Add a command line switch to cert_verify_tool to specify order of verifications.

Specifically this adds the --impls switch as a way of specifying the order to run verifiers. To run the platform verifier and then the builtin verifier you would use: --impls=platform,builtin To run just the builtin verifier: --impls=builtin This is relevant when testing because there can be global sideffects for running the platform verifier that affect the subsequent runs (notably NSS's temporary cache of intermediates). Change-Id: I1cb47fff745f3ade03a4885803f9fdab2240f2e5 Reviewed-on: https://chromium-review.googlesource.com/1161394Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Eric Roman <eroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#580376}

Add a command line switch to cert_verify_tool to specify order of verifications.
Specifically this adds the --impls switch as a way of specifying the order to run verifiers. To run the platform verifier and then the builtin verifier you would use: --impls=platform,builtin To run just the builtin verifier: --impls=builtin This is relevant when testing because there can be global sideffects for running the platform verifier that affect the subsequent runs (notably NSS's temporary cache of intermediates). Change-Id: I1cb47fff745f3ade03a4885803f9fdab2240f2e5 Reviewed-on: https://chromium-review.googlesource.com/1161394Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Eric Roman <eroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#580376}
aac51288 · Eric Roman · Commit Bot · 2e975480 · aac51288
Commit aac51288 authored Aug 02, 2018 by Eric Roman Committed by Commit Bot Aug 02, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 7 deletions

net/tools/cert_verify_tool/cert_verify_tool.cc net/tools/cert_verify_tool/cert_verify_tool.cc +42 -7

No files found.
--- a/net/tools/cert_verify_tool/cert_verify_tool.cc
+++ b/net/tools/cert_verify_tool/cert_verify_tool.cc
@@ -9,6 +9,7 @@
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/message_loop/message_loop.h"
+#include "base/strings/string_split.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/task_scheduler/task_scheduler.h"
 #include "base/threading/thread.h"
@@ -158,6 +159,25 @@ class CertVerifyImplUsingPathBuilder : public CertVerifyImpl {
  }
 };

+// Creates an subclass of CertVerifyImpl based on its name, or returns nullptr.
+std::unique_ptr<CertVerifyImpl> CreateCertVerifyImplFromName(
+    base::StringPiece impl_name) {
+  if (impl_name == "platform")
+    return std::make_unique<CertVerifyImplUsingProc>(
+        "CertVerifyProc (default)", net::CertVerifyProc::CreateDefault());
+
+  if (impl_name == "builtin") {
+    return std::make_unique<CertVerifyImplUsingProc>(
+        "CertVerifyProcBuiltin", net::CreateCertVerifyProcBuiltin());
+  }
+
+  if (impl_name == "pathbuilder")
+    return std::make_unique<CertVerifyImplUsingPathBuilder>();
+
+  std::cerr << "WARNING: Unrecognized impl: " << impl_name << "\n";
+  return nullptr;
+}
+
 const char kUsage[] =
    " [flags] <target/chain>\n"
    "\n"
@@ -180,6 +200,12 @@ const char kUsage[] =
    "      <certs path> is a file containing certificates [1] for use when\n"
    "      path building is looking for intermediates.\n"
    "\n"
+    " --impls=<ordered list of implementations>\n"
+    "      Ordered list of the verifier implementations to run. If omitted,\n"
+    "      will default to: \"platform,builtin,pathbuilder\".\n"
+    "      Changing this can lead to different results in cases where the\n"
+    "      platform verifier affects global caches (as in the case of NSS).\n"
+    "\n"
    " --trust-last-cert\n"
    "      Removes the final intermediate from the chain and instead adds it\n"
    "      as a root. This is useful when providing a <target/chain>\n"
@@ -318,16 +344,25 @@ int main(int argc, char** argv) {
                                &initialization_complete_event));
  initialization_complete_event.Wait();

-  // Sequentially run each of the certificate verifier implementations.
  std::vector<std::unique_ptr<CertVerifyImpl>> impls;

-  impls.push_back(
-      std::unique_ptr<CertVerifyImplUsingProc>(new CertVerifyImplUsingProc(
-          "CertVerifyProc (default)", net::CertVerifyProc::CreateDefault())));
-  impls.push_back(std::make_unique<CertVerifyImplUsingProc>(
-      "CertVerifyProcBuiltin", net::CreateCertVerifyProcBuiltin()));
-  impls.push_back(std::make_unique<CertVerifyImplUsingPathBuilder>());
+  // Parse the ordered list of CertVerifyImpl passed via command line flags into
+  // |impls|.
+  std::string impls_str = command_line.GetSwitchValueASCII("impls");
+  if (impls_str.empty())
+    impls_str = "platform,builtin,pathbuilder";  // Default value.
+
+  std::vector<std::string> impl_names = base::SplitString(
+      impls_str, ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
+
+  for (const std::string& impl_name : impl_names) {
+    auto verify_impl = CreateCertVerifyImplFromName(impl_name);
+    if (verify_impl)
+      impls.push_back(std::move(verify_impl));
+  }

+  // Sequentially run the chain with each of the selected verifier
+  // implementations.
  bool all_impls_success = true;

  for (size_t i = 0; i < impls.size(); ++i) {