authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-16 23:56:53 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-16 23:56:53 +0000
commit6454e352e6e65d4dc3f462f0edfd1d9d3cda3c9b (patch)
tree0d360cfe987e81421a3bac6eed3c92fd42759618 /net/cert/cert_verify_proc_nss.cc
parent978b2fa912f7acd65b5496fedee51a166aecd974 (diff)
Normalize certificate name verification across all platforms
This brings Linux/ChromeOS, iOS, and Windows in line with the Android/OS X implementations by using Chromium's internal RFC 6125 name validation routines, rather than the platform-specific routines. In particular, this adds support for iPAddress subjectAltName matching on Windows, ignores trailing dots for dNSNames, and on Windows, removes support for matching against non-IDNA commonNames when no subjectAltName is present. BUG=72726, 91072 R=wtc@chromium.org Review URL: https://chromiumcodereview.appspot.com/22893021 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@218121 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/cert_verify_proc_nss.cc')
-rw-r--r--net/cert/cert_verify_proc_nss.cc9
1 files changed, 4 insertions, 5 deletions
diff --git a/net/cert/cert_verify_proc_nss.cc b/net/cert/cert_verify_proc_nss.cc
index f63297e..0a0743c 100644
--- a/net/cert/cert_verify_proc_nss.cc
+++ b/net/cert/cert_verify_proc_nss.cc
@@ -764,8 +764,7 @@ int CertVerifyProcNSS::VerifyInternal(
#endif // defined(OS_IOS)
// Make sure that the hostname matches with the common name of the cert.
- SECStatus status = CERT_VerifyCertName(cert_handle, hostname.c_str());
- if (status != SECSuccess)
+ if (!cert->VerifyNameMatch(hostname))
verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID;
// Make sure that the cert is valid now.
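Review bot: The comment kept above the new `cert->VerifyNameMatch(hostname)` call still says the hostname is matched against the common name, which no longer describes the check. Per the commit description the call goes through Chromium's RFC 6125 routines, which match subjectAltName dNSName and iPAddress entries and presumably consult the commonName only when no subjectAltName is present. I would reword it to `// Make sure that the hostname matches a name in the cert (RFC 6125 rules; subjectAltName takes precedence over commonName).` so that someone auditing this path does not assume CN-only matching. A mismatch here only ORs `CERT_STATUS_COMMON_NAME_INVALID` into `cert_status` and verification carries on; the code that turns that bit into a failing result lies outside the hunk, as do the start and end of `VerifyInternal`.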
@@ -805,9 +804,9 @@ int CertVerifyProcNSS::VerifyInternal(
CertificateListToCERTCertList(additional_trust_anchors));
}
- status = PKIXVerifyCert(cert_handle, check_revocation, false,
- cert_io_enabled, NULL, 0, trust_anchors.get(),
- cvout);
+ SECStatus status = PKIXVerifyCert(cert_handle, check_revocation, false,
+ cert_io_enabled, NULL, 0,
+ trust_anchors.get(), cvout);
if (status == SECSuccess &&
(flags & CertVerifier::VERIFY_REV_CHECKING_REQUIRED_LOCAL_ANCHORS) &&