Make the host name verification conform to rfc6125

Full IP support
Add suppport for partial wildcards in hostnames

BUG=62973
TEST=X509CertificateNameVerifyTest.VerifyHostname

(Reverted commit: http://src.chromium.org/viewvc/chrome?view=rev&revision=92006)

Review URL: http://codereview.chromium.org/7218011

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@92121 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 13 insertions, 9 deletions

diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h
index 62b51c3..8e560980 100644
--- a/net/base/x509_certificate.h
+++ b/net/base/x509_certificate.h
@@ -342,7 +342,7 @@ class NET_API X509Certificate
   //
   // WARNING:  This function may return false negatives (for example, if
   //           |hostname| is an IP address literal) on some platforms.  Only
-  //           use in cases where some false-positives are acceptible.
+  //           use in cases where some false-negatives are acceptable.
   bool VerifyNameMatch(const std::string& hostname) const;
 
   // This method returns the DER encoded certificate.
@@ -410,15 +410,19 @@ class NET_API X509Certificate
   // (all zero) fingerprint on failure.
   static SHA1Fingerprint CalculateFingerprint(OSCertHandle cert_handle);
 
-  // Verifies that |hostname| matches one of the names in |cert_names|, based on
-  // TLS name matching rules, specifically following http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4.4.3
-  // The members of |cert_names| must have been extracted from the Subject CN or
-  // SAN fields of a certificate.
-  // WARNING:  This function may return false negatives (for example, if
-  //           |hostname| is an IP address literal) on some platforms.  Only
-  //           use in cases where some false-negatives are acceptible.
+  // Verifies that |hostname| matches one of the certificate names or IP
+  // addresses supplied, based on TLS name matching rules - specifically,
+  // following http://tools.ietf.org/html/rfc6125.
+  // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject().
+  // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled
+  // from the dNSName and iPAddress components of the subject alternative name
+  // extension, if present. Note these IP addresses are NOT ascii-encoded:
+  // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6
+  // addresses, respectively.
   static bool VerifyHostname(const std::string& hostname,
-                             const std::vector<std::string>& cert_names);
+                             const std::string& cert_common_name,
+                             const std::vector<std::string>& cert_san_dns_names,
+                             const std::vector<std::string>& cert_san_ip_addrs);
 
   // Performs the platform-dependent part of the Verify() method, verifiying
   // this certificate against the platform's root CA certificates.