) {
   ASSERT_TRUE(GetSampleSignedTreeHead(&signed_tree_head));
 
   std::string encoded;
-  ct::EncodeTreeHeadSignature(signed_tree_head, &encoded);
+  ASSERT_TRUE(ct::EncodeTreeHeadSignature(signed_tree_head, &encoded));
   // Expected size is 50 bytes:
   // Byte 0 is version, byte 1 is signature type
   // Bytes 2-9 are timestamp

services/network/expect_ct_reporter.cc

@@ -79,7 +79,7 @@ std::string SCTOriginToString(
   return "";
 }
 
-void AddSCT(const net::SignedCertificateTimestampAndStatus& sct,
+bool AddSCT(const net::SignedCertificateTimestampAndStatus& sct,
             base::ListValue* list) {
   std::unique_ptr<base::DictionaryValue> list_item(new base::DictionaryValue());
   // Chrome implements RFC6962, not 6962-bis, so the reports contain v1 SCTs.
@@ -102,11 +102,13 @@ void AddSCT(const net::SignedCertificateTimestampAndStatus& sct,
   list_item->SetString("status", status);
   list_item->SetString("source", SCTOriginToString(sct.sct->origin));
   std::string serialized_sct;
-  net::ct::EncodeSignedCertificateTimestamp(sct.sct, &serialized_sct);
+  if (!net::ct::EncodeSignedCertificateTimestamp(sct.sct, &serialized_sct))
+    return false;
   std::string encoded_serialized_sct;
   base::Base64Encode(serialized_sct, &encoded_serialized_sct);
   list_item->SetString("serialized_sct", encoded_serialized_sct);
   list->Append(std::move(list_item));
+  return true;
 }
 
 constexpr net::NetworkTrafficAnnotationTag kExpectCTReporterTrafficAnnotation =
@@ -176,7 +178,8 @@ void ExpectCTReporter::OnExpectCTFailed(
 
   std::unique_ptr<base::ListValue> scts(new base::ListValue());
   for (const auto& sct_and_status : signed_certificate_timestamps) {
-    AddSCT(sct_and_status, scts.get());
+    if (!AddSCT(sct_and_status, scts.get()))
+      LOG(ERROR) << "Failed to add signed certificate timestamp to list";
   }
   report->Set("scts", std::move(scts));
 

services/network/expect_ct_reporter_unittest.cc

@@ -150,8 +150,10 @@ net::ct::SignedCertificateTimestamp::Origin SCTOriginStringToOrigin(
     net::ct::SCTVerifyStatus expected_status,
     const base::ListValue& report_list) {
   std::string expected_serialized_sct;
-  net::ct::EncodeSignedCertificateTimestamp(expected_sct,
-                                            &expected_serialized_sct);
+  if (!net::ct::EncodeSignedCertificateTimestamp(expected_sct,
+                                                 &expected_serialized_sct)) {
+    return ::testing::AssertionFailure() << "Failed to serialize SCT";
+  }
 
   for (size_t i = 0; i < report_list.GetSize(); i++) {
     const base::DictionaryValue* report_sct;