Add X509Certificate::IsIssuedByEncoded()

net/base/x509_util_nss.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_util.h"
 #include "net/base/x509_util_nss.h"
 
 #include <cert.h>
 #include <cryptohi.h>
 #include <nss.h>
@@ skipping 255 matching lines @@
   for (int i = 0; i < num_certs; ++i) {
     X509Certificate::OSCertHandle handle =
         X509Certificate::CreateOSCertHandleFromBytes(
             reinterpret_cast<char*>(certs[i]->data), certs[i]->len);
     if (handle)
       results->push_back(handle);
   }
 
   return SECSuccess;
 }
+
+typedef scoped_ptr_malloc<CERTName,
+        crypto::NSSDestroyer<CERTName, CERT_DestroyName> > ScopedCERTName;

[Ryan Sleevi, 2012/12/21 22:09:50]

style nit: This indenting is wrong

typedef scoped_ptr_malloc<
    CERTName,
    crypto::NSSDestroyer<CERTName, CERT_DestroyName> > ScopedCERTName;

[digit1, 2013/01/07 13:58:40]

Done.

+
+// Create a new CERTName object from its encoded representation.
+// |arena| is the allocation pool to use.
+// |data| points to a DER-encoded X.509 DistinguishedName.
+// Return a new CERTName pointer on success, or NULL.
+CERTName* CreateCertNameFromEncoded(PLArenaPool* arena,
+                                    const base::StringPiece& data) {
+    if (!arena)
+        return NULL;
+
+    ScopedCERTName name(PORT_ArenaZNew(arena, CERTName));
+    if (!name.get())
+        return NULL;
+
+    SECItem item;
+    item.len = static_cast<unsigned int>(data.length());
+    item.data = reinterpret_cast<unsigned char*>(
+        const_cast<char*>(data.data()));
+
+    SECStatus rv = SEC_ASN1DecodeItem(arena, name.get(),
+            SEC_ASN1_GET(CERT_NameTemplate), &item);

[Ryan Sleevi, 2012/12/21 22:09:50]

style: This indent is incorrect (minimally, should be exactly 4 spaces here),
but can be rewritten as follows

SECStatus rv = SEC_ASN1DecodeItem(
    arena, name.get(), SEC_ASN1_GET(CERT_NameTemplate), &item);

[digit1, 2013/01/07 13:58:40]

Done.

+    if (rv != SECSuccess)
+        return NULL;
+
+    return name.release();
+}
+
 #endif  // defined(USE_NSS) || defined(OS_IOS)
 
 }  // namespace
 
 namespace x509_util {
 
 CERTCertificate* CreateSelfSignedCert(
     SECKEYPublicKey* public_key,
     SECKEYPrivateKey* private_key,
     const std::string& subject,
@@ skipping 234 matching lines @@
       break;
     case ecKey:
       *type = X509Certificate::kPublicKeyTypeECDSA;
       break;
     default:
       *type = X509Certificate::kPublicKeyTypeUnknown;
       *size_bits = 0;
       break;
   }
 }
+
+bool GetIssuersFromEncodedList(
+    const std::vector<std::string>& encoded_issuers,
+    PLArenaPool* arena,
+    std::vector<CERTName*>* out) {
+
+  out->clear();
+  for (size_t n = 0; n < encoded_issuers.size(); ++n) {
+    CERTName* name = CreateCertNameFromEncoded(arena, encoded_issuers[n]);
+    if (name == NULL)
+      return false;
+
+    out->push_back(name);
+  }

[Ryan Sleevi, 2012/12/21 22:09:50]

RAII-safe alternative:

std::vector<CERTName*> result;
for (size_t i = 0; ...) {
  ...
}
if (result.size() == encoded_issuers.size()) {
  out->swap(result);
  return true;
}

for (size_t i = 0; i < result.size(); ++i)
  CERT_DestroyName(result[i]);
return false;

[digit1, 2013/01/07 13:58:40]

Done.

+  return true;
+}
+
+
+bool IsCertificateIssuedBy(const std::vector<CERTCertificate*>& cert_chain,
+                           const std::vector<CERTName*>& valid_issuers) {
+  for (size_t n = 0; n < cert_chain.size(); ++n) {
+    CERTName* cert_issuer = &cert_chain[n]->issuer;
+    for (size_t i = 0; i < valid_issuers.size(); ++i) {
+      if (CERT_CompareName(valid_issuers[i], cert_issuer))
+        return true;
+    }
+  }
+  return false;
+}
+
 #endif  // defined(USE_NSS) || defined(OS_IOS)
 
 } // namespace x509_util
 
 } // namespace net