On OS X, when parsing certificates, properly handle non-ASCII/UTF-8 string types.

net/base/x509_certificate_mac.cc

Index: net/base/x509_certificate_mac.cc
diff --git a/net/base/x509_certificate_mac.cc b/net/base/x509_certificate_mac.cc
index 333cd821ef9d5158ad94b1c7e4ff78bbd13b1e84..a3734a2a6ee1e6a96c61b9848f3a25cb3a5b3b63 100644
--- a/net/base/x509_certificate_mac.cc
+++ b/net/base/x509_certificate_mac.cc
@@ -258,6 +258,17 @@ class CSSMCachedCertificate {
   CSSM_HANDLE cached_cert_handle_;
 };
 
+void GetDistinguishedName(const CSSMCachedCertificate& cached_cert,

[wtc, 2011/12/21 01:10:08]

Nit: GetDistinguishedName => GetCertDistinguishedName ?

+                          const CSSM_OID* oid,
+                          CertPrincipal* result) {
+  CSSMFieldValue distinguished_name;
+  OSStatus status = cached_cert.GetField(oid, &distinguished_name);
+  if (status || !distinguished_name.field())

[wtc, 2011/12/21 01:10:08]

Can distinguished_name.field() be NULL when cached_cert.GetField() succeeds?

[Ryan Sleevi, 2011/12/21 02:14:56]

Judging by the Apple code, it is seen as a possibility.

See the method Certificate::isSelfSigned() in
http://www.opensource.apple.com/source/libsecurity_keychain/libsecurity_keych...

	issuer  = copyFirstFieldValue(CSSMOID_X509V1IssuerNameStd);
	subject = copyFirstFieldValue(CSSMOID_X509V1SubjectNameStd);
	if((issuer == NULL) || (subject == NULL)) {
		ortn = paramErr;
	}

Note that if there are any error returns (status != noErr), it will throw an
exception, so the NULL check seems clearly meant to cover a situation that does
not throw.

In practice, it shouldn't be possible (getFieldSubjectStd of 
http://www.opensource.apple.com/source/libsecurity_apple_x509_cl/libsecurity_...
always returns true as long as you're retrieving the first field value), but I'm
not sure if it's reliable to code against this implementation detail.

+    return;
+  result->ParseDistinguishedName(distinguished_name.field()->Data,
+                                 distinguished_name.field()->Length);
+}
+
 void GetCertDateForOID(const CSSMCachedCertificate& cached_cert,
                        const CSSM_OID* oid,
                        Time* result) {
@@ -677,17 +688,12 @@ void AppendPublicKeyHashes(CFArrayRef chain,
 }  // namespace
 
 void X509Certificate::Initialize() {
-  const CSSM_X509_NAME* name;
-  OSStatus status = SecCertificateGetSubject(cert_handle_, &name);
-  if (!status)
-    subject_.Parse(name);
-
-  status = SecCertificateGetIssuer(cert_handle_, &name);
-  if (!status)
-    issuer_.Parse(name);
-
   CSSMCachedCertificate cached_cert;
   if (cached_cert.Init(cert_handle_) == CSSM_OK) {
+    GetDistinguishedName(cached_cert, &CSSMOID_X509V1SubjectNameStd,
+                         &subject_);
+    GetDistinguishedName(cached_cert, &CSSMOID_X509V1IssuerNameStd,
+                         &issuer_);
     GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotBefore,
                       &valid_start_);
     GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotAfter,