Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(157)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 6612013: Add X509Certificate::VerifyCertName(string) API. This will be used... (Closed)

Created:
9 years, 9 months ago by Mike Belshe
Modified:
9 years, 5 months ago
Reviewers:
wtc
CC:
chromium-reviews, pam+watch_chromium.org, cbentzel+watch_chromium.org, darin-cc_chromium.org, Paweł Hajdan Jr.
Visibility:
Public.

Description

Add X509Certificate::VerifyCertName(string) API. This will be used to check if a name matches a cert without doing a full certificate verify. Use the API provided as part of NSS. For other platforms, provide a default implementation based on GetDNSNames. BUG=none TEST=X509CertificateTest.WebkitCertParsing Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=76824

Patch Set 1 #

Patch Set 2 : '' #

Patch Set 3 : '' #

Total comments: 8

Patch Set 4 : '' #

Unified diffs Side-by-side diffs Delta from patch set Stats (+162 lines, -125 lines) Patch
M net/base/x509_certificate.h View 1 2 3 2 chunks +21 lines, -0 lines 0 comments Download
M net/base/x509_certificate.cc View 1 2 2 chunks +129 lines, -0 lines 0 comments Download
M net/base/x509_certificate_nss.cc View 1 chunk +4 lines, -0 lines 0 comments Download
M net/base/x509_certificate_openssl.cc View 1 2 1 chunk +1 line, -1 line 0 comments Download
M net/base/x509_certificate_unittest.cc View 1 2 3 1 chunk +7 lines, -0 lines 0 comments Download
M net/base/x509_openssl_util.h View 1 2 1 chunk +0 lines, -7 lines 0 comments Download
M net/base/x509_openssl_util.cc View 1 2 3 2 chunks +0 lines, -117 lines 0 comments Download

Messages

Total messages: 4 (0 generated)
Mike Belshe
I think the NSS implementation is good. I also took a stab at a cross-platform ...
9 years, 9 months ago (2011-03-03 08:41:41 UTC) #1
Mike Belshe
Updated to use the openssl VerifyHostname() call. Promoted that function out of x509_openssl_util into x509_certificate. ...
9 years, 9 months ago (2011-03-03 18:11:50 UTC) #2
wtc
LGTM. The USE_NSS case should use CERT_VerifyCertName, which is better than our VerifyHostname function. http://codereview.chromium.org/6612013/diff/12/net/base/x509_certificate.h ...
9 years, 9 months ago (2011-03-03 19:38:46 UTC) #3
Mike Belshe
9 years, 9 months ago (2011-03-03 23:06:14 UTC) #4 
http://codereview.chromium.org/6612013/diff/12/net/base/x509_certificate.h
File net/base/x509_certificate.h (right):

http://codereview.chromium.org/6612013/diff/12/net/base/x509_certificate.h#ne...
net/base/x509_certificate.h:293: // Returns true if it matches.
On 2011/03/03 19:38:46, wtc wrote:
> IMPORTANT: Please document that this function may return false
> negatives (for example, if |hostname| is an IP address literal)
> on some platforms, so it should only be used when false
> negatives are acceptable, until this problem is fixed.

Done.

http://codereview.chromium.org/6612013/diff/12/net/base/x509_certificate.h#ne...
net/base/x509_certificate.h:325: // SAN fields of a certificate.
On 2011/03/03 19:38:46, wtc wrote:
> 
> Please document the limitation that this does not work for
> IP addresses, so |hostname| must not be an IP address literal.
> 
> IMPORTANT: can you make this a private method?

Done.

http://codereview.chromium.org/6612013/diff/12/net/base/x509_certificate_unit...
File net/base/x509_certificate_unittest.cc (right):

http://codereview.chromium.org/6612013/diff/12/net/base/x509_certificate_unit...
net/base/x509_certificate_unittest.cc:300:
EXPECT_TRUE(webkit_cert->VerifyNameMatch("webkit.org"));
On 2011/03/03 19:38:46, wtc wrote:
> 
> IMPORTANT: can you add a test case for "www.foo.webkit.org"?
> It should return false.

Done.

http://codereview.chromium.org/6612013/diff/12/net/base/x509_openssl_util.cc
File net/base/x509_openssl_util.cc (right):

http://codereview.chromium.org/6612013/diff/12/net/base/x509_openssl_util.cc#...
net/base/x509_openssl_util.cc:11: #include "base/string_util.h"
On 2011/03/03 19:38:46, wtc wrote:
> 
> Nit: Remove this header.

Done.

Powered by Google App Engine
This is Rietveld 408576698