Bring in the core of chromium certificate verifier as libpki

Initially this leaves the canonical source in chrome, Additions
and fillins are committed directly, the chrome files are coverted
using the IMPORT script run from the pki directory for the moment.

The intention here is to continue frequent automatic conversion
(and avoid wholesale cosmetic changes in here for now) until
chrome converts to use these files in place of it's versions.
At that point these will become the definiative files, and the
IMPORT script can be tossed out.

A middle step along the way will be to change google3's verify.cc
in third_party/chromium_certificate_verifier to use this instead
of it's own extracted copy.

Status (and what is not done yet) being roughly tracked in README.md

Bug: chromium:1322914

Change-Id: Ibdb5479bc68985fa61ce6b10f98f31f6b3a7cbdf
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60285
Commit-Queue: Bob Beck <bbe@google.com>
Reviewed-by: Adam Langley <agl@google.com>

Author: Bob Beck

CMakeLists.txt

@@ -139,7 +139,8 @@ set(CMAKE_C_STANDARD_REQUIRED ON)
 if(CMAKE_COMPILER_IS_GNUCXX OR CLANG)
   # Note clang-cl is odd and sets both CLANG and MSVC. We base our configuration
   # primarily on our normal Clang one.
-  set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wmissing-field-initializers -Wwrite-strings -Wvla -Wshadow -Wtype-limits")
+  # TODO(bbe) took out -Wmissing-field-initializers for pki - fix and put back or disable only for pki
+  set(C_CXX_FLAGS "-Werror -Wformat=2 -Wsign-compare -Wwrite-strings -Wvla -Wshadow -Wtype-limits")
   if(MSVC)
     # clang-cl sets different default warnings than clang. It also treats -Wall
     # as -Weverything, to match MSVC. Instead -W3 is the alias for -Wall.
@@ -518,6 +519,7 @@ add_subdirectory(tool)
 add_subdirectory(util/fipstools)
 add_subdirectory(util/fipstools/acvp/modulewrapper)
 add_subdirectory(decrepit)
+add_subdirectory(pki)
 
 if(FUZZ)
   if(LIBFUZZER_FROM_DEPS)

pki/CMakeLists.txt

@@ -0,0 +1,103 @@
+project(pki)
+cmake_minimum_required(VERSION 3.25)
+set(CMAKE_CXX_STANDARD 17)
+
+add_library(
+  pki
+
+  fillins/ip_address.cc
+  fillins/utf_string_conversions.cc
+  fillins/string_util.cc
+  fillins/base64.cc
+  fillins/openssl_util.cc
+  string_util.cc
+  trust_store.cc
+  trust_store_collection.cc
+  parse_certificate.cc
+  parsed_certificate.cc
+  parser.cc
+  parse_values.cc
+  parse_name.cc
+  parsed_certificate.cc
+  name_constraints.cc
+  input.cc
+  tag.cc
+  cert_errors.cc
+  general_names.cc
+  pem.cc
+  crl.cc
+  revocation_util.cc
+  encode_values.cc
+  verify_name_match.cc
+  cert_errors.cc
+  common_cert_errors.cc
+  parse_certificate.cc
+  parsed_certificate.cc
+  extended_key_usage.cc
+  certificate_policies.cc
+  verify_certificate_chain.cc
+  verify_signed_data.cc
+  signature_algorithm.cc
+  cert_error_id.cc
+  cert_error_params.cc
+  trust_store.cc
+  trust_store_collection.cc
+  trust_store_in_memory.cc
+  simple_path_builder_delegate.cc
+  cert_issuer_source_static.cc
+  path_builder.cc
+)
+# Although libpki also provides headers that require an include directory, the
+# flag is already specified by libcrypto, so we omit target_include_directories
+# here.
+install_if_enabled(TARGETS pki EXPORT OpenSSLTargets ${INSTALL_DESTINATION_DEFAULT})
+set_property(TARGET pki PROPERTY EXPORT_NAME PKI)
+set_property(TARGET pki PROPERTY CXX_STANDARD 17)
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D_BORINGSSL_LIBPKI_")
+if (APPLE)
+   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-aligned-new")
+endif()
+target_link_libraries(pki ssl crypto)
+
+add_executable(
+  pki_test
+
+  fillins/path_service.cc
+  fillins/file_util.cc
+  test_helpers.cc
+  string_util_unittest.cc
+  parser_unittest.cc
+  parse_values_unittest.cc
+  input_unittest.cc
+  signature_algorithm_unittest.cc
+  extended_key_usage_unittest.cc
+  parse_name_unittest.cc
+  verify_name_match_unittest.cc
+  verify_signed_data_unittest.cc
+  parse_certificate_unittest.cc
+  parsed_certificate_unittest.cc
+  simple_path_builder_delegate_unittest.cc
+  trust_store_collection_unittest.cc
+  certificate_policies_unittest.cc
+  verify_certificate_chain_unittest.cc
+  nist_pkits_unittest.cc
+  path_builder_pkits_unittest.cc
+  name_constraints_unittest.cc
+  cert_issuer_source_static_unittest.cc
+  path_builder_unittest.cc
+  mock_signature_verify_cache.cc
+  path_builder_verify_certificate_chain_unittest.cc
+  verify_certificate_chain_pkits_unittest.cc
+#  encode_values_unittest.cc  # Currently does a bunch of time goo..
+#  ocsp_unittest.cc           # Not sure we will keep this here.. 
+)
+target_link_libraries(pki_test test_support_lib boringssl_gtest_main pki ssl crypto)
+set_property(TARGET pki_test PROPERTY CXX_STANDARD 17)
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D_BORINGSSL_LIBPKI_")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -D_BORINGSSL_PKI_SRCDIR_=${CMAKE_CURRENT_SOURCE_DIR}")
+if (APPLE)
+   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-aligned-new")
+endif()
+add_dependencies(all_tests pki_test)
+
+

pki/IMPORT

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Set this to be the location of a chromium checkout, and 
+# apply the patches in ./patches with "git am" first 
+# before running this script.
+CHROMIUM_SRC=~/chromium/src
+
+mkdir -p ./testdata
+cp $CHROMIUM_SRC/net/test/test_certificate_data.h ./testdata
+
+tar -C $CHROMIUM_SRC/net/third_party -cf -  nist-pkits | tar -C ./testdata -xf - 
+tar -C $CHROMIUM_SRC/net/data -cf -  cert_issuer_source_static_unittest \
+    ssl/certificates \
+    certificate_policies_unittest \
+    name_constraints_unittest \
+    ocsp_unittest \
+    parse_certificate_unittest \
+    path_builder_unittest \
+    verify_certificate_chain_unittest \
+    verify_name_match_unittest \
+    verify_signed_data_unittest | tar -C ./testdata -xf -
+
+go run ./import_tool.go -spec import_spec.json --source-base $CHROMIUM_SRC -dest-base .

pki/README.md

@@ -0,0 +1,32 @@
+# BoringSSL pki - Web PKI Certificate path building and verification library
+
+This directory and library should be considered experimental and should not be
+depended upon not to change without notice.  You should not use this.
+
+It contains an extracted and modified copy of chrome's certificate
+verifier core logic.
+
+It is for the moment, intended to be synchronized from a checkout of chrome's
+head with the IMPORT script run in this directory. The eventual goal is to
+make both chrome and google3 consume this.
+
+## Current status:
+ * Some of the Path Builder tests depending on chrome testing classes and
+   SavedUserData are disabled. These probably need either a mimicing
+   SaveUserData class here, or be pulled out into chrome only.
+ * This contains a copy of der as bssl:der - a consideration for
+   re-integrating with chromium. the encode_values part of der does not include
+   the base::time or absl::time based stuff as they are not used within the
+   library, this should probably be split out for chrome, or chrome's der could
+   be modified (along with this one and eventually merged together) to not use
+   base::time for encoding GeneralizedTimes, but rather use boringssl posix
+   times as does the rest of this library.
+ * The Name Constraint limitation code is modified to remove clamped_math
+   and mimic BoringSSL's overall limits - Some of the tests that test
+   for specific edge cases for chrome's limits have been disabled. The
+   tests need to be changed to reflect the overall limit, or ignored
+   and we make name constraints subquadratic and stop caring about this.
+ * Fuzzer targets are not yet hooked up.
+ 
+
+