Add new functions to handle UPN and email addresses

Add new functions to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=`./out/Debug/net_unittests --gtest_filter="X509CertificateTest*"`

Committed: https://crrev.com/fca855226530609db4ec4400a83cf5339ae5c1e6
Cr-Commit-Position: refs/heads/master@{#378799}

[Kevin Cernekee, 2016-02-26 02:35:41]

Description was changed from

==========
Extend GetSubjectAltName to return email addresses

Currently this function only handles SAN fields that are useful for
verifying website certificates (hostnames + IPs).  For CrOS wifi
certs we also need to read out SAN email addresses.

BUG=549659
==========

to

==========
Add GetSubjectAltName() variant to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying website
certificates (hostnames + IPs).  For CrOS wifi certs we also need to read out
email addresses and Microsoft UPN fields.

BUG=549659
==========

[Kevin Cernekee, 2016-02-26 02:36:00]

Description was changed from

==========
Add GetSubjectAltName() variant to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying website
certificates (hostnames + IPs).  For CrOS wifi certs we also need to read out
email addresses and Microsoft UPN fields.

BUG=549659
==========

to

==========
Add GetSubjectAltName() variant to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
==========

[Kevin Cernekee, 2016-02-26 04:23:06]

cernekee@chromium.org changed reviewers:
+ rsleevi@chromium.org

[Kevin Cernekee, 2016-02-26 04:23:06]

I'll add test cases once we agree on the general concept.

The hardcoded OID string is not so nice - there's probably a better way. 
nsNSSCertHelper registers this OID as ms_nt_principal_name but I don't think we
can rely on it (SECOID_FindOID() still returns NULL when I try to look it up). 
Is there a simple way to do an OID lookup that doesn't involve the OID database?
 Or a central place where we inject interesting OIDs into the database?

[Ryan Sleevi, 2016-02-27 00:29:34]

Thanks for taking this on; I'm not a fan of this approach in general, but I want
to discuss more with a few other people and see if I'm being unreasonable,
before saying "no" - and especially, to discuss some design alternatives.

[Ryan Sleevi, 2016-02-27 00:38:45]

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_certifica...
File net/cert/x509_certificate.h (right):

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_certifica...
net/cert/x509_certificate.h:143: SAN_URI,
Concrete reasons I don't like this: Exposing RFC 822 name and URI are entirely
unnecessary for Chrome.

Exposing UPN is specific only for a very specific use case.

None of these are needed for general X509Certificate's - they only are needed
for an OSCertHandle (which suggests something perhaps suited for x509_util
working on a CERTCertificate or OSCertHandle)

And there's also the concerns about cross-platform; does this functionality need
to be cross platform (believe the answer is "No"), which would further argue
*against* putting it in X509Certificate and moreso one of the platform specific
files.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util.h
File net/cert/x509_util.h (right):

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util.h#ne...
net/cert/x509_util.h:36: 0x82, 0x37, 0x14, 0x2, 0x3};
I don't like exposing the constant's value in the header; plus this
initialization syntax doesn't provide external linkage but instead duplicates
the constant.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
File net/cert/x509_util_nss_certs.cc (right):

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:206: SECItem alt_name;
alt_name should be zero-initialized

SECItem alt_name = { siBuffer, 0, nullptr }; (IIRC)

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:212: PLArenaPool* arena =
PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
We have scopers for this.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:217: SECITEM_FreeItem(&alt_name, PR_FALSE);
This early free-ing seems unnecessary (we also have scopers to do this)

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:225: (type == X509Certificate::SAN_IP_ADDRESS &&
Further concerns: Exposing IP addresses / RFC names as std::string's feels
fundamentally wrong here as well.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:225: (type == X509Certificate::SAN_IP_ADDRESS &&
Design concerns: This seems better accomplished as a switch & helper, to make
sure we're not missing cases

if (name->type != GetTypeForEnumButWithABetterNamedFunction(type))
  continue;  // OK, something better than continue

switch (name->type) {
  case foo:
  case bar:
  case baz:
    ...;
   break;
  case bat:
    ... ;
}
...

[Kevin Cernekee, 2016-02-27 19:06:24]

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_certifica...
File net/cert/x509_certificate.h (right):

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_certifica...
net/cert/x509_certificate.h:143: SAN_URI,
On 2016/02/27 00:38:45, Ryan Sleevi wrote:
> Concrete reasons I don't like this: Exposing RFC 822 name and URI are entirely
> unnecessary for Chrome.
> 
> Exposing UPN is specific only for a very specific use case.
> 
> None of these are needed for general X509Certificate's - they only are needed
> for an OSCertHandle (which suggests something perhaps suited for x509_util
> working on a CERTCertificate or OSCertHandle)
> 
> And there's also the concerns about cross-platform; does this functionality
need
> to be cross platform (believe the answer is "No"), which would further argue
> *against* putting it in X509Certificate and moreso one of the platform
specific
> files.

Done.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util.h
File net/cert/x509_util.h (right):

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util.h#ne...
net/cert/x509_util.h:36: 0x82, 0x37, 0x14, 0x2, 0x3};
On 2016/02/27 00:38:45, Ryan Sleevi wrote:
> I don't like exposing the constant's value in the header; plus this
> initialization syntax doesn't provide external linkage but instead duplicates
> the constant.

Done.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
File net/cert/x509_util_nss_certs.cc (right):

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:206: SECItem alt_name;
On 2016/02/27 00:38:45, Ryan Sleevi wrote:
> alt_name should be zero-initialized
> 
> SECItem alt_name = { siBuffer, 0, nullptr }; (IIRC)

Done.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:212: PLArenaPool* arena =
PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
On 2016/02/27 00:38:45, Ryan Sleevi wrote:
> We have scopers for this.

Done.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:217: SECITEM_FreeItem(&alt_name, PR_FALSE);
On 2016/02/27 00:38:45, Ryan Sleevi wrote:
> This early free-ing seems unnecessary (we also have scopers to do this)

Done.

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:225: (type == X509Certificate::SAN_IP_ADDRESS &&
On 2016/02/27 00:38:45, Ryan Sleevi wrote:
> Further concerns: Exposing IP addresses / RFC names as std::string's feels
> fundamentally wrong here as well.

What do you recommend?

https://codereview.chromium.org/1720653002/diff/40001/net/cert/x509_util_nss_...
net/cert/x509_util_nss_certs.cc:225: (type == X509Certificate::SAN_IP_ADDRESS &&
On 2016/02/27 00:38:45, Ryan Sleevi wrote:
> Design concerns: This seems better accomplished as a switch & helper, to make
> sure we're not missing cases
> 
> if (name->type != GetTypeForEnumButWithABetterNamedFunction(type))
>   continue;  // OK, something better than continue
> 
> switch (name->type) {
>   case foo:
>   case bar:
>   case baz:
>     ...;
>    break;
>   case bat:
>     ... ;
> }
> ...
>     

Done.

[Kevin Cernekee, 2016-02-27 21:54:12]

Description was changed from

==========
Add GetSubjectAltName() variant to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
==========

to

==========
Add GetSubjectAltName() variant to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=buildbots
==========

[stevenjb, 2016-02-29 22:05:02]

stevenjb@chromium.org changed reviewers:
+ stevenjb@chromium.org

[stevenjb, 2016-02-29 22:05:03]

https://codereview.chromium.org/1720653002/diff/80001/net/cert/x509_util_nss.h
File net/cert/x509_util_nss.h (right):

https://codereview.chromium.org/1720653002/diff/80001/net/cert/x509_util_nss....
net/cert/x509_util_nss.h:63: std::vector<std::string>* names);
Avoid having two identical function names with different signatures. Maybe
GetSubjectAltNameByType.

Also, for functions I believe the order should be:
NET_EXPORT void

[Kevin Cernekee, 2016-02-29 22:40:43]

Description was changed from

==========
Add GetSubjectAltName() variant to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=buildbots
==========

to

==========
Add GetSubjectAltNameByType() variant to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=buildbots
==========

[Kevin Cernekee, 2016-02-29 22:52:01]

https://codereview.chromium.org/1720653002/diff/80001/net/cert/x509_util_nss.h
File net/cert/x509_util_nss.h (right):

https://codereview.chromium.org/1720653002/diff/80001/net/cert/x509_util_nss....
net/cert/x509_util_nss.h:63: std::vector<std::string>* names);
On 2016/02/29 22:05:03, stevenjb wrote:
> Avoid having two identical function names with different signatures. Maybe
> GetSubjectAltNameByType.
> 
> Also, for functions I believe the order should be:
> NET_EXPORT void

Done.

[stevenjb, 2016-02-29 22:59:50]

lgtm fwiw (but not an owner)

[Ryan Sleevi, 2016-03-01 00:28:29]

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss.h
File net/cert/x509_util_nss.h (right):

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:34: // Name).
While not wanting to seem too aggressive in this CL, I do want to highlight that
this isn't a good comment; it doesn't describe what it does or what the values
are, and instead provides an 'example usage' which is really just documenting
the existing code.

However, please see my comments below for greater context.

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:40: SAN_UPN,
I highlighted this in a previous CL, but I do want to restate:

1) I'm opposed to exposing SAN_URI
2) I'm not a fan of adding a separate, duplicate method of exposing DNS &
IPAddress SANs

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:40: SAN_UPN,
SAN_UPN explicitly is the sort of thing that should be documented. Each of these
really should be documented, ideally with a spec-citation inline

For example

// The type of subjectAltName to return.
// RFC 5280, Section 4.2.1.6 defines subjectAltName as:
//   SubjectAltName ::= GeneralNames
//   GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
//   GeneralName ::= CHOICE {
//        otherName                       [0]     OtherName,
//        rfc822Name                      [1]     IA5String,
//        dNSName                         [2]     IA5String,
//        x400Address                     [3]     ORAddress,
//        directoryName                   [4]     Name,
//        ediPartyName                    [5]     EDIPartyName,
//        uniformResourceIdentifier       [6]     IA5String,
//        iPAddress                       [7]     OCTET STRING,
//        registeredID                    [8]     OBJECT IDENTIFIER }
//   OtherName ::= SEQUENCE {
//        type-id    OBJECT IDENTIFIER,
//        value      [0] EXPLICIT ANY DEFINED BY type-id }
//
// This enum only supports the subset of types that are relevant
// to GetSubjectAltNameByType().
enum SubjectAltNameType {
  // rfc822Name                      [1]     IA5String,
  SAN_RFC822_NAME,
  //  dNSName                         [2]     IA5String,
  SAN_DNS_NAME,
  ...
  // An OtherName value whose type-id is equal to
  // 1.3.6.1.4.1.311.20.2.3 (known as either id-ms-san-sc-logon-upn,
  // as described in RFC 4556, or as szOID_NT_PRINCIPAL_NAME, as
  // documented in Microsoft KB287547).
  // The value field is a UTF8String literal.
  // For more information:
  //   https://www.ietf.org/mail-archive/web/pkix/current/msg03145.html
  //   https://www.ietf.org/proceedings/65/slides/pkix-4/sld1.htm
  //   https://tools.ietf.org/html/rfc4556
  SAN_UPN
}


The goal is to be explicit *and thorough* in documentation, so that everyone
following has enough context to understand what's going on.

However, please take this suggestion in broader context of this CL.

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:54: // Gets the subjectAltName extension field from the
certificate, if any.
// Gets the dNSName and iPAddress name types from the subjectAltName
// extension of |cert_handle|, storing them in |dns_names| and
// |ip_addrs|, respectively.
// If no subjectAltName is present, or no names of that type are
// present, the relevant vectors are cleared.

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:60: // support wifi on CrOS.
1) It's obvious this is only implemented for NSS, by virtue of this being in
_nss.h
2) "to support wifi on CrOS" is the sort of bad comment trifecta
  a) Abbreviates ChromeOS
  b) Explains an implementation detail (of code far away)
  c) grammar nit (only a single space after the period, wifi -> WiFi ||
wireless)

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:60: // support wifi on CrOS.
DESIGN: This design really gets to the crux of the matter. Nothing uses the URI
type, nor do you have any unittests to ensure the URI is returned. It does type
erasure (collapsing all name types to std::string, but of unclear contents,
especially for types that can be ambiguous - like directoryName: Would this be
the DER or the string form? And which string form - prepped or not?)

The concrete suggestion is this:

// Stores the values of all rfc822Name subjectAltNames from |cert_handle|
// into |names|. If no names are present, clears |names|.
// WARNING: This method does not validate that the rfc822Name is
// properly encoded; it MAY contain embedded NULs or other illegal
// characters; care should be taken to validate the well-formedness
// before using.
NET_EXPORT void GetRFC822SubjectAltNames(CERTCertificate* cert_handle,
                                         std::vector<std::string>* names);

// Clear documentation goes here
NET_EXPORT void GetUPNSubjectAltNames(...);

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
File net/cert/x509_util_nss_certs.cc (right):

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss_certs.cc:256: !memcmp(on->oid.data, kUpnOid,
sizeof(kUpnOid))) {
The use of ! for values that return <0,0,>0 has been a huge source of bugs, both
security and otherwise.

if (on->oid.len == sizeof(kUpnOid) &&
    memcmp(...) == 0) {
}

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss_certs.cc:258: if (SEC_ASN1DecodeItem(arena.get(),
&decoded,
SECURITY: DO *not* use this function in any way whatsoever. It is NOT safe to
use!

The idiomatic NSS way is SEC_QuickDERDecodeItem(...); alternatively, we've been
updating code to use //net/der (as seen in //net/cert/internal/parse_name). For
now, use QuickDER

[Kevin Cernekee, 2016-03-01 19:28:01]

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss.h
File net/cert/x509_util_nss.h (right):

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:34: // Name).
On 2016/03/01 00:28:28, Ryan Sleevi wrote:
> While not wanting to seem too aggressive in this CL, I do want to highlight
that
> this isn't a good comment; it doesn't describe what it does or what the values
> are, and instead provides an 'example usage' which is really just documenting
> the existing code.
> 
> However, please see my comments below for greater context.

Done.

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:40: SAN_UPN,
On 2016/03/01 00:28:28, Ryan Sleevi wrote:
> I highlighted this in a previous CL, but I do want to restate:
> 
> 1) I'm opposed to exposing SAN_URI
> 2) I'm not a fan of adding a separate, duplicate method of exposing DNS &
> IPAddress SANs

Done.

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:54: // Gets the subjectAltName extension field from the
certificate, if any.
On 2016/03/01 00:28:28, Ryan Sleevi wrote:
> // Gets the dNSName and iPAddress name types from the subjectAltName
> // extension of |cert_handle|, storing them in |dns_names| and
> // |ip_addrs|, respectively.
> // If no subjectAltName is present, or no names of that type are
> // present, the relevant vectors are cleared.

Done.

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss.h:60: // support wifi on CrOS.
On 2016/03/01 00:28:28, Ryan Sleevi wrote:
> DESIGN: This design really gets to the crux of the matter. Nothing uses the
URI
> type, nor do you have any unittests to ensure the URI is returned. It does
type
> erasure (collapsing all name types to std::string, but of unclear contents,
> especially for types that can be ambiguous - like directoryName: Would this be
> the DER or the string form? And which string form - prepped or not?)
> 
> The concrete suggestion is this:
> 
> // Stores the values of all rfc822Name subjectAltNames from |cert_handle|
> // into |names|. If no names are present, clears |names|.
> // WARNING: This method does not validate that the rfc822Name is
> // properly encoded; it MAY contain embedded NULs or other illegal
> // characters; care should be taken to validate the well-formedness
> // before using.
> NET_EXPORT void GetRFC822SubjectAltNames(CERTCertificate* cert_handle,
>                                          std::vector<std::string>* names);
> 
> // Clear documentation goes here
> NET_EXPORT void GetUPNSubjectAltNames(...);

Done.

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
File net/cert/x509_util_nss_certs.cc (right):

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss_certs.cc:256: !memcmp(on->oid.data, kUpnOid,
sizeof(kUpnOid))) {
On 2016/03/01 00:28:29, Ryan Sleevi wrote:
> The use of ! for values that return <0,0,>0 has been a huge source of bugs,
both
> security and otherwise.
> 
> if (on->oid.len == sizeof(kUpnOid) &&
>     memcmp(...) == 0) {
> }

Done.

https://codereview.chromium.org/1720653002/diff/100001/net/cert/x509_util_nss...
net/cert/x509_util_nss_certs.cc:258: if (SEC_ASN1DecodeItem(arena.get(),
&decoded,
On 2016/03/01 00:28:28, Ryan Sleevi wrote:
> SECURITY: DO *not* use this function in any way whatsoever. It is NOT safe to
> use!
> 
> The idiomatic NSS way is SEC_QuickDERDecodeItem(...); alternatively, we've
been
> updating code to use //net/der (as seen in //net/cert/internal/parse_name).
For
> now, use QuickDER

Done.

[Kevin Cernekee, 2016-03-01 20:18:52]

Description was changed from

==========
Add GetSubjectAltNameByType() variant to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=buildbots
==========

to

==========
Add new functions to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=buildbots
==========

[Ryan Sleevi, 2016-03-01 21:31:16]

Now you just need unit tests - that you can extract rfc822Name and that you can
extract the UPN name properly :)

[Kevin Cernekee, 2016-03-01 23:11:49]

Description was changed from

==========
Add new functions to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=buildbots
==========

to

==========
Add new functions to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=`./out/Debug/net_unittests --gtest_filter="X509CertificateTest*"`
==========

[Ryan Sleevi, 2016-03-02 19:18:54]

lgtm

[Kevin Cernekee, 2016-03-02 19:24:02]

The CQ bit was checked by cernekee@chromium.org

[Kevin Cernekee, 2016-03-02 19:24:03]

The patchset sent to the CQ was uploaded after l-g-t-m from
stevenjb@chromium.org
Link to the patchset: https://codereview.chromium.org/1720653002/#ps160001
(title: "fix ios build breakage")

[commit-bot: I haz the power, 2016-03-02 19:24:41]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1720653002/160001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1720653002/160001

[commit-bot: I haz the power, 2016-03-02 19:33:57]

Description was changed from

==========
Add new functions to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=`./out/Debug/net_unittests --gtest_filter="X509CertificateTest*"`
==========

to

==========
Add new functions to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=`./out/Debug/net_unittests --gtest_filter="X509CertificateTest*"`
==========

[commit-bot: I haz the power, 2016-03-02 19:33:59]

Committed patchset #9 (id:160001)

[commit-bot: I haz the power, 2016-03-02 19:35:18]

Description was changed from

==========
Add new functions to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=`./out/Debug/net_unittests --gtest_filter="X509CertificateTest*"`
==========

to

==========
Add new functions to handle UPN and email addresses

The existing code only handles SAN fields that are useful for verifying
website certificates (hostnames + IPs).  For CrOS wifi certs
we also need to read out email addresses and Microsoft UPN fields.

BUG=549659
TEST=`./out/Debug/net_unittests --gtest_filter="X509CertificateTest*"`

Committed: https://crrev.com/fca855226530609db4ec4400a83cf5339ae5c1e6
Cr-Commit-Position: refs/heads/master@{#378799}
==========

[commit-bot: I haz the power, 2016-03-02 19:35:20]

Patchset 9 (id:??) landed as
https://crrev.com/fca855226530609db4ec4400a83cf5339ae5c1e6
Cr-Commit-Position: refs/heads/master@{#378799}