Mac: Make client-cert picker only show certs the server will accept.

net/base/x509_cert_types.cc

Index: net/base/x509_cert_types.cc
diff --git a/net/base/x509_cert_types.cc b/net/base/x509_cert_types.cc
new file mode 100644
index 0000000000000000000000000000000000000000..8fbbb318d5dc3ef581115315c904c226396ba626
--- /dev/null
+++ b/net/base/x509_cert_types.cc
@@ -0,0 +1,111 @@
+// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/x509_cert_types.h"
+
+#include "net/base/x509_certificate.h"
+#include "base/logging.h"
+
+namespace net {
+
+bool match(const std::string &str, const std::string &against) {
+  // TODO(snej): Use the full matching rules specified in RFC 5280 sec. 7.1
+  // including trimming and case-folding: <http://www.ietf.org/rfc/rfc5280.txt>.
+  return against == str;
+}
+
+bool match(const std::vector<std::string> &rdn1,
+           const std::vector<std::string> &rdn2) {
+  // "Two relative distinguished names RDN1 and RDN2 match if they have the
+  // same number of naming attributes and for each naming attribute in RDN1
+  // there is a matching naming attribute in RDN2." --RFC 5280 sec. 7.1.
+  if (rdn1.size() != rdn2.size())
+    return false;
+  for (unsigned i1 = 0; i1 < rdn1.size(); ++i1) {
+    unsigned i2;
+    for (i2 = 0; i2 < rdn2.size(); ++i2)

[wtc, 2010/03/24 23:52:05]

Nit: add curly braces around the for loop's body because
it's too lines.

+      if (match(rdn1[i1], rdn2[i2]))
+          break;
+    if (i2 == rdn2.size())
+      return false;
+  }
+  return true;
+}
+
+
+bool CertPrincipal::Matches(const CertPrincipal& against) const {
+  return match(common_name, against.common_name) &&
+      match(common_name, against.common_name) &&
+      match(locality_name, against.locality_name) &&
+      match(state_or_province_name, against.state_or_province_name) &&
+      match(country_name, against.country_name) &&
+      match(street_addresses, against.street_addresses) &&
+      match(organization_names, against.organization_names) &&
+      match(organization_unit_names, against.organization_unit_names) &&
+      match(domain_components, against.domain_components);
+}
+
+std::ostream& operator<<(std::ostream& s, const CertPrincipal& p) {

[wtc, 2010/03/24 23:52:05]

I seem to recall domainComponent is printed as "dc=".

It would be nice to use standard abbreviations of the
attribute types, but I don't know where they're defined.

[rsleevi-old, 2010/03/25 05:34:11]

Historically, RFC1485 [1] established IANA as the register. That role was
deprecated by RFC4520 [2], by means of referencing the procedures/values
established in RFC 4514 [3] . 

By reference in RFC4514, additional name abbreviations can be found in RFC4519.

The use of the LDAPv3 RFCs as the source for generating a displayable string
from a given distinguishedName is not specified in 5280, but the inclusion of
RFC4518 in Section 7.1. does incorporate some of the string processing rules, as
a means of addressing the internationalization requirements.

To be fair, ITU-R X.520 [5] may also be considered as the authoritative source
of names, by means of the fact that RFC5280 builds on ITU-R X.509. However, as
noted in RFC5280 Section 7.1, the rules for string preparation provided by X.520
are insufficient for the needs of internationalization.

The NSS implementation can be found at [6]

[1] http://tools.ietf.org/html/rfc1485
[2] http://tools.ietf.org/html/rfc4520
[3] http://tools.ietf.org/html/rfc4514
[4] http://tools.ietf.org/html/rfc4519
[5] http://www.itu.int/rec/recommendation.asp?lang=en&parent=T-REC-X.520
[6] http://mxr.mozilla.org/mozilla/source/security/nss/lib/certdb/alg1485.c#57

+  s << "CertPrincipal[";
+  if (!p.common_name.empty())
+    s << "cn=\"" << p.common_name << "\" ";
+  for (unsigned i = 0; i < p.street_addresses.size(); ++i)
+    s << "addr=\"" << p.street_addresses[i] << "\" ";
+  if (!p.locality_name.empty())
+    s << "loc=\"" << p.locality_name << "\" ";
+  for (unsigned i = 0; i < p.organization_names.size(); ++i)
+    s << "o=\"" << p.organization_names[i] << "\" ";
+  for (unsigned i = 0; i < p.organization_unit_names.size(); ++i)
+    s << "ou=\"" << p.organization_unit_names[i] << "\" ";
+  if (!p.state_or_province_name.empty())
+    s << "state=\"" << p.state_or_province_name << "\" ";
+  if (!p.country_name.empty())
+    s << "country=\"" << p.country_name << "\" ";
+  for (unsigned i = 0; i < p.domain_components.size(); ++i)
+    s << "dom=\"" << p.domain_components[i] << "\" ";
+  return s << "]";
+}
+
+X509Certificate::Policy::Judgment X509Certificate::Policy::Check(

[wtc, 2010/03/24 23:52:05]

In the rest of the file, X509Certificate::Policy should
be changed to CertPolicy, right?

+    X509Certificate* cert) const {
+  // It shouldn't matter which set we check first, but we check denied first
+  // in case something strange has happened.
+
+  if (denied_.find(cert->fingerprint()) != denied_.end()) {
+    // DCHECK that the order didn't matter.
+    DCHECK(allowed_.find(cert->fingerprint()) == allowed_.end());
+    return DENIED;
+  }
+
+  if (allowed_.find(cert->fingerprint()) != allowed_.end()) {
+    // DCHECK that the order didn't matter.
+    DCHECK(denied_.find(cert->fingerprint()) == denied_.end());
+    return ALLOWED;
+  }
+
+  // We don't have a policy for this cert.
+  return UNKNOWN;
+}
+
+void X509Certificate::Policy::Allow(X509Certificate* cert) {
+  // Put the cert in the allowed set and (maybe) remove it from the denied set.
+  denied_.erase(cert->fingerprint());
+  allowed_.insert(cert->fingerprint());
+}
+
+void X509Certificate::Policy::Deny(X509Certificate* cert) {
+  // Put the cert in the denied set and (maybe) remove it from the allowed set.
+  allowed_.erase(cert->fingerprint());
+  denied_.insert(cert->fingerprint());
+}
+
+bool X509Certificate::Policy::HasAllowedCert() const {
+  return !allowed_.empty();
+}
+
+bool X509Certificate::Policy::HasDeniedCert() const {
+  return !denied_.empty();
+}
+
+}  // namespace net