Mac: Make client-cert picker only show certs the server will accept.

net/base/x509_cert_types.h

+// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.

[wtc, 2010/03/24 23:52:05]

Nit: the copyright notice should just say 2010.  If you like
a range of years better, it should start in 2007 because none
of the code in this file existed before the summer of 2007.

+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_BASE_X509_TYPES_H_
+#define NET_BASE_X509_TYPES_H_
+
+#include <string.h>
+
+#include <iostream>
+#include <map>
+#include <set>
+#include <string>
+#include <vector>
+
+#include "base/ref_counted.h"
+#include "base/singleton.h"
+#include "base/time.h"
+#include "testing/gtest/include/gtest/gtest_prod.h"
+
+#if defined(OS_WIN)
+#include <windows.h>
+#include <wincrypt.h>
+#elif defined(OS_MACOSX)
+#include <Security/x509defs.h>
+#elif defined(USE_NSS)
+// Forward declaration; real one in <cert.h>
+struct CERTCertificateStr;
+#endif
+
+namespace net {
+
+  class X509Certificate;

[wtc, 2010/03/24 23:52:05]

Nit: don't indent the contents of a namespace.

http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Namespace_Form...

+
+  // SHA-1 fingerprint (160 bits) of a certificate.
+  struct SHA1Fingerprint {
+    bool Equals(const SHA1Fingerprint& other) const {
+      return memcmp(data, other.data, sizeof(data)) == 0;
+    }
+
+    unsigned char data[20];
+  };
+
+  class SHA1FingerprintLessThan
+      : public std::binary_function<SHA1Fingerprint, SHA1Fingerprint, bool> {
+   public:
+    bool operator() (const SHA1Fingerprint& lhs, const SHA1Fingerprint& rhs) const;
+  };
+
+  // Principal represent an X.509 principal.

[wtc, 2010/03/24 23:52:05]

Nit: let's change this comment to:

  // CertPrincipal represents the issuer or subject field of an X.509
certificate.

+  struct CertPrincipal {
+    CertPrincipal() { }
+    explicit CertPrincipal(const std::string& name) : common_name(name) { }
+
+    // Parses a BER-format X.509 DistinguishedName.

[wtc, 2010/03/24 23:52:05]

Nit: remove "X.509" because DistinguishedName comes from X.500.

Similarly remove "x509_" from the input parameter's name.

+    bool ParseDistinguishedName(const void* x509_name_data, size_t length);
+
+#if defined(OS_MACOSX)
+    // Parses a CSSM_X509_NAME struct.
+    void Parse(const CSSM_X509_NAME* name);
+#endif
+
+    // Returns true if all non-empty components of |against| match the
+    // corresponding components of the receiver, where "match" is defined

[wtc, 2010/03/24 23:52:05]

Nit: receiver => object?

I still think we should just do a binary comparison, because
our CertPrincipal type does not have all the possible members.
RFC 5280 page 21 lists the following attribute types:

      * country,
      * organization,
      * organizational unit,
      * distinguished name qualifier,
      * state or province name,
      * common name (e.g., "Susan Housley"), and
      * serial number.
and
      * locality,
      * title,
      * surname,
      * given name,
      * initials,
      * pseudonym, and
      * generation qualifier (e.g., "Jr.", "3rd", or "IV").

Some of them don't apply to CA certificates, but you can
see that our CertPrincipal type is missing distinguished
name qualifier and serial number.

+    // in RFC 5280 sec. 7.1.
+    bool Matches(const CertPrincipal& against) const;
+
+    // The different attributes for a principal.  They may be "".
+    // Note that some of them can have several values.
+
+    std::string common_name;
+    std::string locality_name;
+    std::string state_or_province_name;
+    std::string country_name;
+
+    std::vector<std::string> street_addresses;
+    std::vector<std::string> organization_names;
+    std::vector<std::string> organization_unit_names;
+    std::vector<std::string> domain_components;
+  };
+
+  // Writes a human-readable description of a Principal, for debugging.

[wtc, 2010/03/24 23:52:05]

Nit: Principal => CertPrincipal

+  std::ostream& operator<<(std::ostream& s, const CertPrincipal& p);
+
+  // This class is useful for maintaining policies about which certificates are
+  // permitted or forbidden for a particular purpose.
+  class CertPolicy {
+   public:
+    // The judgments this policy can reach.
+    enum Judgment {
+      // We don't have policy information for this certificate.
+      UNKNOWN,
+
+      // This certificate is allowed.
+      ALLOWED,
+
+      // This certificate is denied.
+      DENIED,
+    };
+
+    // Returns the judgment this policy makes about this certificate.
+    Judgment Check(X509Certificate* cert) const;
+
+    // Causes the policy to allow this certificate.
+    void Allow(X509Certificate* cert);
+
+    // Causes the policy to deny this certificate.
+    void Deny(X509Certificate* cert);
+
+    // Returns true if this policy has allowed at least one certificate.
+    bool HasAllowedCert() const;
+
+    // Returns true if this policy has denied at least one certificate.
+    bool HasDeniedCert() const;
+
+   private:
+    // The set of fingerprints of allowed certificates.
+    std::set<SHA1Fingerprint, SHA1FingerprintLessThan> allowed_;
+
+    // The set of fingerprints of denied certificates.
+    std::set<SHA1Fingerprint, SHA1FingerprintLessThan> denied_;
+  };
+
+#if defined(OS_MACOSX)
+  // Compares two OIDs by value.
+  inline bool CSSMOIDEqual(const CSSM_OID* oid1, const CSSM_OID* oid2) {
+    return oid1->Length == oid2->Length &&
+    (memcmp(oid1->Data, oid2->Data, oid1->Length) == 0);
+  }
+#endif
+
+}  // namespace net
+
+#endif  // NET_BASE_X509_TYPES_H_