On OS X, when parsing certificates, properly handle non-ASCII/UTF-8 string types.

net/base/x509_certificate_mac.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 #include <time.h>
@@ skipping 240 matching lines @@
     CSSM_CL_CertAbortQuery(cl_handle_, results_handle);
     field->Reset(cl_handle_, oid, field_ptr);
     return CSSM_OK;
   }
 
  private:
   CSSM_CL_HANDLE cl_handle_;
   CSSM_HANDLE cached_cert_handle_;
 };
 
+void GetDistinguishedName(const CSSMCachedCertificate& cached_cert,

[wtc, 2011/12/21 01:10:08]

Nit: GetDistinguishedName => GetCertDistinguishedName ?

+                          const CSSM_OID* oid,
+                          CertPrincipal* result) {
+  CSSMFieldValue distinguished_name;
+  OSStatus status = cached_cert.GetField(oid, &distinguished_name);
+  if (status || !distinguished_name.field())

[wtc, 2011/12/21 01:10:08]

Can distinguished_name.field() be NULL when cached_cert.GetField() succeeds?

[Ryan Sleevi, 2011/12/21 02:14:56]

Judging by the Apple code, it is seen as a possibility.

See the method Certificate::isSelfSigned() in
http://www.opensource.apple.com/source/libsecurity_keychain/libsecurity_keych...

	issuer  = copyFirstFieldValue(CSSMOID_X509V1IssuerNameStd);
	subject = copyFirstFieldValue(CSSMOID_X509V1SubjectNameStd);
	if((issuer == NULL) || (subject == NULL)) {
		ortn = paramErr;
	}

Note that if there are any error returns (status != noErr), it will throw an
exception, so the NULL check seems clearly meant to cover a situation that does
not throw.

In practice, it shouldn't be possible (getFieldSubjectStd of 
http://www.opensource.apple.com/source/libsecurity_apple_x509_cl/libsecurity_...
always returns true as long as you're retrieving the first field value), but I'm
not sure if it's reliable to code against this implementation detail.

+    return;
+  result->ParseDistinguishedName(distinguished_name.field()->Data,
+                                 distinguished_name.field()->Length);
+}
+
 void GetCertDateForOID(const CSSMCachedCertificate& cached_cert,
                        const CSSM_OID* oid,
                        Time* result) {
   *result = Time::Time();
 
   CSSMFieldValue field;
   OSStatus status = cached_cert.GetField(oid, &field);
   if (status)
     return;
 
@@ skipping 399 matching lines @@
 
     SHA1Fingerprint hash;
     CC_SHA1(spki_bytes.data(), spki_bytes.size(), hash.data);
     hashes->push_back(hash);
   }
 }
 
 }  // namespace
 
 void X509Certificate::Initialize() {
-  const CSSM_X509_NAME* name;
-  OSStatus status = SecCertificateGetSubject(cert_handle_, &name);
-  if (!status)
-    subject_.Parse(name);
-
-  status = SecCertificateGetIssuer(cert_handle_, &name);
-  if (!status)
-    issuer_.Parse(name);
-
   CSSMCachedCertificate cached_cert;
   if (cached_cert.Init(cert_handle_) == CSSM_OK) {
+    GetDistinguishedName(cached_cert, &CSSMOID_X509V1SubjectNameStd,
+                         &subject_);
+    GetDistinguishedName(cached_cert, &CSSMOID_X509V1IssuerNameStd,
+                         &issuer_);
     GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotBefore,
                       &valid_start_);
     GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotAfter,
                       &valid_expiry_);
     serial_number_ = GetCertSerialNumber(cached_cert);
   }
 
   fingerprint_ = CalculateFingerprint(cert_handle_);
   ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
 }
@@ skipping 852 matching lines @@
       *type = kPublicKeyTypeDH;
       break;
     default:
       *type = kPublicKeyTypeUnknown;
       *size_bits = 0;
       break;
   }
 }
 
 }  // namespace net