author | digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-01-11 16:37:00 +0000 |
---|---|---|
committer | digit@chromium.org <digit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-01-11 16:37:00 +0000 |
commit | 70edb1a9dd77c18b8eb1b70c2d8dd99c578d9491 (patch) | |
tree | 53ab1cffb1a0b781d98cc6ee7cdd856a7bc3f222 /net/base | |
parent | ea1d5f036926ae0c19f98daf211c5076ee50f5c3 (diff) | |
Add X509Certificate::IsIssuedByEncoded()
This new method is used to ensure that a given client certificate
is issued by one of the CA names listed by the server, as they appear
in the SSL Handshake "Certificate Request" message.
The patch also adds two new X509CertificateTest unit tests,
moves existing hard-coded DN tables to net/base/test_certificate_data.h to
share them between multiple test sources, and adds a
few new DN tables too.
R=rsleevi@chromium.org,wtc@chromium.org,agl@chromium.org
BUG=134418
NOTRY=true
Review URL: https://chromiumcodereview.appspot.com/11579002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@176371 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base')
-rw-r--r-- | net/base/test_certificate_data.h | 371 | ||||
-rw-r--r-- | net/base/x509_cert_types_unittest.cc | 206 | ||||
-rw-r--r-- | net/base/x509_certificate.h | 4 | ||||
-rw-r--r-- | net/base/x509_certificate_ios.cc | 15 | ||||
-rw-r--r-- | net/base/x509_certificate_mac.cc | 40 | ||||
-rw-r--r-- | net/base/x509_certificate_nss.cc | 21 | ||||
-rw-r--r-- | net/base/x509_certificate_openssl.cc | 57 | ||||
-rw-r--r-- | net/base/x509_certificate_unittest.cc | 100 | ||||
-rw-r--r-- | net/base/x509_certificate_win.cc | 41 | ||||
-rw-r--r-- | net/base/x509_util_ios.cc | 6 | ||||
-rw-r--r-- | net/base/x509_util_ios.h | 1 | ||||
-rw-r--r-- | net/base/x509_util_nss.cc | 66 | ||||
-rw-r--r-- | net/base/x509_util_nss.h | 22 |
13 files changed, 744 insertions, 206 deletions
diff --git a/net/base/test_certificate_data.h b/net/base/test_certificate_data.h index 0479867..edbbc36 100644 --- a/net/base/test_certificate_data.h +++ b/net/base/test_certificate_data.h 
@@ -469,4 +469,375 @@ unsigned char VARIABLE_IS_NOT_USED paypal_null_der[] = { 0x23, 0x82, 0x6f, 0xdb, 0xb8, 0x22, 0x1c, 0x43, 0x96, 0x07, 0xa8, 0xbb }; +// DER-encoded X.509 DistinguishedNames. +// +// To output the subject or issuer of a certificate: +// +// openssl asn1parse -i -inform DER -in <cert> +// +// The output will contain +// SEQUENCE [This is the issuer name] +// ... +// SEQUENCE [This is the validity period] +// UTCTIME (or GENERALTIME) +// UTCTIME +// SEQUENCE [This is the subject] +// ... +// +// The OFFSET is the first column before the column, e.g. for '21:d=2', the +// offset is 21 for the SEQUENCE you're interested in. +// The LENGTH is 'hl + l'. +// +// To generate the table, then use the following for a DER-encoded +// certificate: +// +// xxd -i -s $OFFSET -l $LENGTH <cert> +// +// For PEM certificates, convert them to DER before, as in: +// +// openssl x509 -inform PEM -outform DER -in <cert> | +// xxd -i -s $OFFSET -l $LENGTH +// + +// 0:d=0 hl=2 l= 95 cons: SEQUENCE +// 2:d=1 hl=2 l= 11 cons: SET +// 4:d=2 hl=2 l= 9 cons: SEQUENCE +// 6:d=3 hl=2 l= 3 prim: OBJECT :countryName +// 11:d=3 hl=2 l= 2 prim: PRINTABLESTRING :US +// 15:d=1 hl=2 l= 23 cons: SET +// 17:d=2 hl=2 l= 21 cons: SEQUENCE +// 19:d=3 hl=2 l= 3 prim: OBJECT :organizationName +// 24:d=3 hl=2 l= 14 prim: PRINTABLESTRING :VeriSign, Inc. 
+// 40:d=1 hl=2 l= 55 cons: SET +// 42:d=2 hl=2 l= 53 cons: SEQUENCE +// 44:d=3 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 49:d=3 hl=2 l= 46 prim: PRINTABLESTRING : +// Class 1 Public Primary Certification Authority +const uint8 VARIABLE_IS_NOT_USED VerisignDN[] = { + 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x13, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, + 0x49, 0x6e, 0x63, 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, + 0x0b, 0x13, 0x2e, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x20, 0x31, 0x20, 0x50, + 0x75, 0x62, 0x6c, 0x69, 0x63, 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, + 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, + 0x79 +}; + +// 0:d=0 hl=2 l= 125 cons: SEQUENCE +// 2:d=1 hl=2 l= 11 cons: SET +// 4:d=2 hl=2 l= 9 cons: SEQUENCE +// 6:d=3 hl=2 l= 3 prim: OBJECT :countryName +// 11:d=3 hl=2 l= 2 prim: PRINTABLESTRING :IL +// 15:d=1 hl=2 l= 22 cons: SET +// 17:d=2 hl=2 l= 20 cons: SEQUENCE +// 19:d=3 hl=2 l= 3 prim: OBJECT :organizationName +// 24:d=3 hl=2 l= 13 prim: PRINTABLESTRING :StartCom Ltd. 
+// 39:d=1 hl=2 l= 43 cons: SET +// 41:d=2 hl=2 l= 41 cons: SEQUENCE +// 43:d=3 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 48:d=3 hl=2 l= 34 prim: PRINTABLESTRING : +// Secure Digital Certificate Signing +// 84:d=1 hl=2 l= 41 cons: SET +// 86:d=2 hl=2 l= 39 cons: SEQUENCE +// 88:d=3 hl=2 l= 3 prim: OBJECT :commonName +// 93:d=3 hl=2 l= 32 prim: PRINTABLESTRING : +// StartCom Certification Authority +const uint8 VARIABLE_IS_NOT_USED StartComDN[] = { + 0x30, 0x7d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x49, 0x4c, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x13, 0x0d, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6f, 0x6d, 0x20, 0x4c, + 0x74, 0x64, 0x2e, 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x13, 0x22, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x69, 0x67, + 0x69, 0x74, 0x61, 0x6c, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, + 0x63, 0x61, 0x74, 0x65, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, + 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x20, 0x53, + 0x74, 0x61, 0x72, 0x74, 0x43, 0x6f, 0x6d, 0x20, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79 +}; + +// 0:d=0 hl=3 l= 174 cons: SEQUENCE +// 3:d=1 hl=2 l= 11 cons: SET +// 5:d=2 hl=2 l= 9 cons: SEQUENCE +// 7:d=3 hl=2 l= 3 prim: OBJECT :countryName +// 12:d=3 hl=2 l= 2 prim: PRINTABLESTRING :US +// 16:d=1 hl=2 l= 11 cons: SET +// 18:d=2 hl=2 l= 9 cons: SEQUENCE +// 20:d=3 hl=2 l= 3 prim: OBJECT :stateOrProvinceName +// 25:d=3 hl=2 l= 2 prim: PRINTABLESTRING :UT +// 29:d=1 hl=2 l= 23 cons: SET +// 31:d=2 hl=2 l= 21 cons: SEQUENCE +// 33:d=3 hl=2 l= 3 prim: OBJECT :localityName +// 38:d=3 hl=2 l= 14 prim: PRINTABLESTRING :Salt Lake City +// 54:d=1 hl=2 l= 30 cons: SET +// 56:d=2 hl=2 l= 28 cons: SEQUENCE +// 58:d=3 hl=2 l= 3 prim: OBJECT :organizationName +// 63:d=3 hl=2 l= 21 prim: PRINTABLESTRING :The USERTRUST Network +// 86:d=1 hl=2 l= 
33 cons: SET +// 88:d=2 hl=2 l= 31 cons: SEQUENCE +// 90:d=3 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 95:d=3 hl=2 l= 24 prim: PRINTABLESTRING :http://www.usertrust.com +//121:d=1 hl=2 l= 54 cons: SET +//123:d=2 hl=2 l= 52 cons: SEQUENCE +//125:d=3 hl=2 l= 3 prim: OBJECT :commonName +//130:d=3 hl=2 l= 45 prim: PRINTABLESTRING : +// UTN-USERFirst-Client Authentication and Email +const uint8 VARIABLE_IS_NOT_USED UserTrustDN[] = { + 0x30, 0x81, 0xae, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x13, 0x02, 0x55, 0x54, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, + 0x04, 0x07, 0x13, 0x0e, 0x53, 0x61, 0x6c, 0x74, 0x20, 0x4c, 0x61, 0x6b, + 0x65, 0x20, 0x43, 0x69, 0x74, 0x79, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, + 0x55, 0x04, 0x0a, 0x13, 0x15, 0x54, 0x68, 0x65, 0x20, 0x55, 0x53, 0x45, + 0x52, 0x54, 0x52, 0x55, 0x53, 0x54, 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, + 0x72, 0x6b, 0x31, 0x21, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, + 0x18, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, + 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x63, 0x6f, + 0x6d, 0x31, 0x36, 0x30, 0x34, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2d, + 0x55, 0x54, 0x4e, 0x2d, 0x55, 0x53, 0x45, 0x52, 0x46, 0x69, 0x72, 0x73, + 0x74, 0x2d, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x41, 0x75, 0x74, + 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, + 0x61, 0x6e, 0x64, 0x20, 0x45, 0x6d, 0x61, 0x69, 0x6c +}; + +// 0:d=0 hl=3 l= 190 cons: SEQUENCE +// 3:d=1 hl=2 l= 63 cons: SET +// 5:d=2 hl=2 l= 61 cons: SEQUENCE +// 7:d=3 hl=2 l= 3 prim: OBJECT :commonName +// 12:d=3 hl=2 l= 54 prim: UTF8STRING : +// TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı +// 68:d=1 hl=2 l= 11 cons: SET +// 70:d=2 hl=2 l= 9 cons: SEQUENCE +// 72:d=3 hl=2 l= 3 prim: OBJECT :countryName +// 77:d=3 hl=2 l= 2 prim: PRINTABLESTRING :TR +// 81:d=1 hl=2 l= 15 cons: SET +// 83:d=2 hl=2 l= 13 
cons: SEQUENCE +// 85:d=3 hl=2 l= 3 prim: OBJECT :localityName +// 90:d=3 hl=2 l= 6 prim: UTF8STRING :Ankara +// 98:d=1 hl=2 l= 93 cons: SET +//100:d=2 hl=2 l= 91 cons: SEQUENCE +//102:d=3 hl=2 l= 3 prim: OBJECT :organizationName +//107:d=3 hl=2 l= 84 prim: UTF8STRING : +// TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. +// (c) Kasım 2005 +const uint8 VARIABLE_IS_NOT_USED TurkTrustDN[] = { + 0x30, 0x81, 0xbe, 0x31, 0x3f, 0x30, 0x3d, 0x06, 0x03, 0x55, 0x04, 0x03, + 0x0c, 0x36, 0x54, 0xc3, 0x9c, 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54, + 0x20, 0x45, 0x6c, 0x65, 0x6b, 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x6b, 0x20, + 0x53, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x6b, 0x61, 0x20, 0x48, 0x69, + 0x7a, 0x6d, 0x65, 0x74, 0x20, 0x53, 0x61, 0xc4, 0x9f, 0x6c, 0x61, 0x79, + 0xc4, 0xb1, 0x63, 0xc4, 0xb1, 0x73, 0xc4, 0xb1, 0x31, 0x0b, 0x30, 0x09, + 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x54, 0x52, 0x31, 0x0f, 0x30, + 0x0d, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, 0x06, 0x41, 0x6e, 0x6b, 0x61, + 0x72, 0x61, 0x31, 0x5d, 0x30, 0x5b, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, + 0x54, 0x54, 0xc3, 0x9c, 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54, 0x20, + 0x42, 0x69, 0x6c, 0x67, 0x69, 0x20, 0xc4, 0xb0, 0x6c, 0x65, 0x74, 0x69, + 0xc5, 0x9f, 0x69, 0x6d, 0x20, 0x76, 0x65, 0x20, 0x42, 0x69, 0x6c, 0x69, + 0xc5, 0x9f, 0x69, 0x6d, 0x20, 0x47, 0xc3, 0xbc, 0x76, 0x65, 0x6e, 0x6c, + 0x69, 0xc4, 0x9f, 0x69, 0x20, 0x48, 0x69, 0x7a, 0x6d, 0x65, 0x74, 0x6c, + 0x65, 0x72, 0x69, 0x20, 0x41, 0x2e, 0xc5, 0x9e, 0x2e, 0x20, 0x28, 0x63, + 0x29, 0x20, 0x4b, 0x61, 0x73, 0xc4, 0xb1, 0x6d, 0x20, 0x32, 0x30, 0x30, + 0x35, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x35, 0x31, 0x31, 0x30, 0x37, 0x31, + 0x30, 0x30, 0x37, 0x35, 0x37 +}; + +// 33:d=2 hl=3 l= 207 cons: SEQUENCE +// 36:d=3 hl=2 l= 11 cons: SET +// 38:d=4 hl=2 l= 9 cons: SEQUENCE +// 40:d=5 hl=2 l= 3 prim: OBJECT :countryName +// 45:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AT +// 49:d=3 hl=3 l= 139 cons: SET +// 52:d=4 hl=3 l= 136 cons: SEQUENCE +// 55:d=5 hl=2 l= 3 
prim: OBJECT :organizationName +// 60:d=5 hl=3 l= 128 prim: BMPSTRING : +// A-Trust Ges. für Sicherheitssysteme im elektr. Datenverkehr GmbH +//191:d=3 hl=2 l= 24 cons: SET +//193:d=4 hl=2 l= 22 cons: SEQUENCE +//195:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName +//200:d=5 hl=2 l= 15 prim: PRINTABLESTRING :A-Trust-Qual-01 +//217:d=3 hl=2 l= 24 cons: SET +//219:d=4 hl=2 l= 22 cons: SEQUENCE +//221:d=5 hl=2 l= 3 prim: OBJECT :commonName +//226:d=5 hl=2 l= 15 prim: PRINTABLESTRING :A-Trust-Qual-01 +const uint8 VARIABLE_IS_NOT_USED ATrustQual01DN[] = { + 0x30, 0x81, 0xcf, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x41, 0x54, 0x31, 0x81, 0x8b, 0x30, 0x81, 0x88, 0x06, 0x03, + 0x55, 0x04, 0x0a, 0x1e, 0x81, 0x80, 0x00, 0x41, 0x00, 0x2d, 0x00, 0x54, + 0x00, 0x72, 0x00, 0x75, 0x00, 0x73, 0x00, 0x74, 0x00, 0x20, 0x00, 0x47, + 0x00, 0x65, 0x00, 0x73, 0x00, 0x2e, 0x00, 0x20, 0x00, 0x66, 0x00, 0xfc, + 0x00, 0x72, 0x00, 0x20, 0x00, 0x53, 0x00, 0x69, 0x00, 0x63, 0x00, 0x68, + 0x00, 0x65, 0x00, 0x72, 0x00, 0x68, 0x00, 0x65, 0x00, 0x69, 0x00, 0x74, + 0x00, 0x73, 0x00, 0x73, 0x00, 0x79, 0x00, 0x73, 0x00, 0x74, 0x00, 0x65, + 0x00, 0x6d, 0x00, 0x65, 0x00, 0x20, 0x00, 0x69, 0x00, 0x6d, 0x00, 0x20, + 0x00, 0x65, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x6b, 0x00, 0x74, 0x00, 0x72, + 0x00, 0x2e, 0x00, 0x20, 0x00, 0x44, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, + 0x00, 0x6e, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6b, 0x00, 0x65, + 0x00, 0x68, 0x00, 0x72, 0x00, 0x20, 0x00, 0x47, 0x00, 0x6d, 0x00, 0x62, + 0x00, 0x48, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, + 0x0f, 0x41, 0x2d, 0x54, 0x72, 0x75, 0x73, 0x74, 0x2d, 0x51, 0x75, 0x61, + 0x6c, 0x2d, 0x30, 0x31, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, + 0x03, 0x13, 0x0f, 0x41, 0x2d, 0x54, 0x72, 0x75, 0x73, 0x74, 0x2d, 0x51, + 0x75, 0x61, 0x6c, 0x2d, 0x30, 0x31, 0x30, 0x1e, 0x17 +}; + +// 34:d=2 hl=3 l= 180 cons: SEQUENCE +// 37:d=3 hl=2 l= 20 cons: SET +// 39:d=4 hl=2 l= 18 cons: SEQUENCE +// 41:d=5 
hl=2 l= 3 prim: OBJECT :organizationName +// 46:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Entrust.net +// 59:d=3 hl=2 l= 64 cons: SET +// 61:d=4 hl=2 l= 62 cons: SEQUENCE +// 63:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 68:d=5 hl=2 l= 55 prim: T61STRING : +// www.entrust.net/CPS_2048 incorp. by ref. (limits liab.) +//125:d=3 hl=2 l= 37 cons: SET +//127:d=4 hl=2 l= 35 cons: SEQUENCE +//129:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName +//134:d=5 hl=2 l= 28 prim: PRINTABLESTRING : +// (c) 1999 Entrust.net Limited +//164:d=3 hl=2 l= 51 cons: SET +//166:d=4 hl=2 l= 49 cons: SEQUENCE +//168:d=5 hl=2 l= 3 prim: OBJECT :commonName +//173:d=5 hl=2 l= 42 prim: PRINTABLESTRING : +// Entrust.net Certification Authority (2048) +const uint8 VARIABLE_IS_NOT_USED EntrustDN[] = { + 0x30, 0x81, 0xb4, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x13, 0x0b, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, + 0x74, 0x31, 0x40, 0x30, 0x3e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x14, 0x37, + 0x77, 0x77, 0x77, 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, + 0x6e, 0x65, 0x74, 0x2f, 0x43, 0x50, 0x53, 0x5f, 0x32, 0x30, 0x34, 0x38, + 0x20, 0x69, 0x6e, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x20, 0x62, 0x79, 0x20, + 0x72, 0x65, 0x66, 0x2e, 0x20, 0x28, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x73, + 0x20, 0x6c, 0x69, 0x61, 0x62, 0x2e, 0x29, 0x31, 0x25, 0x30, 0x23, 0x06, + 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1c, 0x28, 0x63, 0x29, 0x20, 0x31, 0x39, + 0x39, 0x39, 0x20, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, + 0x65, 0x74, 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, 0x31, 0x33, + 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2a, 0x45, 0x6e, 0x74, + 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x20, 0x43, 0x65, 0x72, + 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, + 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x28, 0x32, 0x30, + 0x34, 0x38, 0x29 +}; + +// 46:d=2 hl=2 l= 76 cons: SEQUENCE +// 48:d=3 hl=2 l= 11 cons: SET +// 
50:d=4 hl=2 l= 9 cons: SEQUENCE +// 52:d=5 hl=2 l= 3 prim: OBJECT :countryName +// 57:d=5 hl=2 l= 2 prim: PRINTABLESTRING :ZA +// 61:d=3 hl=2 l= 37 cons: SET +// 63:d=4 hl=2 l= 35 cons: SEQUENCE +// 65:d=5 hl=2 l= 3 prim: OBJECT :organizationName +// 70:d=5 hl=2 l= 28 prim: PRINTABLESTRING : +// Thawte Consulting (Pty) Ltd. +// 100:d=3 hl=2 l= 22 cons: SET +// 102:d=4 hl=2 l= 20 cons: SEQUENCE +// 104:d=5 hl=2 l= 3 prim: OBJECT :commonName +// 109:d=5 hl=2 l= 13 prim: PRINTABLESTRING :Thawte SGC CA +const uint8 VARIABLE_IS_NOT_USED ThawteDN[] = { + 0x30, 0x4C, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x5A, 0x41, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0A, + 0x13, 0x1C, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x43, 0x6F, 0x6E, + 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x20, 0x28, 0x50, 0x74, 0x79, + 0x29, 0x20, 0x4C, 0x74, 0x64, 0x2E, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, + 0x55, 0x04, 0x03, 0x13, 0x0D, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, + 0x53, 0x47, 0x43, 0x20, 0x43, 0x41 +}; + +// 47:d=2 hl=2 l= 108 cons: SEQUENCE +// 49:d=3 hl=2 l= 11 cons: SET +// 51:d=4 hl=2 l= 9 cons: SEQUENCE +// 53:d=5 hl=2 l= 3 prim: OBJECT :countryName +// 58:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US +// 62:d=3 hl=2 l= 22 cons: SET +// 64:d=4 hl=2 l= 20 cons: SEQUENCE +// 66:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName +// 71:d=5 hl=2 l= 13 prim: PRINTABLESTRING :Massachusetts +// 86:d=3 hl=2 l= 46 cons: SET +// 88:d=4 hl=2 l= 44 cons: SEQUENCE +// 90:d=5 hl=2 l= 3 prim: OBJECT :organizationName +// 95:d=5 hl=2 l= 37 prim: PRINTABLESTRING : +// Massachusetts Institute of Technology +// 134:d=3 hl=2 l= 21 cons: SET +// 136:d=4 hl=2 l= 19 cons: SEQUENCE +// 138:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 143:d=5 hl=2 l= 12 prim: PRINTABLESTRING :Client CA v1 +const uint8 VARIABLE_IS_NOT_USED MITDN[] = { + 0x30, 0x6C, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 
0x55, 0x04, 0x08, + 0x13, 0x0D, 0x4D, 0x61, 0x73, 0x73, 0x61, 0x63, 0x68, 0x75, 0x73, 0x65, + 0x74, 0x74, 0x73, 0x31, 0x2E, 0x30, 0x2C, 0x06, 0x03, 0x55, 0x04, 0x0A, + 0x13, 0x25, 0x4D, 0x61, 0x73, 0x73, 0x61, 0x63, 0x68, 0x75, 0x73, 0x65, + 0x74, 0x74, 0x73, 0x20, 0x49, 0x6E, 0x73, 0x74, 0x69, 0x74, 0x75, 0x74, + 0x65, 0x20, 0x6F, 0x66, 0x20, 0x54, 0x65, 0x63, 0x68, 0x6E, 0x6F, 0x6C, + 0x6F, 0x67, 0x79, 0x31, 0x15, 0x30, 0x13, 0x06, 0x03, 0x55, 0x04, 0x0B, + 0x13, 0x0C, 0x43, 0x6C, 0x69, 0x65, 0x6E, 0x74, 0x20, 0x43, 0x41, 0x20, + 0x76, 0x31 +}; + +// 31:d=2 hl=2 l= 91 cons: SEQUENCE +// 33:d=3 hl=2 l= 11 cons: SET +// 35:d=4 hl=2 l= 9 cons: SEQUENCE +// 37:d=5 hl=2 l= 3 prim: OBJECT :countryName +// 42:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US +// 46:d=3 hl=2 l= 24 cons: SET +// 48:d=4 hl=2 l= 22 cons: SEQUENCE +// 50:d=5 hl=2 l= 3 prim: OBJECT :organizationName +// 55:d=5 hl=2 l= 15 prim: PRINTABLESTRING :U.S. Government +// 72:d=3 hl=2 l= 12 cons: SET +// 74:d=4 hl=2 l= 10 cons: SEQUENCE +// 76:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 81:d=5 hl=2 l= 3 prim: PRINTABLESTRING :DoD +// 86:d=3 hl=2 l= 12 cons: SET +// 88:d=4 hl=2 l= 10 cons: SEQUENCE +// 90:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 95:d=5 hl=2 l= 3 prim: PRINTABLESTRING :PKI +// 100:d=3 hl=2 l= 22 cons: SET +// 102:d=4 hl=2 l= 20 cons: SEQUENCE +// 104:d=5 hl=2 l= 3 prim: OBJECT :commonName +// 109:d=5 hl=2 l= 13 prim: PRINTABLESTRING :DoD Root CA 2 +const uint8 VARIABLE_IS_NOT_USED DodRootCA2DN[] = { + 0x30, 0x5b, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x13, 0x0f, 0x55, 0x2e, 0x53, 0x2e, 0x20, 0x47, 0x6f, 0x76, 0x65, 0x72, + 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x13, 0x03, 0x44, 0x6f, 0x44, 0x31, 0x0c, 0x30, 0x0a, 0x06, + 0x03, 0x55, 0x04, 0x0b, 0x13, 0x03, 0x50, 0x4b, 0x49, 0x31, 0x16, 0x30, + 0x14, 0x06, 0x03, 0x55, 0x04, 0x03, 
0x13, 0x0d, 0x44, 0x6f, 0x44, 0x20, + 0x52, 0x6f, 0x6f, 0x74, 0x20, 0x43, 0x41, 0x20, 0x32 +}; + +// 33:d=2 hl=2 l= 87 cons: SEQUENCE +// 35:d=3 hl=2 l= 11 cons: SET +// 37:d=4 hl=2 l= 9 cons: SEQUENCE +// 39:d=5 hl=2 l= 3 prim: OBJECT :countryName +// 44:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US +// 48:d=3 hl=2 l= 24 cons: SET +// 50:d=4 hl=2 l= 22 cons: SEQUENCE +// 52:d=5 hl=2 l= 3 prim: OBJECT :organizationName +// 57:d=5 hl=2 l= 15 prim: PRINTABLESTRING :U.S. Government +// 74:d=3 hl=2 l= 12 cons: SET +// 76:d=4 hl=2 l= 10 cons: SEQUENCE +// 78:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 83:d=5 hl=2 l= 3 prim: PRINTABLESTRING :DoD +// 88:d=3 hl=2 l= 12 cons: SET +// 90:d=4 hl=2 l= 10 cons: SEQUENCE +// 92:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName +// 97:d=5 hl=2 l= 3 prim: PRINTABLESTRING :PKI +// 102:d=3 hl=2 l= 18 cons: SET +// 104:d=4 hl=2 l= 16 cons: SEQUENCE +// 106:d=5 hl=2 l= 3 prim: OBJECT :commonName +// 111:d=5 hl=2 l= 9 prim: PRINTABLESTRING :DOD CA-17 +const uint8 VARIABLE_IS_NOT_USED DodCA17DN[] = { + 0x30, 0x57, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, + 0x02, 0x55, 0x53, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0a, + 0x13, 0x0f, 0x55, 0x2e, 0x53, 0x2e, 0x20, 0x47, 0x6f, 0x76, 0x65, 0x72, + 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x31, 0x0c, 0x30, 0x0a, 0x06, 0x03, 0x55, + 0x04, 0x0b, 0x13, 0x03, 0x44, 0x6f, 0x44, 0x31, 0x0c, 0x30, 0x0a, 0x06, + 0x03, 0x55, 0x04, 0x0b, 0x13, 0x03, 0x50, 0x4b, 0x49, 0x31, 0x12, 0x30, + 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x09, 0x44, 0x4f, 0x44, 0x20, + 0x43, 0x41, 0x2d, 0x31, 0x37 +}; + } // namespace diff --git a/net/base/x509_cert_types_unittest.cc b/net/base/x509_cert_types_unittest.cc index af1b65b..5e66267 100644 --- a/net/base/x509_cert_types_unittest.cc +++ b/net/base/x509_cert_types_unittest.cc 
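Review bot: Two of the moved tables run past the end of the DistinguishedName they are documented as holding: ATrustQual01DN's own comment says `hl=3 l= 207` (210 bytes) but the array has 213, the trailing `0x30, 0x1e, 0x17` being the start of the certificate's validity SEQUENCE, and TurkTrustDN's comment says `hl=3 l= 190` (193 bytes) but the array has 209, ending in a 16-byte run beginning `0x30, 0x1e, 0x17, 0x0d, 0x30, 0x35` that is the validity SEQUENCE and UTCTime header. Because IsIssuedByEncoded compares the issuer DER byte-for-byte against these values, a test built on either table cannot match any certificate, so both arrays should be trimmed to the lengths their asn1parse comments give. The same bytes were present in the copies removed from x509_cert_types_unittest.cc, so this is pre-existing rather than introduced here. Separately, the header comment `The OFFSET is the first column before the column` presumably means "before the colon".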
@@ -3,214 +3,10 @@ // found in the LICENSE file. #include "base/basictypes.h" +#include "net/base/test_certificate_data.h" #include "net/base/x509_cert_types.h" #include "testing/gtest/include/gtest/gtest.h" -// 0:d=0 hl=2 l= 95 cons: SEQUENCE -// 2:d=1 hl=2 l= 11 cons: SET -// 4:d=2 hl=2 l= 9 cons: SEQUENCE -// 6:d=3 hl=2 l= 3 prim: OBJECT :countryName -// 11:d=3 hl=2 l= 2 prim: PRINTABLESTRING :US -// 15:d=1 hl=2 l= 23 cons: SET -// 17:d=2 hl=2 l= 21 cons: SEQUENCE -// 19:d=3 hl=2 l= 3 prim: OBJECT :organizationName -// 24:d=3 hl=2 l= 14 prim: PRINTABLESTRING :VeriSign, Inc. -// 40:d=1 hl=2 l= 55 cons: SET -// 42:d=2 hl=2 l= 53 cons: SEQUENCE -// 44:d=3 hl=2 l= 3 prim: OBJECT :organizationalUnitName -// 49:d=3 hl=2 l= 46 prim: PRINTABLESTRING :Class 1 Public Primary Certification Authority -static const uint8 VerisignDN[] = { - 0x30, 0x5f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0e, - 0x56, 0x65, 0x72, 0x69, 0x53, 0x69, 0x67, 0x6e, 0x2c, 0x20, 0x49, 0x6e, 0x63, - 0x2e, 0x31, 0x37, 0x30, 0x35, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x2e, 0x43, - 0x6c, 0x61, 0x73, 0x73, 0x20, 0x31, 0x20, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, - 0x20, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, - 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79 -}; - -// 0:d=0 hl=2 l= 125 cons: SEQUENCE -// 2:d=1 hl=2 l= 11 cons: SET -// 4:d=2 hl=2 l= 9 cons: SEQUENCE -// 6:d=3 hl=2 l= 3 prim: OBJECT :countryName -// 11:d=3 hl=2 l= 2 prim: PRINTABLESTRING :IL -// 15:d=1 hl=2 l= 22 cons: SET -// 17:d=2 hl=2 l= 20 cons: SEQUENCE -// 19:d=3 hl=2 l= 3 prim: OBJECT :organizationName -// 24:d=3 hl=2 l= 13 prim: PRINTABLESTRING :StartCom Ltd. 
-// 39:d=1 hl=2 l= 43 cons: SET -// 41:d=2 hl=2 l= 41 cons: SEQUENCE -// 43:d=3 hl=2 l= 3 prim: OBJECT :organizationalUnitName -// 48:d=3 hl=2 l= 34 prim: PRINTABLESTRING :Secure Digital Certificate Signing -// 84:d=1 hl=2 l= 41 cons: SET -// 86:d=2 hl=2 l= 39 cons: SEQUENCE -// 88:d=3 hl=2 l= 3 prim: OBJECT :commonName -// 93:d=3 hl=2 l= 32 prim: PRINTABLESTRING :StartCom Certification Authority -static const uint8 StartComDN[] = { - 0x30, 0x7d, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x49, 0x4c, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0d, - 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6f, 0x6d, 0x20, 0x4c, 0x74, 0x64, 0x2e, - 0x31, 0x2b, 0x30, 0x29, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x22, 0x53, 0x65, - 0x63, 0x75, 0x72, 0x65, 0x20, 0x44, 0x69, 0x67, 0x69, 0x74, 0x61, 0x6c, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x53, - 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, - 0x04, 0x03, 0x13, 0x20, 0x53, 0x74, 0x61, 0x72, 0x74, 0x43, 0x6f, 0x6d, 0x20, - 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79 -}; - -// 0:d=0 hl=3 l= 174 cons: SEQUENCE -// 3:d=1 hl=2 l= 11 cons: SET -// 5:d=2 hl=2 l= 9 cons: SEQUENCE -// 7:d=3 hl=2 l= 3 prim: OBJECT :countryName -// 12:d=3 hl=2 l= 2 prim: PRINTABLESTRING :US -// 16:d=1 hl=2 l= 11 cons: SET -// 18:d=2 hl=2 l= 9 cons: SEQUENCE -// 20:d=3 hl=2 l= 3 prim: OBJECT :stateOrProvinceName -// 25:d=3 hl=2 l= 2 prim: PRINTABLESTRING :UT -// 29:d=1 hl=2 l= 23 cons: SET -// 31:d=2 hl=2 l= 21 cons: SEQUENCE -// 33:d=3 hl=2 l= 3 prim: OBJECT :localityName -// 38:d=3 hl=2 l= 14 prim: PRINTABLESTRING :Salt Lake City -// 54:d=1 hl=2 l= 30 cons: SET -// 56:d=2 hl=2 l= 28 cons: SEQUENCE -// 58:d=3 hl=2 l= 3 prim: OBJECT :organizationName -// 63:d=3 hl=2 l= 21 prim: PRINTABLESTRING :The USERTRUST Network -// 86:d=1 hl=2 l= 33 cons: SET -// 88:d=2 
hl=2 l= 31 cons: SEQUENCE -// 90:d=3 hl=2 l= 3 prim: OBJECT :organizationalUnitName -// 95:d=3 hl=2 l= 24 prim: PRINTABLESTRING :http://www.usertrust.com -//121:d=1 hl=2 l= 54 cons: SET -//123:d=2 hl=2 l= 52 cons: SEQUENCE -//125:d=3 hl=2 l= 3 prim: OBJECT :commonName -//130:d=3 hl=2 l= 45 prim: PRINTABLESTRING :UTN-USERFirst-Client Authentication and Email -static const uint8 UserTrustDN[] = { - 0x30, 0x81, 0xae, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x55, 0x53, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x08, 0x13, - 0x02, 0x55, 0x54, 0x31, 0x17, 0x30, 0x15, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, - 0x0e, 0x53, 0x61, 0x6c, 0x74, 0x20, 0x4c, 0x61, 0x6b, 0x65, 0x20, 0x43, 0x69, - 0x74, 0x79, 0x31, 0x1e, 0x30, 0x1c, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x15, - 0x54, 0x68, 0x65, 0x20, 0x55, 0x53, 0x45, 0x52, 0x54, 0x52, 0x55, 0x53, 0x54, - 0x20, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x31, 0x21, 0x30, 0x1f, 0x06, - 0x03, 0x55, 0x04, 0x0b, 0x13, 0x18, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, - 0x77, 0x77, 0x77, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x74, 0x72, 0x75, 0x73, 0x74, - 0x2e, 0x63, 0x6f, 0x6d, 0x31, 0x36, 0x30, 0x34, 0x06, 0x03, 0x55, 0x04, 0x03, - 0x13, 0x2d, 0x55, 0x54, 0x4e, 0x2d, 0x55, 0x53, 0x45, 0x52, 0x46, 0x69, 0x72, - 0x73, 0x74, 0x2d, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x20, 0x41, 0x75, 0x74, - 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61, - 0x6e, 0x64, 0x20, 0x45, 0x6d, 0x61, 0x69, 0x6c -}; - -// 0:d=0 hl=3 l= 190 cons: SEQUENCE -// 3:d=1 hl=2 l= 63 cons: SET -// 5:d=2 hl=2 l= 61 cons: SEQUENCE -// 7:d=3 hl=2 l= 3 prim: OBJECT :commonName -// 12:d=3 hl=2 l= 54 prim: UTF8STRING :TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -// 68:d=1 hl=2 l= 11 cons: SET -// 70:d=2 hl=2 l= 9 cons: SEQUENCE -// 72:d=3 hl=2 l= 3 prim: OBJECT :countryName -// 77:d=3 hl=2 l= 2 prim: PRINTABLESTRING :TR -// 81:d=1 hl=2 l= 15 cons: SET -// 83:d=2 hl=2 l= 13 cons: SEQUENCE -// 85:d=3 hl=2 l= 3 prim: OBJECT 
:localityName -// 90:d=3 hl=2 l= 6 prim: UTF8STRING :Ankara -// 98:d=1 hl=2 l= 93 cons: SET -//100:d=2 hl=2 l= 91 cons: SEQUENCE -//102:d=3 hl=2 l= 3 prim: OBJECT :organizationName -//107:d=3 hl=2 l= 84 prim: UTF8STRING :TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005 -static const uint8 TurkTrustDN[] = { - 0x30, 0x81, 0xbe, 0x31, 0x3f, 0x30, 0x3d, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, - 0x36, 0x54, 0xc3, 0x9c, 0x52, 0x4b, 0x54, 0x52, 0x55, 0x53, 0x54, 0x20, 0x45, - 0x6c, 0x65, 0x6b, 0x74, 0x72, 0x6f, 0x6e, 0x69, 0x6b, 0x20, 0x53, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x6b, 0x61, 0x20, 0x48, 0x69, 0x7a, 0x6d, 0x65, 0x74, - 0x20, 0x53, 0x61, 0xc4, 0x9f, 0x6c, 0x61, 0x79, 0xc4, 0xb1, 0x63, 0xc4, 0xb1, - 0x73, 0xc4, 0xb1, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x54, 0x52, 0x31, 0x0f, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0c, - 0x06, 0x41, 0x6e, 0x6b, 0x61, 0x72, 0x61, 0x31, 0x5d, 0x30, 0x5b, 0x06, 0x03, - 0x55, 0x04, 0x0a, 0x0c, 0x54, 0x54, 0xc3, 0x9c, 0x52, 0x4b, 0x54, 0x52, 0x55, - 0x53, 0x54, 0x20, 0x42, 0x69, 0x6c, 0x67, 0x69, 0x20, 0xc4, 0xb0, 0x6c, 0x65, - 0x74, 0x69, 0xc5, 0x9f, 0x69, 0x6d, 0x20, 0x76, 0x65, 0x20, 0x42, 0x69, 0x6c, - 0x69, 0xc5, 0x9f, 0x69, 0x6d, 0x20, 0x47, 0xc3, 0xbc, 0x76, 0x65, 0x6e, 0x6c, - 0x69, 0xc4, 0x9f, 0x69, 0x20, 0x48, 0x69, 0x7a, 0x6d, 0x65, 0x74, 0x6c, 0x65, - 0x72, 0x69, 0x20, 0x41, 0x2e, 0xc5, 0x9e, 0x2e, 0x20, 0x28, 0x63, 0x29, 0x20, - 0x4b, 0x61, 0x73, 0xc4, 0xb1, 0x6d, 0x20, 0x32, 0x30, 0x30, 0x35, 0x30, 0x1e, - 0x17, 0x0d, 0x30, 0x35, 0x31, 0x31, 0x30, 0x37, 0x31, 0x30, 0x30, 0x37, 0x35, - 0x37 -}; - -// 33:d=2 hl=3 l= 207 cons: SEQUENCE -// 36:d=3 hl=2 l= 11 cons: SET -// 38:d=4 hl=2 l= 9 cons: SEQUENCE -// 40:d=5 hl=2 l= 3 prim: OBJECT :countryName -// 45:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AT -// 49:d=3 hl=3 l= 139 cons: SET -// 52:d=4 hl=3 l= 136 cons: SEQUENCE -// 55:d=5 hl=2 l= 3 prim: OBJECT :organizationName -// 60:d=5 hl=3 l= 128 prim: BMPSTRING :A-Trust 
Ges. für Sicherheitssysteme im elektr. Datenverkehr GmbH -//191:d=3 hl=2 l= 24 cons: SET -//193:d=4 hl=2 l= 22 cons: SEQUENCE -//195:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName -//200:d=5 hl=2 l= 15 prim: PRINTABLESTRING :A-Trust-Qual-01 -//217:d=3 hl=2 l= 24 cons: SET -//219:d=4 hl=2 l= 22 cons: SEQUENCE -//221:d=5 hl=2 l= 3 prim: OBJECT :commonName -//226:d=5 hl=2 l= 15 prim: PRINTABLESTRING :A-Trust-Qual-01 -static const uint8 ATrustQual01DN[] = { - 0x30, 0x81, 0xcf, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, - 0x02, 0x41, 0x54, 0x31, 0x81, 0x8b, 0x30, 0x81, 0x88, 0x06, 0x03, 0x55, 0x04, - 0x0a, 0x1e, 0x81, 0x80, 0x00, 0x41, 0x00, 0x2d, 0x00, 0x54, 0x00, 0x72, 0x00, - 0x75, 0x00, 0x73, 0x00, 0x74, 0x00, 0x20, 0x00, 0x47, 0x00, 0x65, 0x00, 0x73, - 0x00, 0x2e, 0x00, 0x20, 0x00, 0x66, 0x00, 0xfc, 0x00, 0x72, 0x00, 0x20, 0x00, - 0x53, 0x00, 0x69, 0x00, 0x63, 0x00, 0x68, 0x00, 0x65, 0x00, 0x72, 0x00, 0x68, - 0x00, 0x65, 0x00, 0x69, 0x00, 0x74, 0x00, 0x73, 0x00, 0x73, 0x00, 0x79, 0x00, - 0x73, 0x00, 0x74, 0x00, 0x65, 0x00, 0x6d, 0x00, 0x65, 0x00, 0x20, 0x00, 0x69, - 0x00, 0x6d, 0x00, 0x20, 0x00, 0x65, 0x00, 0x6c, 0x00, 0x65, 0x00, 0x6b, 0x00, - 0x74, 0x00, 0x72, 0x00, 0x2e, 0x00, 0x20, 0x00, 0x44, 0x00, 0x61, 0x00, 0x74, - 0x00, 0x65, 0x00, 0x6e, 0x00, 0x76, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6b, 0x00, - 0x65, 0x00, 0x68, 0x00, 0x72, 0x00, 0x20, 0x00, 0x47, 0x00, 0x6d, 0x00, 0x62, - 0x00, 0x48, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x0f, - 0x41, 0x2d, 0x54, 0x72, 0x75, 0x73, 0x74, 0x2d, 0x51, 0x75, 0x61, 0x6c, 0x2d, - 0x30, 0x31, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0f, - 0x41, 0x2d, 0x54, 0x72, 0x75, 0x73, 0x74, 0x2d, 0x51, 0x75, 0x61, 0x6c, 0x2d, - 0x30, 0x31, 0x30, 0x1e, 0x17 -}; - -// 34:d=2 hl=3 l= 180 cons: SEQUENCE -// 37:d=3 hl=2 l= 20 cons: SET -// 39:d=4 hl=2 l= 18 cons: SEQUENCE -// 41:d=5 hl=2 l= 3 prim: OBJECT :organizationName -// 46:d=5 hl=2 l= 11 prim: PRINTABLESTRING :Entrust.net -// 
59:d=3 hl=2 l= 64 cons: SET -// 61:d=4 hl=2 l= 62 cons: SEQUENCE -// 63:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName -// 68:d=5 hl=2 l= 55 prim: T61STRING :www.entrust.net/CPS_2048 incorp. by ref. (limits liab.) -//125:d=3 hl=2 l= 37 cons: SET -//127:d=4 hl=2 l= 35 cons: SEQUENCE -//129:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName -//134:d=5 hl=2 l= 28 prim: PRINTABLESTRING :(c) 1999 Entrust.net Limited -//164:d=3 hl=2 l= 51 cons: SET -//166:d=4 hl=2 l= 49 cons: SEQUENCE -//168:d=5 hl=2 l= 3 prim: OBJECT :commonName -//173:d=5 hl=2 l= 42 prim: PRINTABLESTRING :Entrust.net Certification Authority (2048) -static const uint8 EntrustDN[] = { - 0x30, 0x81, 0xb4, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0b, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x31, - 0x40, 0x30, 0x3e, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x14, 0x37, 0x77, 0x77, 0x77, - 0x2e, 0x65, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x2f, - 0x43, 0x50, 0x53, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x20, 0x69, 0x6e, 0x63, 0x6f, - 0x72, 0x70, 0x2e, 0x20, 0x62, 0x79, 0x20, 0x72, 0x65, 0x66, 0x2e, 0x20, 0x28, - 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x73, 0x20, 0x6c, 0x69, 0x61, 0x62, 0x2e, 0x29, - 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0b, 0x13, 0x1c, 0x28, 0x63, - 0x29, 0x20, 0x31, 0x39, 0x39, 0x39, 0x20, 0x45, 0x6e, 0x74, 0x72, 0x75, 0x73, - 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x20, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x65, 0x64, - 0x31, 0x33, 0x30, 0x31, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x2a, 0x45, 0x6e, - 0x74, 0x72, 0x75, 0x73, 0x74, 0x2e, 0x6e, 0x65, 0x74, 0x20, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x41, 0x75, - 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x20, 0x28, 0x32, 0x30, 0x34, 0x38, - 0x29 -}; - namespace net { #if defined(OS_MACOSX) diff --git a/net/base/x509_certificate.h b/net/base/x509_certificate.h index c8ba0bf..1bd6a4b 100644 --- a/net/base/x509_certificate.h +++ b/net/base/x509_certificate.h 
@@ -304,6 +304,10 @@ class NET_EXPORT X509Certificate
 CFArrayRef CreateOSCertChainForCert() const;
 #endif
+ // Do any of the given issuer names appear in this cert's chain of trust?
+ // |valid_issuers| is a list of DER-encoded X.509 DistinguishedNames.
+ bool IsIssuedByEncoded(const std::vector<std::string>& valid_issuers);
+
 #if defined(OS_WIN)
 // Returns a new PCCERT_CONTEXT containing this certificate and its
 // intermediate certificates, or NULL on failure. The returned
diff --git a/net/base/x509_certificate_ios.cc b/net/base/x509_certificate_ios.cc
index 0286203..91ae799 100644
--- a/net/base/x509_certificate_ios.cc
+++ b/net/base/x509_certificate_ios.cc
@@ -69,6 +69,21 @@ void X509Certificate::Initialize() {
 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
 }
+bool X509Certificate::IsIssuedByEncoded(
+ const std::vector<std::string>& valid_issuers) {
+ x509_util_ios::NSSCertChain nss_chain(this);
+ // Convert to scoped CERTName* list.
+ std::vector<CERTName*> issuers;
+ crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+ if (!x509_util::GetIssuersFromEncodedList(valid_issuers,
+ arena.get(),
+ &issuers)) {
+ return false;
+ }
+ return x509_util::IsCertificateIssuedBy(
+ nss_chain.cert_chain(), issuers);
+}
+
 // static
 X509Certificate* X509Certificate::CreateSelfSigned(
 crypto::RSAPrivateKey* key,
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 709b2cd..f4aaf92 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -18,6 +18,7 @@
 #include "base/memory/singleton.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
+#include "base/string_piece.h"
 #include "base/synchronization/lock.h"
 #include "base/sys_string_conversions.h"
 #include "crypto/cssm_init.h"
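Review bot: The new comment on `IsIssuedByEncoded` promises more than the implementations deliver: every platform body compares only the issuer name of this certificate and of each entry in `intermediate_ca_certs_` against the supplied DNs, with no signature or path validation, so a certificate that merely names one of the DNs as its issuer passes. I would replace the two comment lines with `// Returns true if the issuer name of this certificate, or of any of its intermediate CA certificates, matches one of |valid_issuers|, a list of DER-encoded X.509 DistinguishedNames. Only names are compared and the chain is not verified.` The comparison itself is also platform-defined — a byte-for-byte `StringPiece` compare on Mac and `CertCompareCertificateName` on Windows, but `CERT_CompareName` on NSS and `X509_NAME_cmp` on OpenSSL, which as far as I know may tolerate encoding differences — so the comment should add that callers must not rely on any normalization. Since the method reads only `cert_handle_` and `intermediate_ca_certs_` it could be declared `const`, like `CreateOSCertChainForCert() const` just above it, unless `x509_util_ios::NSSCertChain`'s constructor really requires a non-const `this`.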
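Review bot: The comment `// Convert to scoped CERTName* list.` misdescribes the ownership: `issuers` is a vector of raw pointers, and the `CERTName` objects behind them are allocated in `arena` by `CreateCertNameFromEncoded` (x509_util_nss.cc in this same change), so they live exactly as long as `arena` does. I would write `// Decode the DNs into CERTName objects owned by |arena|; |issuers| only borrows them.` The x509_certificate_nss.cc hunk carries the same wording (`// Get certificate chain as scoped list of CERTCertificate objects.`, `// Convert encoded issuers to scoped CERTName* list.`) and, apart from how the chain vector is assembled, the same body; a shared helper in x509_util taking the chain vector and `valid_issuers` would remove the duplication.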
@@ -46,6 +47,32 @@ void GetCertDistinguishedName(
 distinguished_name.field()->Length);
 }
+bool IsCertIssuerInEncodedList(X509Certificate::OSCertHandle cert_handle,
+ const std::vector<std::string>& issuers) {
+ x509_util::CSSMCachedCertificate cached_cert;
+ if (cached_cert.Init(cert_handle) != CSSM_OK)
+ return false;
+
+ x509_util::CSSMFieldValue distinguished_name;
+ OSStatus status = cached_cert.GetField(&CSSMOID_X509V1IssuerNameStd,
+ &distinguished_name);
+ if (status || !distinguished_name.field())
+ return false;
+
+ base::StringPiece name_piece(
+ reinterpret_cast<const char*>(distinguished_name.field()->Data),
+ static_cast<size_t>(distinguished_name.field()->Length));
+
+ for (std::vector<std::string>::const_iterator it = issuers.begin();
+ it != issuers.end(); ++it) {
+ base::StringPiece issuer_piece(*it);
+ if (name_piece == issuer_piece)
+ return true;
+ }
+
+ return false;
+}
+
 void GetCertDateForOID(const x509_util::CSSMCachedCertificate& cached_cert,
 const CSSM_OID* oid,
 Time* result) {
@@ -333,6 +360,19 @@ void X509Certificate::Initialize() {
 ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
 }
+bool X509Certificate::IsIssuedByEncoded(
+ const std::vector<std::string>& valid_issuers) {
+ if (IsCertIssuerInEncodedList(cert_handle_, valid_issuers))
+ return true;
+
+ for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
+ it != intermediate_ca_certs_.end(); ++it) {
+ if (IsCertIssuerInEncodedList(*it, valid_issuers))
+ return true;
+ }
+ return false;
+}
+
 // static
 X509Certificate* X509Certificate::CreateSelfSigned(
 crypto::RSAPrivateKey* key,
diff --git a/net/base/x509_certificate_nss.cc b/net/base/x509_certificate_nss.cc
index 54d2197..2fe571d 100644
--- a/net/base/x509_certificate_nss.cc
+++ b/net/base/x509_certificate_nss.cc
@@ -10,6 +10,7 @@
 #include <nss.h>
 #include <pk11pub.h>
 #include <prtime.h>
+#include <seccomon.h>
 #include <secder.h>
 #include <sechash.h>
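Review bot: `IsCertIssuerInEncodedList` is the only new helper in this change without a function comment, and it is where the matching semantics are fixed: `name_piece == issuer_piece` compares the DER issuer name byte-for-byte with each entry, so a DN that differs only in string type or encoding will not match. I would document that above the function: `// Returns true if |cert_handle|'s DER-encoded issuer name is byte-identical to one of the DER-encoded DistinguishedNames in |issuers|. No canonicalization is applied.` The Windows helper `IsCertNameBlobInIssuerList` in this same change got a three-line comment of exactly that kind, so the two files would then read consistently.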
@@ -19,6 +20,7 @@
 #include "base/time.h"
 #include "crypto/nss_util.h"
 #include "crypto/rsa_private_key.h"
+#include "crypto/scoped_nss_types.h"
 #include "net/base/x509_util_nss.h"
 namespace net {
@@ -154,6 +156,25 @@ bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {
 return CERT_VerifyCertName(cert_handle_, hostname.c_str()) == SECSuccess;
 }
+bool X509Certificate::IsIssuedByEncoded(
+ const std::vector<std::string>& valid_issuers) {
+ // Get certificate chain as scoped list of CERTCertificate objects.
+ std::vector<CERTCertificate*> cert_chain;
+ cert_chain.push_back(cert_handle_);
+ for (size_t n = 0; n < intermediate_ca_certs_.size(); ++n) {
+ cert_chain.push_back(intermediate_ca_certs_[n]);
+ }
+ // Convert encoded issuers to scoped CERTName* list.
+ std::vector<CERTName*> issuers;
+ crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+ if (!x509_util::GetIssuersFromEncodedList(valid_issuers,
+ arena.get(),
+ &issuers)) {
+ return false;
+ }
+ return x509_util::IsCertificateIssuedBy(cert_chain, issuers);
+}
+
 // static
 bool X509Certificate::GetDEREncoded(X509Certificate::OSCertHandle cert_handle,
 std::string* encoded) {
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index 55c11ac..13f645a 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -233,6 +233,11 @@ bool GetDERAndCacheIfNeeded(X509Certificate::OSCertHandle cert,
 return true;
 }
+// Used to free a list of X509_NAMEs and the objects it points to.
+void sk_X509_NAME_free_all(STACK_OF(X509_NAME)* sk) {
+ sk_X509_NAME_pop_free(sk, X509_NAME_free);
+}
+
 } // namespace
 // static
@@ -471,4 +476,56 @@ void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
 }
 }
+bool X509Certificate::IsIssuedByEncoded(
+ const std::vector<std::string>& valid_issuers) {
+ if (valid_issuers.empty())
+ return false;
+
+ // Convert to a temporary list of X509_NAME objects.
+ // It will own the objects it points to.
+ crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all>
+ issuer_names(sk_X509_NAME_new_null());
+ if (!issuer_names.get())
+ return false;
+
+ for (std::vector<std::string>::const_iterator it = valid_issuers.begin();
+ it != valid_issuers.end(); ++it) {
+ const unsigned char* p =
+ reinterpret_cast<const unsigned char*>(it->data());
+ long len = static_cast<long>(it->length());
+ X509_NAME* ca_name = d2i_X509_NAME(NULL, &p, len);
+ if (ca_name == NULL)
+ return false;
+ sk_X509_NAME_push(issuer_names.get(), ca_name);
+ }
+
+ // Create a temporary list of X509_NAME objects corresponding
+ // to the certificate chain. It doesn't own the object it points to.
+ std::vector<X509_NAME*> cert_names;
+ X509_NAME* issuer = X509_get_issuer_name(cert_handle_);
+ if (issuer == NULL)
+ return false;
+
+ cert_names.push_back(issuer);
+ for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
+ it != intermediate_ca_certs_.end(); ++it) {
+ issuer = X509_get_issuer_name(*it);
+ if (issuer == NULL)
+ return false;
+ cert_names.push_back(issuer);
+ }
+
+ // and 'cert_names'.
+ for (size_t n = 0; n < cert_names.size(); ++n) {
+ for (int m = 0; m < sk_X509_NAME_num(issuer_names.get()); ++m) {
+ X509_NAME* issuer = sk_X509_NAME_value(issuer_names.get(), m);
+ if (X509_NAME_cmp(issuer, cert_names[n]) == 0) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
 } // namespace net
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 63f51a8..4e6c83a 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
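Review bot: The return value of `sk_X509_NAME_push` is ignored in the first loop; when the push fails the freshly decoded `ca_name` is not owned by `issuer_names` and leaks. In the same loop `d2i_X509_NAME` advances `p` past the structure it decoded but nothing checks that it consumed the whole string, so an entry with trailing bytes after the DN is silently accepted; the rewrite below rejects that and frees `ca_name` on either failure. Two smaller things in the matching loop: the comment `// and 'cert_names'.` has lost its first half (presumably something like `// Look for any name common to 'issuer_names'`), and the inner `X509_NAME* issuer` shadows the `issuer` declared above it — renaming it `candidate` avoids the confusion. The function is complete within the hunk.
```cpp
  for (std::vector<std::string>::const_iterator it = valid_issuers.begin();
       it != valid_issuers.end(); ++it) {
    const unsigned char* p =
        reinterpret_cast<const unsigned char*>(it->data());
    long len = static_cast<long>(it->length());
    const unsigned char* end = p + len;
    X509_NAME* ca_name = d2i_X509_NAME(NULL, &p, len);
    if (ca_name == NULL)
      return false;
    // d2i_X509_NAME moved |p| past what it decoded; anything left over means
    // the entry was not exactly one DER-encoded Name. The stack only owns
    // |ca_name| once the push succeeds, so free it on either failure.
    if (p != end || !sk_X509_NAME_push(issuer_names.get(), ca_name)) {
      X509_NAME_free(ca_name);
      return false;
    }
  }
  // … unchanged: build cert_names from the chain's issuer names and compare …
```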
@@ -731,6 +731,106 @@ TEST(X509CertificateTest, IsIssuedBy) {
 #endif // defined(OS_MACOSX)
 #endif // !defined(OS_IOS)
+TEST(X509CertificateTest, IsIssuedByEncoded) {
+ FilePath certs_dir = GetTestCertsDirectory();
+
+ // Test a client certificate from MIT.
+ scoped_refptr<X509Certificate> mit_davidben_cert(
+ ImportCertFromFile(certs_dir, "mit.davidben.der"));
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), mit_davidben_cert);
+
+ std::string mit_issuer(reinterpret_cast<const char*>(MITDN),
+ sizeof(MITDN));
+
+ // Test a certificate from Google, issued by Thawte
+ scoped_refptr<X509Certificate> google_cert(
+ ImportCertFromFile(certs_dir, "google.single.der"));
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), google_cert);
+
+ std::string thawte_issuer(reinterpret_cast<const char*>(ThawteDN),
+ sizeof(ThawteDN));
+
+ // Check that the David Ben certificate is issued by MIT, but not
+ // by Thawte.
+ std::vector<std::string> issuers;
+ issuers.clear();
+ issuers.push_back(mit_issuer);
+ EXPECT_TRUE(mit_davidben_cert->IsIssuedByEncoded(issuers));
+ EXPECT_FALSE(google_cert->IsIssuedByEncoded(issuers));
+
+ // Check that the Google certificate is issued by Thawte and not
+ // by MIT.
+ issuers.clear();
+ issuers.push_back(thawte_issuer);
+ EXPECT_FALSE(mit_davidben_cert->IsIssuedByEncoded(issuers));
+ EXPECT_TRUE(google_cert->IsIssuedByEncoded(issuers));
+
+ // Check that they both pass when given a list of the two issuers.
+ issuers.clear();
+ issuers.push_back(mit_issuer);
+ issuers.push_back(thawte_issuer);
+ EXPECT_TRUE(mit_davidben_cert->IsIssuedByEncoded(issuers));
+ EXPECT_TRUE(google_cert->IsIssuedByEncoded(issuers));
+}
+
+TEST(X509CertificateTest, IsIssuedByEncodedWithIntermediates) {
+ FilePath certs_dir = GetTestCertsDirectory();
+
+ scoped_refptr<X509Certificate> server_cert =
+ ImportCertFromFile(certs_dir, "www_us_army_mil_cert.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert);
+
+ // The intermediate CA certificate's policyConstraints extension has a
+ // requireExplicitPolicy field with SkipCerts=0.
+ scoped_refptr<X509Certificate> intermediate_cert =
+ ImportCertFromFile(certs_dir, "dod_ca_17_cert.der");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate_cert);
+
+ std::string dod_ca_17_issuer(reinterpret_cast<const char*>(DodCA17DN),
+ sizeof(DodCA17DN));
+
+ scoped_refptr<X509Certificate> root_cert =
+ ImportCertFromFile(certs_dir, "dod_root_ca_2_cert.der");
+
+ std::string dod_root_ca_2_issuer(
+ reinterpret_cast<const char*>(DodRootCA2DN), sizeof(DodRootCA2DN));
+
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(intermediate_cert->os_cert_handle());
+ scoped_refptr<X509Certificate> cert_chain =
+ X509Certificate::CreateFromHandle(server_cert->os_cert_handle(),
+ intermediates);
+
+ std::vector<std::string> issuers;
+
+ // Check that the chain is issued by DOD CA-17.
+ issuers.clear();
+ issuers.push_back(dod_ca_17_issuer);
+ EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
+
+ // Check that the chain is also issued by DoD Root CA 2.
+ issuers.clear();
+ issuers.push_back(dod_root_ca_2_issuer);
+ EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
+
+ // Check that the chain is issued by either one of the two DOD issuers.
+ issuers.clear();
+ issuers.push_back(dod_ca_17_issuer);
+ issuers.push_back(dod_root_ca_2_issuer);
+ EXPECT_TRUE(cert_chain->IsIssuedByEncoded(issuers));
+
+ // Check that an empty issuers list returns false.
+ issuers.clear();
+ EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers));
+
+ // Check that the chain is not issued by MIT
+ std::string mit_issuer(reinterpret_cast<const char*>(MITDN),
+ sizeof(MITDN));
+ issuers.clear();
+ issuers.push_back(mit_issuer);
+ EXPECT_FALSE(cert_chain->IsIssuedByEncoded(issuers));
+}
+
 #if !defined(OS_IOS) // TODO(ios): Unable to create certificates.
 #if defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
 // This test creates a self-signed cert from a private key and then verify the
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index 26ebb57..3dcb2ae 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -122,6 +122,27 @@ X509Certificate::OSCertHandles ParsePKCS7(const char* data, size_t length) {
 return results;
 }
+// Given a CERT_NAME_BLOB, returns true if it appears in a given list,
+// formatted as a vector of strings holding DER-encoded X.509
+// DistinguishedName entries.
+bool IsCertNameBlobInIssuerList(
+ CERT_NAME_BLOB* name_blob,
+ const std::vector<std::string>& issuer_names) {
+ for (std::vector<std::string>::const_iterator it = issuer_names.begin();
+ it != issuer_names.end(); ++it) {
+ CERT_NAME_BLOB issuer_blob;
+ issuer_blob.pbData =
+ reinterpret_cast<BYTE*>(const_cast<char*>(it->data()));
+ issuer_blob.cbData = static_cast<DWORD>(it->length());
+
+ BOOL rb = CertCompareCertificateName(
+ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, &issuer_blob, name_blob);
+ if (rb)
+ return true;
+ }
+ return false;
+}
+
 } // namespace
 void X509Certificate::Initialize() {
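Review bot: In `IsIssuedByEncodedWithIntermediates`, `root_cert` is imported from `dod_root_ca_2_cert.der` but is neither checked for NULL nor used; either drop it, or assert on it and add it to `intermediates` so the test also covers a chain that actually contains the root. The comment about the intermediate's `policyConstraints`/`requireExplicitPolicy` extension reads as copied from a path-validation test and has no bearing on a name comparison; I would replace it with `// DoD CA-17 is issued by DoD Root CA 2 (as the expectations below rely on), so the chain's issuer names are CA-17 for the leaf and Root CA 2 for the intermediate.` That comment would also make explicit what the `dod_root_ca_2_issuer` expectation demonstrates: the match succeeds without the root in the chain because only issuer names are compared. `issuers.clear()` immediately after `std::vector<std::string> issuers;` is a no-op in both tests.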
@@ -462,4 +483,24 @@ void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
 }
 }
+bool X509Certificate::IsIssuedByEncoded(
+ const std::vector<std::string>& valid_issuers) {
+
+ // If the certificate's issuer in the list?
+ if (IsCertNameBlobInIssuerList(&cert_handle_->pCertInfo->Issuer,
+ valid_issuers)) {
+ return true;
+ }
+ // Otherwise, is any of the intermediate CA subjects in the list?
+ for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
+ it != intermediate_ca_certs_.end(); ++it) {
+ if (IsCertNameBlobInIssuerList(&(*it)->pCertInfo->Issuer,
+ valid_issuers)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
 } // namespace net
diff --git a/net/base/x509_util_ios.cc b/net/base/x509_util_ios.cc
index f14ee10..66fc2aa 100644
--- a/net/base/x509_util_ios.cc
+++ b/net/base/x509_util_ios.cc
@@ -12,6 +12,7 @@
 #include "base/mac/scoped_cftyperef.h"
 #include "crypto/nss_util.h"
 #include "net/base/x509_certificate.h"
+#include "net/base/x509_util_nss.h"
 using base::mac::ScopedCFTypeRef;
@@ -132,6 +133,9 @@ CERTCertificate* NSSCertChain::cert_handle() const {
 return certs_.empty() ? NULL : certs_.front();
 }
+const std::vector<CERTCertificate*>& NSSCertChain::cert_chain() const {
+ return certs_;
+}
+
 } // namespace x509_util_ios
 } // namespace net
-
diff --git a/net/base/x509_util_ios.h b/net/base/x509_util_ios.h
index b8aca01..1f242ed 100644
--- a/net/base/x509_util_ios.h
+++ b/net/base/x509_util_ios.h
@@ -61,6 +61,7 @@ class NSSCertChain {
 explicit NSSCertChain(X509Certificate* certificate);
 ~NSSCertChain();
 CERTCertificate* cert_handle() const;
+ const std::vector<CERTCertificate*>& cert_chain() const;
 private:
 std::vector<CERTCertificate*> certs_;
 };
diff --git a/net/base/x509_util_nss.cc b/net/base/x509_util_nss.cc
index c86b9c5..f4c253f 100644
--- a/net/base/x509_util_nss.cc
+++ b/net/base/x509_util_nss.cc
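Review bot: Both comments in the Windows `IsIssuedByEncoded` are off: `// If the certificate's issuer in the list?` is missing its verb, and `// Otherwise, is any of the intermediate CA subjects in the list?` says subjects while the code passes `&(*it)->pCertInfo->Issuer`, i.e. the intermediates' issuer names. I would write `// Is this certificate's issuer name in the list?` and `// Otherwise, is the issuer name of any intermediate CA in the list?`. The blank line directly after the signature can go; the other platform bodies in this change start straight into the code.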
@@ -273,6 +273,37 @@ SECStatus PR_CALLBACK CollectCertsCallback(void* arg,
 return SECSuccess;
 }
+
+typedef scoped_ptr_malloc<
+ CERTName,
+ crypto::NSSDestroyer<CERTName, CERT_DestroyName> > ScopedCERTName;
+
+// Create a new CERTName object from its encoded representation.
+// |arena| is the allocation pool to use.
+// |data| points to a DER-encoded X.509 DistinguishedName.
+// Return a new CERTName pointer on success, or NULL.
+CERTName* CreateCertNameFromEncoded(PLArenaPool* arena,
+ const base::StringPiece& data) {
+ if (!arena)
+ return NULL;
+
+ ScopedCERTName name(PORT_ArenaZNew(arena, CERTName));
+ if (!name.get())
+ return NULL;
+
+ SECItem item;
+ item.len = static_cast<unsigned int>(data.length());
+ item.data = reinterpret_cast<unsigned char*>(
+ const_cast<char*>(data.data()));
+
+ SECStatus rv = SEC_ASN1DecodeItem(
+ arena, name.get(), SEC_ASN1_GET(CERT_NameTemplate), &item);
+ if (rv != SECSuccess)
+ return NULL;
+
+ return name.release();
+}
+
 #endif // defined(USE_NSS) || defined(OS_IOS)
 } // namespace
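Review bot: `ScopedCERTName` pairs `CERT_DestroyName` with a `CERTName` that was obtained from `PORT_ArenaZNew(arena, ...)` and filled by `SEC_ASN1DecodeItem(arena, ...)`, so all of its storage belongs to `arena`. As far as I recall, `CERT_DestroyName` releases the pool recorded in the name's own `arena` member, which this code never sets, so the scoper frees nothing on the early `return NULL` paths — and if it did more than that it would damage the caller's pool. I would drop the typedef and the scoper, use a plain `CERTName* name = PORT_ArenaZNew(arena, CERTName);`, and state the ownership in the function comment: `// The returned name and everything it points to are allocated in |arena| and are released with it; do not free it separately.` The cleanup loop in the `GetIssuersFromEncodedList` hunk below, which also calls `CERT_DestroyName` on these arena-allocated names, has the same issue.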
@@ -527,6 +558,41 @@ void GetPublicKeyInfo(CERTCertificate* handle,
 break;
 }
 }
+
+bool GetIssuersFromEncodedList(
+ const std::vector<std::string>& encoded_issuers,
+ PLArenaPool* arena,
+ std::vector<CERTName*>* out) {
+ std::vector<CERTName*> result;
+ for (size_t n = 0; n < encoded_issuers.size(); ++n) {
+ CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]);
+ if (name != NULL)
+ result.push_back(name);
+ }
+
+ if (result.size() == encoded_issuers.size()) {
+ out->swap(result);
+ return true;
+ }
+
+ for (size_t n = 0; n < result.size(); ++n)
+ CERT_DestroyName(result[n]);
+ return false;
+}
+
+
+bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain,
+ const std::vector<CERTName*>& valid_issuers) {
+ for (size_t n = 0; n < cert_chain.size(); ++n) {
+ CERTName* cert_issuer = &cert_chain[n]->issuer;
+ for (size_t i = 0; i < valid_issuers.size(); ++i) {
+ if (CERT_CompareName(valid_issuers[i], cert_issuer) == SECEqual)
+ return true;
+ }
+ }
+ return false;
+}
+
 #endif // defined(USE_NSS) || defined(OS_IOS)
 } // namespace x509_util
diff --git a/net/base/x509_util_nss.h b/net/base/x509_util_nss.h
index f00c4ab..f40c503 100644
--- a/net/base/x509_util_nss.h
+++ b/net/base/x509_util_nss.h
@@ -15,6 +15,7 @@ class PickleIterator;
 typedef struct CERTCertificateStr CERTCertificate;
 typedef struct CERTNameStr CERTName;
+typedef struct PLArenaPool PLArenaPool;
 typedef struct SECKEYPrivateKeyStr SECKEYPrivateKey;
 typedef struct SECItemStr SECItem;
 typedef struct SECKEYPublicKeyStr SECKEYPublicKey;
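Review bot: `GetIssuersFromEncodedList` keeps decoding after the first entry fails and only notices the failure afterwards through the `result.size() == encoded_issuers.size()` comparison, so a malformed list is parsed to the end before it is rejected; returning on the first NULL is simpler and leaves `out` untouched exactly as the current code does. The trailing `CERT_DestroyName` loop then disappears as well — the names live in `arena`, so there is nothing to release other than the arena itself. The second blank line between the two new functions is a stray. The rewritten body is below.
```cpp
bool GetIssuersFromEncodedList(
    const std::vector<std::string>& encoded_issuers,
    PLArenaPool* arena,
    std::vector<CERTName*>* out) {
  std::vector<CERTName*> result;
  for (size_t n = 0; n < encoded_issuers.size(); ++n) {
    CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]);
    // Fail fast: |out| is not modified, and whatever was already decoded
    // is owned by |arena| and goes away with it.
    if (name == NULL)
      return false;
    result.push_back(name);
  }
  out->swap(result);
  return true;
}
```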
@@ -70,6 +71,27 @@ X509Certificate::OSCertHandle ReadOSCertHandleFromPickle(
 void GetPublicKeyInfo(CERTCertificate* handle,
 size_t* size_bits,
 X509Certificate::PublicKeyType* type);
+
+// Create a list of CERTName objects from a list of DER-encoded X.509
+// DistinguishedName items. All objects are created in a given arena.
+// |encoded_issuers| is the list of encoded DNs.
+// |arena| is the arena used for all allocations.
+// |out| will receive the result list on success.
+// Return true on success. On failure, the caller must free the
+// intermediate CERTName objects pushed to |out|.
+bool GetIssuersFromEncodedList(
+ const std::vector<std::string>& issuers,
+ PLArenaPool* arena,
+ std::vector<CERTName*>* out);
+
+// Returns true iff a certificate is issued by any of the issuers listed
+// by name in |valid_issuers|.
+// |cert_chain| is the certificate's chain.
+// |valid_issuers| is a list of strings, where each string contains
+// a DER-encoded X.509 Distinguished Name.
+bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain,
+ const std::vector<CERTName*>& valid_issuers);
+
 #endif // defined(USE_NSS) || defined(OS_IOS)
 } // namespace x509_util |
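Review bot: The comment block for `GetIssuersFromEncodedList` disagrees with both its declaration and its definition in x509_util_nss.cc: it names the parameter `|encoded_issuers|` while the declaration calls it `issuers`, and it says that on failure the caller must free the CERTName objects pushed to `|out|`, whereas the definition only `swap`s into `out` on success and leaves it untouched otherwise. The `IsCertificateIssuedBy` comment has the mirror-image problem — it describes `|valid_issuers|` as strings holding DER-encoded Distinguished Names, but the parameter is `const std::vector<CERTName*>&`. I would rename the declared parameter to `encoded_issuers` to match the definition, replace the failure sentence with `// Returns true on success; on failure |out| is left unchanged. The names are allocated in |arena| and are released with it.`, and describe the second function's input as `// |valid_issuers| is a list of decoded CERTName objects, e.g. from GetIssuersFromEncodedList().`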