author: btolsch <btolsch@chromium.org> 2019-08-07 17:48:33 -0700
committer: Commit Bot <commit-bot@chromium.org> 2019-08-09 00:00:55 +0000
commit: d4510d05605bc750f39074a2114c8c3bae3731f6
tree: 6756cdeae922225cd118334b9ad8ede287d2a14f /test
parent: 1503c993681a5bb75913325121cd6261cdd28bbd
Address remaining RFC 5280 TODOs in certificate chain verification
This change fixes the remaining TODOs for supporting basic Cast certificate chain verification according to RFC 5280.

Bug: openscreen:58
Change-Id: Ie779b052470b3872b029ce7a8050dbe2cf1240e8
Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/1737531
Reviewed-by: Ryan Keane <rwkeane@google.com>
Reviewed-by: Max Yakimakha <yakimakha@chromium.org>
Commit-Queue: Brandon Tolsch <btolsch@chromium.org>
Diffstat (limited to 'test')
-rw-r--r-- test/data/cast/common/certificate/certificates/README.md 21
-rw-r--r-- test/data/cast/common/certificate/certificates/extensions.conf 13
-rw-r--r-- test/data/cast/common/certificate/certificates/nc.pem 62
-rw-r--r-- test/data/cast/common/certificate/certificates/nc_fail.pem 62
4 files changed, 158 insertions, 0 deletions
diff --git a/test/data/cast/common/certificate/certificates/README.md b/test/data/cast/common/certificate/certificates/README.md
new file mode 100644
index 00000000..6060388d
--- /dev/null
+++ b/test/data/cast/common/certificate/certificates/README.md
@@ -0,0 +1,21 @@
+# Generating Certificates
+
+## Name Constraints Examples
+
+The following commands were used along with `extensions.conf` to generate the
+certificates in `nc.pem` and `nc_fail.pem`.
+
+``` bash
+# Once for each certificate.
+$ openssl genrsa -out keyN.pem 2048
+$ openssl req -new -key keyN.pem -out certN.csr
+
+# <extension> will be v3_ca_nc for the intermediate and v3_req for the device.
+$ openssl x509 -req -in certN.csr -CA certN-1.pem -CAkey keyN-1.pem
+ -CAcreateserial -extensions <extension> -extfile extensions.conf -out
+ certN.pem -days 365 -sha256
+```
+
+Note: it looks like `openssl req` also accepts extensions via `-reqexts` but
+there is a known bug in openssl where extensions are transferred between CSRs
+and X509 certs.
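Review bot: The `openssl x509 -req` command in the fenced block is wrapped over three lines with no trailing backslashes, so anyone pasting it gets the `-CAcreateserial ...` and `certN.pem -days 365 -sha256` lines run as separate commands; end the first two lines with `\` or keep the command on one line. The closing note also reads backwards: it calls it a bug that extensions "are transferred between CSRs and X509 certs", but choosing `-extfile` over `-reqexts` only makes sense if they are not transferred, so the sentence likely wants "are not transferred". It would also help to say how the first certificate in the chain was created, since the commands shown only cover certificates signed by a `certN-1.pem` issuer.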
diff --git a/test/data/cast/common/certificate/certificates/extensions.conf b/test/data/cast/common/certificate/certificates/extensions.conf
new file mode 100644
index 00000000..e536ac6c
--- /dev/null
+++ b/test/data/cast/common/certificate/certificates/extensions.conf
@@ -0,0 +1,13 @@
+[v3_ca_nc]
+basicConstraints=CA:TRUE
+keyUsage=digitalSignature, keyEncipherment, keyCertSign
+nameConstraints=permitted;dirName:dn
+
+[dn]
+C=US
+ST=California
+O=Google Inc
+
+[v3_req]
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature, keyEncipherment
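Review bot: In `[v3_ca_nc]`, neither `basicConstraints=CA:TRUE` nor `nameConstraints=permitted;dirName:dn` is marked critical, while RFC 5280 requires conforming CAs to mark both as critical (sections 4.2.1.9 and 4.2.1.10). If the intermediate is meant to model a conforming CA, use `basicConstraints=critical,CA:TRUE` and `nameConstraints=critical,permitted;dirName:dn`; if the non-critical form is deliberate, say so in the README. The config also only defines a permitted directoryName subtree, so excluded subtrees and other name forms are not exercised by this test data.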
diff --git a/test/data/cast/common/certificate/certificates/nc.pem b/test/data/cast/common/certificate/certificates/nc.pem
new file mode 100644
index 00000000..bee2ae8a
--- /dev/null
+++ b/test/data/cast/common/certificate/certificates/nc.pem
@@ -0,0 +1,62 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
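Review bot: The certificates in this bundle are issued with `-days 365` according to the README added in this change, so any test that validates `nc.pem` against the current clock will start failing a year after the files were generated. Make sure the tests verify at a fixed time inside the validity window, and record that time (or the notBefore/notAfter dates) in the README. The file also gives no indication of the order of its three certificates (device, intermediate, root), which a loader presumably depends on.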
diff --git a/test/data/cast/common/certificate/certificates/nc_fail.pem b/test/data/cast/common/certificate/certificates/nc_fail.pem
new file mode 100644
index 00000000..ef9348db
--- /dev/null
+++ b/test/data/cast/common/certificate/certificates/nc_fail.pem
@@ -0,0 +1,62 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
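Review bot: Nothing in the change says what makes the chain in `nc_fail.pem` fail: the README gives the same commands for both files and `extensions.conf` has a single `[dn]` section. Document which certificate's subject falls outside the permitted `C=US`, `ST=California`, `O=Google Inc` subtree, and what subject was entered at the `openssl req` prompt, so a reader can confirm the test fails on name constraints rather than on an unrelated error such as expiry or a bad signature.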