Add policies support to VerifyCertificateChain().

Support is compliant with RFC 5280 and supports all the policy
extensions specified therein:

 * Inhibit Any Policy
 * Policy Constraints
 * Policies
 * Policy Mappings

Testing is done solely using the PKITS test suite, which has fairly good
coverage of these extensions:

  4.8 (Certificate Policies)
  4.9 (Require Explicit Policy)
  4.10 (Policy Mappings)
  4.11 (Inhibit Policy Mapping)
  4.12 (Inhibit Any Policy)

BUG=634456,634453,634452

Review-Url: https://codereview.chromium.org/2903283002
Cr-Commit-Position: refs/heads/master@{#476513}

net/cert/internal/nist_pkits_unittest.cc

@@ -57,15 +57,18 @@ PkitsTestInfo::PkitsTestInfo() {
 }
 
 void PkitsTestInfo::SetInitialExplicitPolicy(bool b) {
-  initial_explicit_policy = b;
+  initial_explicit_policy =
+      b ? InitialExplicitPolicy::kTrue : InitialExplicitPolicy::kFalse;
 }
 
 void PkitsTestInfo::SetInitialPolicyMappingInhibit(bool b) {
-  initial_policy_mapping_inhibit = b;
+  initial_policy_mapping_inhibit = b ? InitialPolicyMappingInhibit::kTrue
+                                     : InitialPolicyMappingInhibit::kFalse;
 }
 
 void PkitsTestInfo::SetInitialInhibitAnyPolicy(bool b) {
-  initial_inhibit_any_policy = b;
+  initial_inhibit_any_policy =
+      b ? InitialAnyPolicyInhibit::kTrue : InitialAnyPolicyInhibit::kFalse;
 }
 
 PkitsTestInfo::~PkitsTestInfo() = default;

net/cert/internal/nist_pkits_unittest.h

@@ -46,13 +46,15 @@ struct PkitsTestInfo {
   std::set<der::Input> initial_policy_set;
 
   // The value of "initial-explicit-policy".
-  bool initial_explicit_policy = false;
+  InitialExplicitPolicy initial_explicit_policy = InitialExplicitPolicy::kFalse;
 
   // The value of "initial-policy-mapping-inhibit".
-  bool initial_policy_mapping_inhibit = false;
+  InitialPolicyMappingInhibit initial_policy_mapping_inhibit =
+      InitialPolicyMappingInhibit::kFalse;
 
   // The value of "initial-inhibit-any-policy".
-  bool initial_inhibit_any_policy = false;
+  InitialAnyPolicyInhibit initial_inhibit_any_policy =
+      InitialAnyPolicyInhibit::kFalse;
 
   // This is the time when PKITS was published.
   der::GeneralizedTime time = {2011, 4, 15, 0, 0, 0};

net/cert/internal/path_builder.cc

@@ -604,9 +604,12 @@ void CertPathBuilder::DoGetNextPathComplete() {
 
   // Verify the entire certificate chain.
   auto result_path = base::MakeUnique<ResultPath>();
-  VerifyCertificateChain(next_path_.certs, next_path_.last_cert_trust,
-                         signature_policy_, time_, key_purpose_,
-                         &result_path->errors);
+  // TODO(eroman): don't pass placeholder for policy.
+  VerifyCertificateChain(
+      next_path_.certs, next_path_.last_cert_trust, signature_policy_, time_,
+      key_purpose_, InitialExplicitPolicy::kFalse, {AnyPolicy()},
+      InitialPolicyMappingInhibit::kFalse, InitialAnyPolicyInhibit::kFalse,
+      nullptr /*user_constrained_policy_set*/, &result_path->errors);
   bool verify_result = !result_path->errors.ContainsHighSeverityErrors();
 
   DVLOG(1) << "CertPathBuilder VerifyCertificateChain result = "

net/cert/internal/test_helpers.cc

@@ -125,7 +125,8 @@ der::Input SequenceValueFromString(const std::string* s) {
   return ::testing::AssertionSuccess();
 }
 
-VerifyCertChainTest::VerifyCertChainTest() = default;
+VerifyCertChainTest::VerifyCertChainTest()
+    : user_initial_policy_set{AnyPolicy()} {}
 VerifyCertChainTest::~VerifyCertChainTest() = default;
 
 bool VerifyCertChainTest::HasHighSeverityErrors() const {

net/cert/internal/test_helpers.h

@@ -95,6 +95,16 @@ struct VerifyCertChainTest {
   // The Key Purpose to use when verifying the chain.
   KeyPurpose key_purpose = KeyPurpose::ANY_EKU;
 
+  InitialExplicitPolicy initial_explicit_policy = InitialExplicitPolicy::kFalse;
+
+  std::set<der::Input> user_initial_policy_set;
+
+  InitialPolicyMappingInhibit initial_policy_mapping_inhibit =
+      InitialPolicyMappingInhibit::kFalse;
+
+  InitialAnyPolicyInhibit initial_any_policy_inhibit =
+      InitialAnyPolicyInhibit::kFalse;
+
   // The expected errors/warnings from verification (as a string).
   std::string expected_errors;
 

net/cert/internal/verify_certificate_chain.cc

@@ -4,6 +4,7 @@
 
 #include "net/cert/internal/verify_certificate_chain.h"
 
+#include <algorithm>
 #include <memory>
 
 #include "base/logging.h"
@@ -63,6 +64,9 @@ DEFINE_CERT_ERROR_ID(kEkuLacksClientAuth,
                      "The extended key usage does not include client auth");
 DEFINE_CERT_ERROR_ID(kCertIsNotTrustAnchor,
                      "Certificate is not a trust anchor");
+DEFINE_CERT_ERROR_ID(kNoValidPolicy, "No valid policy");
+DEFINE_CERT_ERROR_ID(kPolicyMappingAnyPolicy,
+                     "PolicyMappings must not map anyPolicy");
 
 bool IsHandledCriticalExtensionOid(const der::Input& oid) {
   if (oid == BasicConstraintsOid())
@@ -78,8 +82,19 @@ bool IsHandledCriticalExtensionOid(const der::Input& oid) {
     return true;
   if (oid == SubjectAltNameOid())
     return true;
+  // TODO(eroman): The policy qualifiers are not processed (or in some cases
+  // even parsed). This is fine when the policies extension is non-critical,
+  // however if it is critical the code should also ensure that the policy
+  // qualifiers are only recognized ones (CPS and User Notice).
+  if (oid == CertificatePoliciesOid())
+    return true;
+  if (oid == PolicyMappingsOid())
+    return true;
+  if (oid == PolicyConstraintsOid())
+    return true;
+  if (oid == InhibitAnyPolicyOid())
+    return true;
 
-  // TODO(eroman): Make this more complete.
   return false;
 }
 
@@ -120,7 +135,7 @@ WARN_UNUSED_RESULT bool IsSelfIssued(const ParsedCertificate& cert) {
 //    The validity period for a certificate is the period of time from
 //    notBefore through notAfter, inclusive.
 void VerifyTimeValidity(const ParsedCertificate& cert,
-                        const der::GeneralizedTime time,
+                        const der::GeneralizedTime& time,
                         CertErrors* errors) {
   if (time < cert.tbs().validity_not_before)
     errors->AddError(kValidityFailedNotBefore);
@@ -216,16 +231,545 @@ void VerifyExtendedKeyUsage(const ParsedCertificate& cert,
   }
 }
 
-// This function corresponds to RFC 5280 section 6.1.3's "Basic Certificate
-// Processing" procedure.
-void BasicCertificateProcessing(
+// Returns |true| if |policies| contains the OID |search_oid|.
+bool SetContains(const std::set<der::Input>& policies,
+                 const der::Input& search_oid) {
+  return policies.count(search_oid) > 0;
+}
+
+// Representation of RFC 5280's "valid_policy_tree", used to keep track of the
+// valid policies and policy re-mappings.
+//
+// ValidPolicyTree differs slightly from RFC 5280's description in that:
+//
+//  (1) It does not track "qualifier_set". This is not needed as it is not
+//      output by this implementation.
+//
+//  (2) It only stores the most recent level of the policy tree rather than
+//      the full tree of nodes.
+class ValidPolicyTree {
+ public:
+  ValidPolicyTree() {}
+
+  struct Node {
+    // |root_policy| is equivalent to |valid_policy|, but in the domain of the
+    // caller.
+    //
+    // The reason for this distinction is the Policy Mappings extension.
+    //
+    // So whereas |valid_policy| is in the remapped domain defined by the
+    // issuing certificate, |root_policy| is in the fixed domain of the caller.
+    //
+    // OIDs in "user_initial_policy_set" and "user_constrained_policy_set" are
+    // directly comparable to |root_policy| values, but not necessarily to
+    // |valid_policy|.
+    //
+    // In terms of the valid policy tree, |root_policy| can be found by
+    // starting at the node's root ancestor, and finding the first node with a
+    // valid_policy other than anyPolicy. This is effectively the same process
+    // as used during policy tree intersection in RFC 5280 6.1.5.g.iii.1
+    der::Input root_policy;
+
+    // The same as RFC 5280's "valid_policy" variable.
+    der::Input valid_policy;
+
+    // The same as RFC 5280s "expected_policy_set" variable.
+    std::set<der::Input> expected_policy_set;
+
+    // Note that RFC 5280's "qualifier_set" is omitted.
+  };
+
+  // Level represents all the nodes at depth "i" in the valid_policy_tree.
+  using Level = std::vector<Node>;
+
+  // Initializes the ValidPolicyTree for the given "user_initial_policy_set".
+  //
+  // In RFC 5280, the valid_policy_tree is initialized to a root node at depth
+  // 0 of "anyPolicy"; the intersection with the "user_initial_policy_set" is
+  // done at the end (Wrap Up) as described in section 6.1.5 step g.
+  //
+  // Whereas in this implementation, the restriction on policies is added here,
+  // and intersecting the valid policy tree during Wrap Up is no longer needed.
+  //
+  // The final "user_constrained_policy_set" obtained will be the same. The
+  // advantages of this approach is simpler code.
+  void Init(const std::set<der::Input>& user_initial_policy_set) {
+    Clear();
+    for (const der::Input& policy_oid : user_initial_policy_set)
+      AddRootNode(policy_oid);
+  }
+
+  // Returns the current level (i.e. all nodes at depth i in the valid
+  // policy tree).
+  const Level& current_level() const { return current_level_; }
+  Level& current_level() { return current_level_; }
+
+  // In RFC 5280 valid_policy_tree may be set to null. That is represented here
+  // by emptiness.
+  bool IsNull() const { return current_level_.empty(); }
+  void SetNull() { Clear(); }
+
+  // This implementation keeps only the last level of the valid policy
+  // tree. Calling StartLevel() returns the nodes for the previous
+  // level, and starts a new level.
+  Level StartLevel() {
+    Level prev_level;
+    std::swap(prev_level, current_level_);
+    return prev_level;
+  }
+
+  // Gets the set of policies (in terms of root authority's policy domain) that
+  // are valid at the curent level of the policy tree.
+  //
+  // For example:
+  //
+  //  * If the valid policy tree was initialized with anyPolicy, then this
+  //    function returns what X.509 calls "authorities-constrained-policy-set".
+  //
+  //  * If the valid policy tree was instead initialized with the
+  //    "user-initial-policy_set", then this function returns what X.509
+  //    calls "user-constrained-policy-set"
+  //    ("authorities-constrained-policy-set" intersected with the
+  //    "user-initial-policy-set").
+  void GetValidRootPolicySet(std::set<der::Input>* policy_set) {
+    policy_set->clear();
+    for (const Node& node : current_level_)
+      policy_set->insert(node.root_policy);
+
+    // If the result includes anyPolicy, simplify it to a set of size 1.
+    if (policy_set->size() > 1 && SetContains(*policy_set, AnyPolicy()))
+      *policy_set = {AnyPolicy()};
+  }
+
+  // Adds a node |n| to the current level which is a child of |parent|
+  // such that:
+  //   * n.valid_policy = policy_oid
+  //   * n.expected_policy_set = {policy_oid}
+  void AddNode(const Node& parent, const der::Input& policy_oid) {
+    AddNodeWithExpectedPolicySet(parent, policy_oid, {policy_oid});
+  }
+
+  // Adds a node |n| to the current level which is a child of |parent|
+  // such that:
+  //   * n.valid_policy = policy_oid
+  //   * n.expected_policy_set = expected_policy_set
+  void AddNodeWithExpectedPolicySet(
+      const Node& parent,
+      const der::Input& policy_oid,
+      const std::set<der::Input>& expected_policy_set) {
+    Node new_node;
+    new_node.valid_policy = policy_oid;
+    new_node.expected_policy_set = expected_policy_set;
+
+    // Consider the root policy as the first policy other than anyPolicy (or
+    // anyPolicy if it hasn't been restricted yet).
+    new_node.root_policy =
+        (parent.root_policy == AnyPolicy()) ? policy_oid : parent.root_policy;
+
+    current_level_.push_back(std::move(new_node));
+  }
+
+  // Returns the first node having valid_policy == anyPolicy in |level|, or
+  // nullptr if there is none.
+  static const Node* FindAnyPolicyNode(const Level& level) {
+    for (const Node& node : level) {
+      if (node.valid_policy == AnyPolicy())
+        return &node;
+    }
+    return nullptr;
+  }
+
+  // Deletes all nodes |n| in |level| where |n.valid_policy| matches the given
+  // |valid_policy|. This may re-order the nodes in |level|.
+  static void DeleteNodesMatchingValidPolicy(const der::Input& valid_policy,
+                                             Level* level) {
+    // This works by swapping nodes to the end of the vector, and then doing a
+    // single resize to delete them all.
+    auto cur = level->begin();
+    auto end = level->end();
+    while (cur != end) {
+      bool should_delete_node = cur->valid_policy == valid_policy;
+      if (should_delete_node) {
+        end = std::prev(end);
+        std::iter_swap(cur, end);
+      } else {
+        ++cur;
+      }
+    }
+    level->erase(end, level->end());
+  }
+
+ private:
+  // Deletes all nodes in the valid policy tree.
+  void Clear() { current_level_.clear(); }
+
+  // Adds a node to the current level for OID |policy_oid|. The current level
+  // is assumed to be the root level.
+  void AddRootNode(const der::Input& policy_oid) {
+    Node new_node;
+    new_node.root_policy = policy_oid;
+    new_node.valid_policy = policy_oid;
+    new_node.expected_policy_set = {policy_oid};
+    current_level_.push_back(std::move(new_node));
+  }
+
+  Level current_level_;
+
+  DISALLOW_COPY_AND_ASSIGN(ValidPolicyTree);
+};
+
+// Class that encapsulates the state variables used by certificate path
+// validation.
+class PathVerifier {
+ public:
+  // Same parameters and meaning as VerifyCertificateChain().
+  void Run(const ParsedCertificateList& certs,
+           const CertificateTrust& last_cert_trust,
+           const SignaturePolicy* signature_policy,
+           const der::GeneralizedTime& time,
+           KeyPurpose required_key_purpose,
+           InitialExplicitPolicy initial_explicit_policy,
+           const std::set<der::Input>& user_initial_policy_set,
+           InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
+           InitialAnyPolicyInhibit initial_any_policy_inhibit,
+           std::set<der::Input>* user_constrained_policy_set,
+           CertPathErrors* errors);
+
+ private:
+  // Verifies and updates the valid policies. This corresponds with RFC 5280
+  // section 6.1.3 steps d-f.
+  void VerifyPolicies(const ParsedCertificate& cert,
+                      bool is_target_cert,
+                      CertErrors* errors);
+
+  // Applies the policy mappings. This corresponds with RFC 5280 section 6.1.4
+  // steps a-b.
+  void VerifyPolicyMappings(const ParsedCertificate& cert, CertErrors* errors);
+
+  // This function corresponds to RFC 5280 section 6.1.3's "Basic Certificate
+  // Processing" procedure.
+  void BasicCertificateProcessing(const ParsedCertificate& cert,
+                                  bool is_target_cert,
+                                  const SignaturePolicy* signature_policy,
+                                  const der::GeneralizedTime& time,
+                                  KeyPurpose required_key_purpose,
+                                  CertErrors* errors);
+
+  // This function corresponds to RFC 5280 section 6.1.4's "Preparation for
+  // Certificate i+1" procedure. |cert| is expected to be an intermediate.
+  void PrepareForNextCertificate(const ParsedCertificate& cert,
+                                 CertErrors* errors);
+
+  // This function corresponds with RFC 5280 section 6.1.5's "Wrap-Up
+  // Procedure". It does processing for the final certificate (the target cert).
+  void WrapUp(const ParsedCertificate& cert, CertErrors* errors);
+
+  // Enforces trust anchor constraints compatibile with RFC 5937.
+  //
+  // Note that the anchor constraints are encoded via the attached certificate
+  // itself.
+  void ApplyTrustAnchorConstraints(const ParsedCertificate& cert,
+                                   KeyPurpose required_key_purpose,
+                                   CertErrors* errors);
+
+  // Initializes the path validation algorithm given anchor constraints. This
+  // follows the description in RFC 5937
+  void ProcessRootCertificate(const ParsedCertificate& cert,
+                              const CertificateTrust& trust,
+                              KeyPurpose required_key_purpose,
+                              CertErrors* errors);
+
+  ValidPolicyTree valid_policy_tree_;
+
+  // Will contain a NameConstraints for each previous cert in the chain which
+  // had nameConstraints. This corresponds to the permitted_subtrees and
+  // excluded_subtrees state variables from RFC 5280.
+  std::vector<const NameConstraints*> name_constraints_list_;
+
+  // |explicit_policy_| corresponds with the same named variable from RFC 5280
+  // section 6.1.2:
+  //
+  //   explicit_policy:  an integer that indicates if a non-NULL
+  //   valid_policy_tree is required.  The integer indicates the
+  //   number of non-self-issued certificates to be processed before
+  //   this requirement is imposed.  Once set, this variable may be
+  //   decreased, but may not be increased.  That is, if a certificate in the
+  //   path requires a non-NULL valid_policy_tree, a later certificate cannot
+  //   remove this requirement.  If initial-explicit-policy is set, then the
+  //   initial value is 0, otherwise the initial value is n+1.
+  size_t explicit_policy_;
+
+  // |inhibit_any_policy_| corresponds with the same named variable from RFC
+  // 5280 section 6.1.2:
+  //
+  //   inhibit_anyPolicy:  an integer that indicates whether the
+  //   anyPolicy policy identifier is considered a match.  The
+  //   integer indicates the number of non-self-issued certificates
+  //   to be processed before the anyPolicy OID, if asserted in a
+  //   certificate other than an intermediate self-issued
+  //   certificate, is ignored.  Once set, this variable may be
+  //   decreased, but may not be increased.  That is, if a
+  //   certificate in the path inhibits processing of anyPolicy, a
+  //   later certificate cannot permit it.  If initial-any-policy-
+  //   inhibit is set, then the initial value is 0, otherwise the
+  //   initial value is n+1.
+  size_t inhibit_any_policy_;
+
+  // |policy_mapping_| corresponds with the same named variable from RFC 5280
+  // section 6.1.2:
+  //
+  //   policy_mapping:  an integer that indicates if policy mapping
+  //   is permitted.  The integer indicates the number of non-self-
+  //   issued certificates to be processed before policy mapping is
+  //   inhibited.  Once set, this variable may be decreased, but may
+  //   not be increased.  That is, if a certificate in the path
+  //   specifies that policy mapping is not permitted, it cannot be
+  //   overridden by a later certificate.  If initial-policy-
+  //   mapping-inhibit is set, then the initial value is 0,
+  //   otherwise the initial value is n+1.
+  size_t policy_mapping_;
+
+  // |working_spki_| is an amalgamation of 3 separate variables from RFC 5280:
+  //    * working_public_key
+  //    * working_public_key_algorithm
+  //    * working_public_key_parameters
+  //
+  // They are combined for simplicity since the signature verification takes an
+  // SPKI, and the parameter inheritence is not applicable for the supported
+  // key types.
+  //
+  // An approximate explanation of |working_spki| is this description from RFC
+  // 5280 section 6.1.2:
+  //
+  //    working_public_key:  the public key used to verify the
+  //    signature of a certificate.
+  der::Input working_spki_;
+
+  // |working_normalized_issuer_name_| is the normalized value of the
+  // working_issuer_name variable in RFC 5280 section 6.1.2:
+  //
+  //    working_issuer_name:  the issuer distinguished name expected
+  //    in the next certificate in the chain.
+  der::Input working_normalized_issuer_name_;
+
+  // |max_path_length_| corresponds with the same named variable in RFC 5280
+  // section 6.1.2.
+  //
+  //    max_path_length:  this integer is initialized to n, is
+  //    decremented for each non-self-issued certificate in the path,
+  //    and may be reduced to the value in the path length constraint
+  //    field within the basic constraints extension of a CA
+  //    certificate.
+  size_t max_path_length_;
+};
+
+void PathVerifier::VerifyPolicies(const ParsedCertificate& cert,
+                                  bool is_target_cert,
+                                  CertErrors* errors) {
+  // From RFC 5280 section 6.1.3:
+  //
+  //  (d)  If the certificate policies extension is present in the
+  //       certificate and the valid_policy_tree is not NULL, process
+  //       the policy information by performing the following steps in
+  //       order:
+  if (cert.has_policy_oids() && !valid_policy_tree_.IsNull()) {
+    ValidPolicyTree::Level previous_level = valid_policy_tree_.StartLevel();
+
+    // Identify if there was a node with valid_policy == anyPolicy at depth i-1.
+    const ValidPolicyTree::Node* any_policy_node_prev_level =
+        ValidPolicyTree::FindAnyPolicyNode(previous_level);
+
+    //     (1)  For each policy P not equal to anyPolicy in the
+    //          certificate policies extension, let P-OID denote the OID
+    //          for policy P and P-Q denote the qualifier set for policy
+    //          P.  Perform the following steps in order:
+    bool cert_has_any_policy = false;
+    for (const der::Input& p_oid : cert.policy_oids()) {
+      if (p_oid == AnyPolicy()) {
+        cert_has_any_policy = true;
+        continue;
+      }
+
+      //        (i)   For each node of depth i-1 in the valid_policy_tree
+      //              where P-OID is in the expected_policy_set, create a
+      //              child node as follows: set the valid_policy to P-OID,
+      //              set the qualifier_set to P-Q, and set the
+      //              expected_policy_set to {P-OID}.
+      bool found_match = false;
+      for (const ValidPolicyTree::Node& prev_node : previous_level) {
+        if (SetContains(prev_node.expected_policy_set, p_oid)) {
+          valid_policy_tree_.AddNode(prev_node, p_oid);
+          found_match = true;
+        }
+      }
+
+      //        (ii)  If there was no match in step (i) and the
+      //              valid_policy_tree includes a node of depth i-1 with
+      //              the valid_policy anyPolicy, generate a child node with
+      //              the following values: set the valid_policy to P-OID,
+      //              set the qualifier_set to P-Q, and set the
+      //              expected_policy_set to  {P-OID}.
+      if (!found_match && any_policy_node_prev_level)
+        valid_policy_tree_.AddNode(*any_policy_node_prev_level, p_oid);
+    }
+
+    //     (2)  If the certificate policies extension includes the policy
+    //          anyPolicy with the qualifier set AP-Q and either (a)
+    //          inhibit_anyPolicy is greater than 0 or (b) i<n and the
+    //          certificate is self-issued, then:
+    //
+    //          For each node in the valid_policy_tree of depth i-1, for
+    //          each value in the expected_policy_set (including
+    //          anyPolicy) that does not appear in a child node, create a
+    //          child node with the following values: set the valid_policy
+    //          to the value from the expected_policy_set in the parent
+    //          node, set the qualifier_set to AP-Q, and set the
+    //          expected_policy_set to the value in the valid_policy from
+    //          this node.
+    if (cert_has_any_policy && ((inhibit_any_policy_ > 0) ||
+                                (!is_target_cert && IsSelfIssued(cert)))) {
+      // Keep track of the existing policies at depth i.
+      std::set<der::Input> child_node_policies;
+      for (const ValidPolicyTree::Node& node :
+           valid_policy_tree_.current_level())
+        child_node_policies.insert(node.valid_policy);
+
+      for (const ValidPolicyTree::Node& prev_node : previous_level) {
+        for (const der::Input& expected_policy :
+             prev_node.expected_policy_set) {
+          if (!SetContains(child_node_policies, expected_policy)) {
+            child_node_policies.insert(expected_policy);
+            valid_policy_tree_.AddNode(prev_node, expected_policy);
+          }
+        }
+      }
+    }
+
+    //     (3)  If there is a node in the valid_policy_tree of depth i-1
+    //          or less without any child nodes, delete that node.  Repeat
+    //          this step until there are no nodes of depth i-1 or less
+    //          without children.
+    //
+    // Nothing needs to be done for this step, since this implementation only
+    // stores the nodes at depth i, and the entire level has already been
+    // calculated.
+  }
+
+  //  (e)  If the certificate policies extension is not present, set the
+  //       valid_policy_tree to NULL.
+  if (!cert.has_policy_oids())
+    valid_policy_tree_.SetNull();
+
+  //  (f)  Verify that either explicit_policy is greater than 0 or the
+  //       valid_policy_tree is not equal to NULL;
+  if (!((explicit_policy_ > 0) || !valid_policy_tree_.IsNull()))
+    errors->AddError(kNoValidPolicy);
+}
+
+void PathVerifier::VerifyPolicyMappings(const ParsedCertificate& cert,
+                                        CertErrors* errors) {
+  if (!cert.has_policy_mappings())
+    return;
+
+  // From RFC 5280 section 6.1.4:
+  //
+  //  (a)  If a policy mappings extension is present, verify that the
+  //       special value anyPolicy does not appear as an
+  //       issuerDomainPolicy or a subjectDomainPolicy.
+  for (const ParsedPolicyMapping& mapping : cert.policy_mappings()) {
+    if (mapping.issuer_domain_policy == AnyPolicy() ||
+        mapping.subject_domain_policy == AnyPolicy()) {
+      // Because this implementation continues processing certificates after
+      // this error, clear the valid policy tree to ensure the
+      // "user_constrained_policy_set" output upon failure is empty.
+      valid_policy_tree_.SetNull();
+      errors->AddError(kPolicyMappingAnyPolicy);
+    }
+  }
+
+  //  (b)  If a policy mappings extension is present, then for each
+  //       issuerDomainPolicy ID-P in the policy mappings extension:
+  //
+  //     (1)  If the policy_mapping variable is greater than 0, for each
+  //          node in the valid_policy_tree of depth i where ID-P is the
+  //          valid_policy, set expected_policy_set to the set of
+  //          subjectDomainPolicy values that are specified as
+  //          equivalent to ID-P by the policy mappings extension.
+  //
+  //          If no node of depth i in the valid_policy_tree has a
+  //          valid_policy of ID-P but there is a node of depth i with a
+  //          valid_policy of anyPolicy, then generate a child node of
+  //          the node of depth i-1 that has a valid_policy of anyPolicy
+  //          as follows:
+  //
+  //        (i)    set the valid_policy to ID-P;
+  //
+  //        (ii)   set the qualifier_set to the qualifier set of the
+  //               policy anyPolicy in the certificate policies
+  //               extension of certificate i; and
+  //
+  //        (iii)  set the expected_policy_set to the set of
+  //               subjectDomainPolicy values that are specified as
+  //               equivalent to ID-P by the policy mappings extension.
+  //
+  if (policy_mapping_ > 0) {
+    const ValidPolicyTree::Node* any_policy_node =
+        ValidPolicyTree::FindAnyPolicyNode(valid_policy_tree_.current_level());
+
+    // Group mappings by issuer domain policy.
+    std::map<der::Input, std::set<der::Input>> mappings;
+    for (const ParsedPolicyMapping& mapping : cert.policy_mappings()) {
+      mappings[mapping.issuer_domain_policy].insert(
+          mapping.subject_domain_policy);
+    }
+
+    for (const auto& it : mappings) {
+      const der::Input& issuer_domain_policy = it.first;
+      const std::set<der::Input>& subject_domain_policies = it.second;
+      bool found_node = false;
+
+      for (ValidPolicyTree::Node& node : valid_policy_tree_.current_level()) {
+        if (node.valid_policy == issuer_domain_policy) {
+          node.expected_policy_set = subject_domain_policies;
+          found_node = true;
+        }
+      }
+
+      if (!found_node && any_policy_node) {
+        valid_policy_tree_.AddNodeWithExpectedPolicySet(
+            *any_policy_node, issuer_domain_policy, subject_domain_policies);
+      }
+    }
+  }
+
+  //  (b)  If a policy mappings extension is present, then for each
+  //       issuerDomainPolicy ID-P in the policy mappings extension:
+  //
+  //  ...
+  //
+  //     (2)  If the policy_mapping variable is equal to 0:
+  //
+  //        (i)    delete each node of depth i in the valid_policy_tree
+  //               where ID-P is the valid_policy.
+  //
+  //        (ii)   If there is a node in the valid_policy_tree of depth
+  //               i-1 or less without any child nodes, delete that
+  //               node.  Repeat this step until there are no nodes of
+  //               depth i-1 or less without children.
+  if (policy_mapping_ == 0) {
+    for (const ParsedPolicyMapping& mapping : cert.policy_mappings()) {
+      ValidPolicyTree::DeleteNodesMatchingValidPolicy(
+          mapping.issuer_domain_policy, &valid_policy_tree_.current_level());
+    }
+  }
+}
+
+void PathVerifier::BasicCertificateProcessing(
     const ParsedCertificate& cert,
     bool is_target_cert,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time,
-    const der::Input& working_spki,
-    const der::Input& working_normalized_issuer_name,
-    const std::vector<const NameConstraints*>& name_constraints_list,
+    KeyPurpose required_key_purpose,
     CertErrors* errors) {
   // Check that the signature algorithms in Certificate vs TBSCertificate
   // match. This isn't part of RFC 5280 section 6.1.3, but is mandated by
@@ -235,7 +779,7 @@ void BasicCertificateProcessing(
   // Verify the digital signature using the previous certificate's key (RFC
   // 5280 section 6.1.3 step a.1).
   if (!VerifySignedData(cert.signature_algorithm(), cert.tbs_certificate_tlv(),
-                        cert.signature_value(), working_spki, signature_policy,
+                        cert.signature_value(), working_spki_, signature_policy,
                         errors)) {
     errors->AddError(kVerifySignedDataFailed);
   }
@@ -249,15 +793,15 @@ void BasicCertificateProcessing(
 
   // Verify the certificate's issuer name matches the issuing certificate's
   // subject name. (RFC 5280 section 6.1.3 step a.4)
-  if (cert.normalized_issuer() != working_normalized_issuer_name)
+  if (cert.normalized_issuer() != working_normalized_issuer_name_)
     errors->AddError(kSubjectDoesNotMatchIssuer);
 
   // Name constraints (RFC 5280 section 6.1.3 step b & c)
   // If certificate i is self-issued and it is not the final certificate in the
   // path, skip this step for certificate i.
-  if (!name_constraints_list.empty() &&
+  if (!name_constraints_list_.empty() &&
       (!IsSelfIssued(cert) || is_target_cert)) {
-    for (const NameConstraints* nc : name_constraints_list) {
+    for (const NameConstraints* nc : name_constraints_list_) {
       if (!nc->IsPermittedCert(cert.normalized_subject(),
                                cert.subject_alt_names())) {
         errors->AddError(kNotPermittedByNameConstraints);
@@ -265,31 +809,30 @@ void BasicCertificateProcessing(
     }
   }
 
-  // TODO(eroman): Steps d-f are omitted, as policy constraints are not yet
-  // implemented.
+  // RFC 5280 section 6.1.3 step d - f.
+  VerifyPolicies(cert, is_target_cert, errors);
+
+  // The key purpose is checked not just for the end-entity certificate, but
+  // also interpreted as a constraint when it appears in intermediates. This
+  // goes beyond what RFC 5280 describes, but is the de-facto standard. See
+  // https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions
+  VerifyExtendedKeyUsage(cert, required_key_purpose, errors);
 }
 
-// This function corresponds to RFC 5280 section 6.1.4's "Preparation for
-// Certificate i+1" procedure. |cert| is expected to be an intermediate.
-void PrepareForNextCertificate(
-    const ParsedCertificate& cert,
-    size_t* max_path_length_ptr,
-    der::Input* working_spki,
-    der::Input* working_normalized_issuer_name,
-    std::vector<const NameConstraints*>* name_constraints_list,
+void PathVerifier::PrepareForNextCertificate(const ParsedCertificate& cert,
                                              CertErrors* errors) {
-  // TODO(crbug.com/634456): Steps a-b are omitted, as policy mappings are not
-  // yet implemented.
+  // RFC 5280 section 6.1.4 step a-b
+  VerifyPolicyMappings(cert, errors);
 
   // From RFC 5280 section 6.1.4 step c:
   //
   //    Assign the certificate subject name to working_normalized_issuer_name.
-  *working_normalized_issuer_name = cert.normalized_subject();
+  working_normalized_issuer_name_ = cert.normalized_subject();
 
   // From RFC 5280 section 6.1.4 step d:
   //
   //    Assign the certificate subjectPublicKey to working_public_key.
-  *working_spki = cert.tbs().spki_tlv;
+  working_spki_ = cert.tbs().spki_tlv;
 
   // Note that steps e and f are omitted as they are handled by
   // the assignment to |working_spki| above. See the definition
@@ -297,10 +840,53 @@ void PrepareForNextCertificate(
 
   // From RFC 5280 section 6.1.4 step g:
   if (cert.has_name_constraints())
-    name_constraints_list->push_back(&cert.name_constraints());
+    name_constraints_list_.push_back(&cert.name_constraints());
 
-  // TODO(eroman): Steps h-j are omitted as policy
-  // constraints/mappings/inhibitAnyPolicy are not yet implemented.
+  //     (h)  If certificate i is not self-issued:
+  if (!IsSelfIssued(cert)) {
+    //         (1)  If explicit_policy is not 0, decrement explicit_policy by
+    //              1.
+    if (explicit_policy_ > 0)
+      explicit_policy_ -= 1;
+
+    //         (2)  If policy_mapping is not 0, decrement policy_mapping by 1.
+    if (policy_mapping_ > 0)
+      policy_mapping_ -= 1;
+
+    //         (3)  If inhibit_anyPolicy is not 0, decrement inhibit_anyPolicy
+    //              by 1.
+    if (inhibit_any_policy_ > 0)
+      inhibit_any_policy_ -= 1;
+  }
+
+  //      (i)  If a policy constraints extension is included in the
+  //           certificate, modify the explicit_policy and policy_mapping
+  //           state variables as follows:
+  if (cert.has_policy_constraints()) {
+    //         (1)  If requireExplicitPolicy is present and is less than
+    //              explicit_policy, set explicit_policy to the value of
+    //              requireExplicitPolicy.
+    if (cert.policy_constraints().has_require_explicit_policy &&
+        cert.policy_constraints().require_explicit_policy < explicit_policy_) {
+      explicit_policy_ = cert.policy_constraints().require_explicit_policy;
+    }
+
+    //         (2)  If inhibitPolicyMapping is present and is less than
+    //              policy_mapping, set policy_mapping to the value of
+    //              inhibitPolicyMapping.
+    if (cert.policy_constraints().has_inhibit_policy_mapping &&
+        cert.policy_constraints().inhibit_policy_mapping < policy_mapping_) {
+      policy_mapping_ = cert.policy_constraints().inhibit_policy_mapping;
+    }
+  }
+
+  //      (j)  If the inhibitAnyPolicy extension is included in the
+  //           certificate and is less than inhibit_anyPolicy, set
+  //           inhibit_anyPolicy to the value of inhibitAnyPolicy.
+  if (cert.has_inhibit_any_policy() &&
+      cert.inhibit_any_policy() < inhibit_any_policy_) {
+    inhibit_any_policy_ = cert.inhibit_any_policy();
+  }
 
   // From RFC 5280 section 6.1.4 step k:
   //
@@ -327,10 +913,10 @@ void PrepareForNextCertificate(
   //    max_path_length is greater than zero and decrement
   //    max_path_length by 1.
   if (!IsSelfIssued(cert)) {
-    if (*max_path_length_ptr == 0) {
+    if (max_path_length_ == 0) {
       errors->AddError(kMaxPathLengthViolated);
     } else {
-      --(*max_path_length_ptr);
+      --max_path_length_;
     }
   }
 
@@ -340,8 +926,8 @@ void PrepareForNextCertificate(
   //    less than max_path_length, set max_path_length to the value
   //    of pathLenConstraint.
   if (cert.has_basic_constraints() && cert.basic_constraints().has_path_len &&
-      cert.basic_constraints().path_len < *max_path_length_ptr) {
-    *max_path_length_ptr = cert.basic_constraints().path_len;
+      cert.basic_constraints().path_len < max_path_length_) {
+    max_path_length_ = cert.basic_constraints().path_len;
   }
 
   // From RFC 5280 section 6.1.4 step n:
@@ -408,13 +994,22 @@ void VerifyTargetCertHasConsistentCaBits(const ParsedCertificate& cert,
   }
 }
 
-// This function corresponds with RFC 5280 section 6.1.5's "Wrap-Up Procedure".
-// It does processing for the final certificate (the target cert).
-void WrapUp(const ParsedCertificate& cert, CertErrors* errors) {
-  // TODO(crbug.com/634452): Steps a-b are omitted as policy constraints are not
-  // yet implemented.
+void PathVerifier::WrapUp(const ParsedCertificate& cert, CertErrors* errors) {
+  // From RFC 5280 section 6.1.5:
+  //      (a)  If explicit_policy is not 0, decrement explicit_policy by 1.
+  if (explicit_policy_ > 0)
+    explicit_policy_ -= 1;
+
+  //      (b)  If a policy constraints extension is included in the
+  //           certificate and requireExplicitPolicy is present and has a
+  //           value of 0, set the explicit_policy state variable to 0.
+  if (cert.has_policy_constraints() &&
+      cert.policy_constraints().has_require_explicit_policy &&
+      cert.policy_constraints().require_explicit_policy == 0) {
+    explicit_policy_ = 0;
+  }
 
-  // Note step c-e are omitted the verification function does
+  // Note step c-e are omitted as the verification function does
   // not output the working public key.
 
   // From RFC 5280 section 6.1.5 step f:
@@ -428,23 +1023,23 @@ void WrapUp(const ParsedCertificate& cert, CertErrors* errors) {
   // directly match the procedures in RFC 5280's section 6.1.
   VerifyNoUnconsumedCriticalExtensions(cert, errors);
 
-  // TODO(eroman): Step g is omitted, as policy constraints are not yet
-  // implemented.
+  // RFC 5280 section 6.1.5 step g is skipped, as the intersection of valid
+  // policies was computed during previous steps.
+  //
+  //    If either (1) the value of explicit_policy variable is greater than
+  //    zero or (2) the valid_policy_tree is not NULL, then path processing
+  //   has succeeded.
+  if (!(explicit_policy_ > 0 || !valid_policy_tree_.IsNull())) {
+    errors->AddError(kNoValidPolicy);
+  }
 
   // The following check is NOT part of RFC 5280 6.1.5's "Wrap-Up Procedure",
   // however is implied by RFC 5280 section 4.2.1.9.
   VerifyTargetCertHasConsistentCaBits(cert, errors);
 }
 
-// Enforces trust anchor constraints compatibile with RFC 5937.
-//
-// Note that the anchor constraints are encoded via the attached certificate
-// itself.
-void ApplyTrustAnchorConstraints(
-    const ParsedCertificate& cert,
+void PathVerifier::ApplyTrustAnchorConstraints(const ParsedCertificate& cert,
                                                KeyPurpose required_key_purpose,
-    size_t* max_path_length_ptr,
-    std::vector<const NameConstraints*>* name_constraints_list,
                                                CertErrors* errors) {
   // This is not part of RFC 5937 nor RFC 5280, but matches the EKU handling
   // done for intermediates (described in Web PKI's Baseline Requirements).
@@ -454,7 +1049,7 @@ void ApplyTrustAnchorConstraints(
 
   // Initialize name constraints initial-permitted/excluded-subtrees.
   if (cert.has_name_constraints())
-    name_constraints_list->push_back(&cert.name_constraints());
+    name_constraints_list_.push_back(&cert.name_constraints());
 
   // TODO(eroman): Initialize user-initial-policy-set based on anchor
   // constraints.
@@ -477,7 +1072,7 @@ void ApplyTrustAnchorConstraints(
   // NOTE: RFC 5937 does not say to enforce the CA=true part of basic
   // constraints.
   if (cert.has_basic_constraints() && cert.basic_constraints().has_path_len)
-    *max_path_length_ptr = cert.basic_constraints().path_len;
+    max_path_length_ = cert.basic_constraints().path_len;
 
   // From RFC 5937 section 2:
   //
@@ -487,22 +1082,15 @@ void ApplyTrustAnchorConstraints(
   VerifyNoUnconsumedCriticalExtensions(cert, errors);
 }
 
-// Initializes the path validation algorithm given anchor constraints. This
-// follows the description in RFC 5937
-void ProcessRootCertificate(
-    const ParsedCertificate& cert,
+void PathVerifier::ProcessRootCertificate(const ParsedCertificate& cert,
                                           const CertificateTrust& trust,
                                           KeyPurpose required_key_purpose,
-    size_t* max_path_length_ptr,
-    std::vector<const NameConstraints*>* name_constraints_list,
-    der::Input* working_spki,
-    der::Input* working_normalized_issuer_name,
                                           CertErrors* errors) {
   // Use the certificate's SPKI and subject when verifying the next certificate.
   // Note this is initialized even in the case of untrusted roots (they already
   // emit an error for the distrust).
-  *working_spki = cert.tbs().spki_tlv;
-  *working_normalized_issuer_name = cert.normalized_subject();
+  working_spki_ = cert.tbs().spki_tlv;
+  working_normalized_issuer_name_ = cert.normalized_subject();
 
   switch (trust.type) {
     case CertificateTrustType::UNSPECIFIED:
@@ -517,24 +1105,26 @@ void ProcessRootCertificate(
     case CertificateTrustType::TRUSTED_ANCHOR_WITH_CONSTRAINTS:
       // If the trust anchor has constraints, enforce them.
       if (trust.type == CertificateTrustType::TRUSTED_ANCHOR_WITH_CONSTRAINTS) {
-        ApplyTrustAnchorConstraints(cert, required_key_purpose,
-                                    max_path_length_ptr, name_constraints_list,
-                                    errors);
+        ApplyTrustAnchorConstraints(cert, required_key_purpose, errors);
       }
       break;
   }
 }
 
-}  // namespace
-
-// This implementation is structured to mimic the description of certificate
-// path verification given by RFC 5280 section 6.1.
-void VerifyCertificateChain(const ParsedCertificateList& certs,
+void PathVerifier::Run(
+    const ParsedCertificateList& certs,
     const CertificateTrust& last_cert_trust,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time,
     KeyPurpose required_key_purpose,
+    InitialExplicitPolicy initial_explicit_policy,
+    const std::set<der::Input>& user_initial_policy_set,
+    InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
+    InitialAnyPolicyInhibit initial_any_policy_inhibit,
+    std::set<der::Input>* user_constrained_policy_set,
     CertPathErrors* errors) {
+  // This implementation is structured to mimic the description of certificate
+  // path verification given by RFC 5280 section 6.1.
   DCHECK(signature_policy);
   DCHECK(errors);
 
@@ -551,50 +1141,48 @@ void VerifyCertificateChain(const ParsedCertificateList& certs,
     return;
   }
 
-  // Will contain a NameConstraints for each previous cert in the chain which
-  // had nameConstraints. This corresponds to the permitted_subtrees and
-  // excluded_subtrees state variables from RFC 5280.
-  std::vector<const NameConstraints*> name_constraints_list;
+  // RFC 5280's "n" variable is the length of the path, which does not count
+  // the trust anchor. (Although in practice it doesn't really change behaviors
+  // if n is used in place of n+1).
+  const size_t n = certs.size() - 1;
 
-  // |working_spki| is an amalgamation of 3 separate variables from RFC 5280:
-  //    * working_public_key
-  //    * working_public_key_algorithm
-  //    * working_public_key_parameters
-  //
-  // They are combined for simplicity since the signature verification takes an
-  // SPKI, and the parameter inheritence is not applicable for the supported
-  // key types.
-  //
-  // An approximate explanation of |working_spki| is this description from RFC
-  // 5280 section 6.1.2:
+  valid_policy_tree_.Init(user_initial_policy_set);
+
+  // RFC 5280 section section 6.1.2:
   //
-  //    working_public_key:  the public key used to verify the
-  //    signature of a certificate.
-  der::Input working_spki;
+  // If initial-explicit-policy is set, then the initial value
+  // [of explicit_policy] is 0, otherwise the initial value is n+1.
+  explicit_policy_ =
+      initial_explicit_policy == InitialExplicitPolicy::kTrue ? 0 : n + 1;
 
-  // |working_normalized_issuer_name| is the normalized value of the
-  // working_issuer_name variable in RFC 5280 section 6.1.2:
+  // RFC 5280 section section 6.1.2:
   //
-  //    working_issuer_name:  the issuer distinguished name expected
-  //    in the next certificate in the chain.
-  der::Input working_normalized_issuer_name;
+  // If initial-any-policy-inhibit is set, then the initial value
+  // [of inhibit_anyPolicy] is 0, otherwise the initial value is n+1.
+  inhibit_any_policy_ =
+      initial_any_policy_inhibit == InitialAnyPolicyInhibit::kTrue ? 0 : n + 1;
 
-  // |max_path_length| corresponds with the same named variable in RFC 5280
-  // section 6.1.2:
+  // RFC 5280 section section 6.1.2:
   //
-  //    max_path_length:  this integer is initialized to n, is
-  //    decremented for each non-self-issued certificate in the path,
-  //    and may be reduced to the value in the path length constraint
-  //    field within the basic constraints extension of a CA
-  //    certificate.
-  size_t max_path_length = certs.size();
+  // If initial-policy-mapping-inhibit is set, then the initial value
+  // [of policy_mapping] is 0, otherwise the initial value is n+1.
+  policy_mapping_ =
+      initial_policy_mapping_inhibit == InitialPolicyMappingInhibit::kTrue
+          ? 0
+          : n + 1;
+
+  // RFC 5280 section section 6.1.2:
+  //
+  // max_path_length:  this integer is initialized to n, ...
+  max_path_length_ = n;
 
   // Iterate over all the certificates in the reverse direction: starting from
   // the root certificate and progressing towards the target certificate.
   //
   //   * i=0  :  Root certificate (i.e. trust anchor)
-  //   * i=1               :  Certificated signed by the root certificate
-  //   * i=certs.size()-1  :  Target certificate.
+  //   * i=1  :  Certificate issued by root
+  //   * i=x  :  Certificate i=x is issued by certificate i=x-1
+  //   * i=n  :  Target certificate.
   for (size_t i = 0; i < certs.size(); ++i) {
     const size_t index_into_certs = certs.size() - i - 1;
 
@@ -612,8 +1200,6 @@ void VerifyCertificateChain(const ParsedCertificateList& certs,
 
     if (is_root_cert) {
       ProcessRootCertificate(cert, last_cert_trust, required_key_purpose,
-                             &max_path_length, &name_constraints_list,
-                             &working_spki, &working_normalized_issuer_name,
                              cert_errors);
 
       // Don't do any other checks for root certificates.
@@ -626,28 +1212,45 @@ void VerifyCertificateChain(const ParsedCertificateList& certs,
     //     - Then run "Wrap up"
     //     - Otherwise run "Prepare for Next cert"
     BasicCertificateProcessing(cert, is_target_cert, signature_policy, time,
-                               working_spki, working_normalized_issuer_name,
-                               name_constraints_list, cert_errors);
-
-    // The key purpose is checked not just for the end-entity certificate, but
-    // also interpreted as a constraint when it appears in intermediates. This
-    // goes beyond what RFC 5280 describes, but is the de-facto standard. See
-    // https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions
-    VerifyExtendedKeyUsage(cert, required_key_purpose, cert_errors);
-
+                               required_key_purpose, cert_errors);
     if (!is_target_cert) {
-      PrepareForNextCertificate(cert, &max_path_length, &working_spki,
-                                &working_normalized_issuer_name,
-                                &name_constraints_list, cert_errors);
+      PrepareForNextCertificate(cert, cert_errors);
     } else {
       WrapUp(cert, cert_errors);
     }
   }
 
+  if (user_constrained_policy_set) {
+    // valid_policy_tree_ already contains the intersection of valid policies
+    // with user_initial_policy_set.
+    valid_policy_tree_.GetValidRootPolicySet(user_constrained_policy_set);
+  }
+
   // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1:
   //
   //    A certificate MUST NOT appear more than once in a prospective
   //    certification path.
 }
 
+}  // namespace
+
+void VerifyCertificateChain(
+    const ParsedCertificateList& certs,
+    const CertificateTrust& last_cert_trust,
+    const SignaturePolicy* signature_policy,
+    const der::GeneralizedTime& time,
+    KeyPurpose required_key_purpose,
+    InitialExplicitPolicy initial_explicit_policy,
+    const std::set<der::Input>& user_initial_policy_set,
+    InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
+    InitialAnyPolicyInhibit initial_any_policy_inhibit,
+    std::set<der::Input>* user_constrained_policy_set,
+    CertPathErrors* errors) {
+  PathVerifier verifier;
+  verifier.Run(certs, last_cert_trust, signature_policy, time,
+               required_key_purpose, initial_explicit_policy,
+               user_initial_policy_set, initial_policy_mapping_inhibit,
+               initial_any_policy_inhibit, user_constrained_policy_set, errors);
+}
+
 }  // namespace net

net/cert/internal/verify_certificate_chain.h

@@ -5,7 +5,7 @@
 #ifndef NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 #define NET_CERT_INTERNAL_VERIFY_CERTIFICATE_CHAIN_H_
 
-#include <vector>
+#include <set>
 
 #include "base/compiler_specific.h"
 #include "base/memory/ref_counted.h"
@@ -30,72 +30,160 @@ enum class KeyPurpose {
   CLIENT_AUTH,
 };
 
+enum class InitialExplicitPolicy {
+  kFalse,
+  kTrue,
+};
+
+enum class InitialPolicyMappingInhibit {
+  kFalse,
+  kTrue,
+};
+
+enum class InitialAnyPolicyInhibit {
+  kFalse,
+  kTrue,
+};
+
 // VerifyCertificateChain() verifies an ordered certificate path in accordance
-// with RFC 5280 (with some modifications [1]).
+// with RFC 5280's "Certification Path Validation" algorithm (section 6).
 //
-// [1] Deviations from RFC 5280:
+// -----------------------------------------
+// Deviations from RFC 5280
+// -----------------------------------------
 //
-//   * If Extended Key Usage appears on intermediates it is treated as a
-//     restriction on subordinate certificates.
+//   * If Extended Key Usage appears on intermediates, it is treated as
+//     a restriction on subordinate certificates.
 //
-// The caller is responsible for additionally checking:
-//
-//  * The end-entity's KeyUsage before using its SPKI.
-//  * The end-entity's name/subjectAltName (note that name constraints from
-//    intermediates will have already been applied, so just need to check
-//    the end-entity for a match).
-//  * Policies
+// -----------------------------------------
+// Additional responsibilities of the caller
+// -----------------------------------------
 //
-// WARNING: This implementation is in progress, and is currently incomplete.
-// Consult an OWNER before using it.
+// After successful path verification, the caller is responsible for
+// subsequently checking:
 //
-// TODO(eroman): Take a CertPath instead of ParsedCertificateList +
-//               TrustAnchor.
+//  * The end-entity's KeyUsage before using its SPKI.
+//  * The end-entity's name/subjectAltName. Name constraints from intermediates
+//    will have already been applied, so it is sufficient to check the
+//    end-entity for a match.
 //
 // ---------
 // Inputs
 // ---------
 //
-//   cert_chain:
-//     A non-empty chain of N DER-encoded certificates, listed in the
-//     "forward" direction. The first certificate is the target certificate to
-//     verify, and the last certificate has trustedness given by
-//     |last_cert_trust|.
+//   certs:
+//     A non-empty chain of DER-encoded certificates, listed in the
+//     "forward" direction. The first certificate is the target
+//     certificate to verify, and the last certificate has trustedness
+//     given by |last_cert_trust| (generally a trust anchor).
+//
+//      * certs[0] is the target certificate to verify.
+//      * certs[i+1] holds the certificate that issued cert_chain[i].
+//      * certs[N-1] the root certificate
 //
-//      * cert_chain[0] is the target certificate to verify.
-//      * cert_chain[i+1] holds the certificate that issued cert_chain[i].
-//      * cert_chain[N-1] the root certificate
+//     Note that THIS IS NOT identical in meaning to the same named
+//     "certs" input defined in RFC 5280 section 6.1.1.a. The differences
+//     are:
+//
+//      * The order of certificates is reversed
+//      * In RFC 5280 "certs" DOES NOT include the trust anchor
 //
 //   last_cert_trust:
-//     Trustedness of certs.back(). The trustedness of certs.back() MUST BE
-//     decided by the caller -- this function takes it purely as an input.
-//     Moreover, the CertificateTrust can be used to specify trust anchor
-//     constraints [1]
+//     Trustedness of |certs.back()|. The trustedness of |certs.back()|
+//     MUST BE decided by the caller -- this function takes it purely as
+//     an input. Moreover, the CertificateTrust can be used to specify
+//     trust anchor constraints.
+//
+//     This combined with |certs.back()| (the root certificate) fills a
+//     similar role to "trust anchor information" defined in RFC 5280
+//     section 6.1.1.d.
 //
 //   signature_policy:
 //     The policy to use when verifying signatures (what hash algorithms are
 //     allowed, what length keys, what named curves, etc).
 //
 //   time:
-//     The UTC time to use for expiration checks.
+//     The UTC time to use for expiration checks. This is equivalent to
+//     the input from RFC 5280 section 6.1.1:
 //
-//   key_purpose:
+//       (b)  the current date/time.
+//
+//   required_key_purpose:
 //     The key purpose that the target certificate needs to be valid for.
 //
+//   user_initial_policy_set:
+//     This is equivalent to the same named input in RFC 5280 section
+//     6.1.1:
+//
+//       (c)  user-initial-policy-set: A set of certificate policy
+//            identifiers naming the policies that are acceptable to the
+//            certificate user. The user-initial-policy-set contains the
+//            special value any-policy if the user is not concerned about
+//            certificate policy.
+//
+//   initial_policy_mapping_inhibit:
+//     This is equivalent to the same named input in RFC 5280 section
+//     6.1.1:
+//
+//       (e)  initial-policy-mapping-inhibit, which indicates if policy
+//            mapping is allowed in the certification path.
+//
+//   initial_explicit_policy:
+//     This is equivalent to the same named input in RFC 5280 section
+//     6.1.1:
+//
+//       (f)  initial-explicit-policy, which indicates if the path must be
+//            valid for at least one of the certificate policies in the
+//            user-initial-policy-set.
+//
+//   initial_any_policy_inhibit:
+//     This is equivalent to the same named input in RFC 5280 section
+//     6.1.1:
+//
+//       (g)  initial-any-policy-inhibit, which indicates whether the
+//            anyPolicy OID should be processed if it is included in a
+//            certificate.
+//
 // ---------
 // Outputs
 // ---------
+//
+//   user_constrained_policy_set:
+//     Can be null. If non-null, |user_constrained_policy_set| will be filled
+//     with the matching policies (intersected with user_initial_policy_set).
+//     This is equivalent to the same named output in X.509 section 10.2.
+//     Note that it is OK for this to point to input user_initial_policy_set.
+//
 //   errors:
 //     Must be non-null. The set of errors/warnings encountered while
 //     validating the path are appended to this structure. If verification
 //     failed, then there is guaranteed to be at least 1 high severity error
 //     written to |errors|.
 //
-// [1] Conceptually VerifyCertificateChain() sets RFC 5937's
-// "enforceTrustAnchorConstraints" to true. And one specifies whether to
-// interpret a root certificate as having trust anchor constraints through the
-// |last_cert_trust| parameter. The constraints are just a subset of the
-// extensions present in the certificate:
+// -------------------------
+// Trust Anchor constraints
+// -------------------------
+//
+// Conceptually, VerifyCertificateChain() sets RFC 5937's
+// "enforceTrustAnchorConstraints" to true.
+//
+// One specifies trust anchor constraints using the |last_cert_trust|
+// parameter in conjunction with extensions appearing in |certs.back()|.
+//
+// The trust anchor |certs.back()| is always passed as a certificate to
+// this function, however the manner in which that certificate is
+// interpreted depends on |last_cert_trust|:
+//
+// TRUSTED_ANCHOR:
+//
+// No properties from the root certificate, other than its Subject and
+// SPKI, are checked during verification. This is the usual
+// interpretation for a "trust anchor".
+//
+// TRUSTED_ANCHOR_WITH_CONSTRAINTS:
+//
+// Only a subset of extensions and properties from the certificate are checked,
+// as described by RFC 5937.
 //
 //  * Signature:             No
 //  * Validity (expiration): No
@@ -104,16 +192,23 @@ enum class KeyPurpose {
 //  * Basic constraints:     Yes, but only the pathlen (CA=false is accepted)
 //  * Name constraints:      Yes
 //  * Certificate policies:  Not currently, TODO(crbug.com/634453)
+//  * Policy Mappings:       No
 //  * inhibitAnyPolicy:      Not currently, TODO(crbug.com/634453)
 //  * PolicyConstraints:     Not currently, TODO(crbug.com/634452)
 //
 // The presence of any other unrecognized extension marked as critical fails
 // validation.
-NET_EXPORT void VerifyCertificateChain(const ParsedCertificateList& certs,
+NET_EXPORT void VerifyCertificateChain(
+    const ParsedCertificateList& certs,
     const CertificateTrust& last_cert_trust,
     const SignaturePolicy* signature_policy,
     const der::GeneralizedTime& time,
     KeyPurpose required_key_purpose,
+    InitialExplicitPolicy initial_explicit_policy,
+    const std::set<der::Input>& user_initial_policy_set,
+    InitialPolicyMappingInhibit initial_policy_mapping_inhibit,
+    InitialAnyPolicyInhibit initial_any_policy_inhibit,
+    std::set<der::Input>* user_constrained_policy_set,
     CertPathErrors* errors);
 
 // TODO(crbug.com/634443): Move exported errors to a central location?

net/cert/internal/verify_certificate_chain_pkits_unittest.cc

@@ -67,12 +67,19 @@ class VerifyCertificateChainPkitsTestDelegate {
 
     SimpleSignaturePolicy signature_policy(1024);
 
+    std::set<der::Input> user_constrained_policy_set;
+
     CertPathErrors path_errors;
-    VerifyCertificateChain(input_chain, CertificateTrust::ForTrustAnchor(),
-                           &signature_policy, info.time, KeyPurpose::ANY_EKU,
+    VerifyCertificateChain(
+        input_chain, CertificateTrust::ForTrustAnchor(), &signature_policy,
+        info.time, KeyPurpose::ANY_EKU, info.initial_explicit_policy,
+        info.initial_policy_set, info.initial_policy_mapping_inhibit,
+        info.initial_inhibit_any_policy, &user_constrained_policy_set,
         &path_errors);
     bool did_succeed = !path_errors.ContainsHighSeverityErrors();
 
+    EXPECT_EQ(info.user_constrained_policy_set, user_constrained_policy_set);
+
     //  TODO(crbug.com/634443): Test errors on failure?
     if (info.should_validate != did_succeed) {
       ASSERT_EQ(info.should_validate, did_succeed)
@@ -221,6 +228,21 @@ INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
                               PkitsTest07KeyUsage,
                               VerifyCertificateChainPkitsTestDelegate);
+INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
+                              PkitsTest08CertificatePolicies,
+                              VerifyCertificateChainPkitsTestDelegate);
+INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
+                              PkitsTest09RequireExplicitPolicy,
+                              VerifyCertificateChainPkitsTestDelegate);
+INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
+                              PkitsTest10PolicyMappings,
+                              VerifyCertificateChainPkitsTestDelegate);
+INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
+                              PkitsTest11InhibitPolicyMapping,
+                              VerifyCertificateChainPkitsTestDelegate);
+INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
+                              PkitsTest12InhibitAnyPolicy,
+                              VerifyCertificateChainPkitsTestDelegate);
 INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
                               PkitsTest13NameConstraints,
                               VerifyCertificateChainPkitsTestDelegate);
@@ -232,8 +254,4 @@ INSTANTIATE_TYPED_TEST_CASE_P(VerifyCertificateChain,
 // PkitsTest05VerifyingPathswithSelfIssuedCertificates,
 // PkitsTest14DistributionPoints, PkitsTest15DeltaCRLs
 
-// TODO(mattm): Certificate Policies support: PkitsTest08CertificatePolicies,
-// PkitsTest09RequireExplicitPolicy PkitsTest10PolicyMappings,
-// PkitsTest11InhibitPolicyMapping, PkitsTest12InhibitAnyPolicy
-
 }  // namespace net

net/cert/internal/verify_certificate_chain_unittest.cc

@@ -19,8 +19,13 @@ class VerifyCertificateChainDelegate {
     SimpleSignaturePolicy signature_policy(1024);
 
     CertPathErrors errors;
-    VerifyCertificateChain(test.chain, test.last_cert_trust, &signature_policy,
-                           test.time, test.key_purpose, &errors);
+    // TODO(eroman): Check user_constrained_policy_set.
+    VerifyCertificateChain(
+        test.chain, test.last_cert_trust, &signature_policy, test.time,
+        test.key_purpose, test.initial_explicit_policy,
+        test.user_initial_policy_set, test.initial_policy_mapping_inhibit,
+        test.initial_any_policy_inhibit,
+        nullptr /*user_constrained_policy_set*/, &errors);
     EXPECT_EQ(test.expected_errors, errors.ToDebugString(test.chain))
         << "Test file: " << test_file_path;
   }

net/third_party/nist-pkits/generate_tests.py

@@ -688,6 +688,17 @@ TEST_OVERRIDES = {
              user_constrained_policy_set=[]),
   ],
 
+  '4.10.7': [ # Invalid Mapping From anyPolicy Test7 
+    # Procedure: Validate Invalid Mapping From anyPolicy Test7 EE using the
+    # default settings or open and verify Signed Test Message 6.2.2.100 using
+    # the default settings.
+    #
+    # Expected Result: The path should not validate successfully since the
+    # intermediate certificate includes a policy mapping extension in which
+    # anyPolicy appears as an issuerDomainPolicy. 
+    TestInfo(False, user_constrained_policy_set=[]),
+  ],
+
   '4.10.8': [ # Invalid Mapping To anyPolicy Test8
     # Procedure: Validate Invalid Mapping To anyPolicy Test8 EE using the
     # default settings or open and verify Signed Test Message 6.2.2.101 using
@@ -696,8 +707,6 @@ TEST_OVERRIDES = {
     # Expected Result: The path should not validate successfully since the
     # intermediate certificate includes a policy mapping extension in which
     # anyPolicy appears as an subjectDomainPolicy.
-    #
-    # TODO(eroman): What should user_constrained_policy_set be?
     TestInfo(False, user_constrained_policy_set=[]),
   ],
 

net/third_party/nist-pkits/pkits_testcases-inl.h

@@ -2113,6 +2113,7 @@ WRAPPED_TYPED_TEST_P(PkitsTest10PolicyMappings,
                               "MappingFromanyPolicyCACRL"};
   PkitsTestInfo info;
   info.should_validate = false;
+  info.SetUserConstrainedPolicySet("");
 
   this->RunTest(certs, crls, info);
 }