Add X509Certificate::VerifyCertName(string) API. This will be used...

net/base/x509_certificate.h

 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_X509_CERTIFICATE_H_
 #define NET_BASE_X509_CERTIFICATE_H_
 #pragma once
 
 #include <string.h>
 
@@ skipping 269 matching lines @@
   // error is returned.
   //
   // |flags| is bitwise OR'd of VerifyFlags.
   // If VERIFY_REV_CHECKING_ENABLED is set in |flags|, certificate revocation
   // checking is performed.  If VERIFY_EV_CERT is set in |flags| too,
   // EV certificate verification is performed.
   int Verify(const std::string& hostname,
              int flags,
              CertVerifyResult* verify_result) const;
 
+  // Verifies that |hostname| matches this certificate.
+  // Does not verify that the certificate is valid, only that the certificate
+  // matches this host.
+  // Returns true if it matches.

[wtc, 2011/03/03 19:38:46]

IMPORTANT: Please document that this function may return false
negatives (for example, if |hostname| is an IP address literal)
on some platforms, so it should only be used when false
negatives are acceptable, until this problem is fixed.

[Mike Belshe, 2011/03/03 23:06:14]

Done.

+  bool VerifyNameMatch(const std::string& hostname) const;
+
   // This method returns the DER encoded certificate.
   // If the return value is true then the DER encoded certificate is available.
   // The content of the DER encoded certificate is written to |encoded|.
   bool GetDEREncoded(std::string* encoded);
 
   OSCertHandle os_cert_handle() const { return cert_handle_; }
 
   // Returns true if two OSCertHandles refer to identical certificates.
   static bool IsSameOSCert(OSCertHandle a, OSCertHandle b);
 
   // Creates an OS certificate handle from the BER-encoded representation.
   // Returns NULL on failure.
   static OSCertHandle CreateOSCertHandleFromBytes(const char* data,
                                                   int length);
 
   // Creates all possible OS certificate handles from |data| encoded in a
   // specific |format|. Returns an empty collection on failure.
   static OSCertHandles CreateOSCertHandlesFromBytes(
       const char* data, int length, Format format);
 
   // Duplicates (or adds a reference to) an OS certificate handle.
   static OSCertHandle DupOSCertHandle(OSCertHandle cert_handle);
 
   // Frees (or releases a reference to) an OS certificate handle.
   static void FreeOSCertHandle(OSCertHandle cert_handle);
 
+  // Verifies that |hostname| matches one of the names in |cert_names|, based on
+  // TLS name matching rules, specifically following http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-09#section-4.4.3
+  // The members of |cert_names| must have been extracted from the Subject CN or
+  // SAN fields of a certificate.

[wtc, 2011/03/03 19:38:46]

Please document the limitation that this does not work for
IP addresses, so |hostname| must not be an IP address literal.

IMPORTANT: can you make this a private method?

[Mike Belshe, 2011/03/03 23:06:14]

Done.

+  static bool VerifyHostname(const std::string& hostname,
+                             const std::vector<std::string>& cert_names);
+
  private:
   friend class base::RefCountedThreadSafe<X509Certificate>;
   friend class TestRootCerts;  // For unit tests
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, Cache);
   FRIEND_TEST_ALL_PREFIXES(X509CertificateTest, IntermediateCertificates);
 
   // Construct an X509Certificate from a handle to the certificate object
   // in the underlying crypto library.
   X509Certificate(OSCertHandle cert_handle, Source source,
                   const OSCertHandles& intermediates);
@@ skipping 49 matching lines @@
 
   // Where the certificate comes from.
   Source source_;
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_BASE_X509_CERTIFICATE_H_