Add new functions to handle UPN and email addresses

net/cert/x509_certificate.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_X509_CERTIFICATE_H_
 #define NET_CERT_X509_CERTIFICATE_H_
 
 #include <stddef.h>
 #include <string.h>
 
@@ skipping 116 matching lines @@
     PICKLETYPE_CERTIFICATE_CHAIN_V2,
 
     // The Pickle contains the certificate and any certificates that were
     // stored in |intermediate_ca_certs_| at the time it was serialized.
     // The format is [int count], [data - this certificate],
     // [data - intermediate1], ... [data - intermediateN].
     // All certificates are stored in DER form.
     PICKLETYPE_CERTIFICATE_CHAIN_V3,
   };
 
+  // Allows the caller to filter the subjectAltName list and return only
+  // a specific data type (e.g. email addresses or Microsoft User Principal
+  // Name).
+  enum SubjectAltNameType {
+    SAN_RFC822_NAME,
+    SAN_DNS_NAME,
+    SAN_URI,

[Ryan Sleevi, 2016/02/27 00:38:45]

Concrete reasons I don't like this: Exposing RFC 822 name and URI are entirely
unnecessary for Chrome.

Exposing UPN is specific only for a very specific use case.

None of these are needed for general X509Certificate's - they only are needed
for an OSCertHandle (which suggests something perhaps suited for x509_util
working on a CERTCertificate or OSCertHandle)

And there's also the concerns about cross-platform; does this functionality need
to be cross platform (believe the answer is "No"), which would further argue
*against* putting it in X509Certificate and moreso one of the platform specific
files.

[Kevin Cernekee, 2016/02/27 19:06:23]

Done.

+    SAN_IP_ADDRESS,
+    SAN_UPN,
+  };
+
   // Creates a X509Certificate from the ground up.  Used by tests that simulate
   // SSL connections.
   X509Certificate(const std::string& subject, const std::string& issuer,
                   base::Time start_date, base::Time expiration_date);
 
   // Create an X509Certificate from a handle to the certificate object in the
   // underlying crypto library.
   static scoped_refptr<X509Certificate> CreateFromHandle(
       OSCertHandle cert_handle,
       const OSCertHandles& intermediates);
@@ skipping 80 matching lines @@
   // Otherwise, it gets the common name in the subject field.
   void GetDNSNames(std::vector<std::string>* dns_names) const;
 
   // Gets the subjectAltName extension field from the certificate, if any.
   // For future extension; currently this only returns those name types that
   // are required for HTTP certificate name verification - see VerifyHostname.
   // Unrequired parameters may be passed as NULL.
   void GetSubjectAltName(std::vector<std::string>* dns_names,
                          std::vector<std::string>* ip_addrs) const;
 
+  // Gets a specific type of subjectAltName only.  Currently implemented
+  // for NSS.
+  void GetSubjectAltName(SubjectAltNameType type,
+                         std::vector<std::string>* names) const;
+
   // Convenience method that returns whether this certificate has expired as of
   // now.
   bool HasExpired() const;
 
   // Returns true if this object and |other| represent the same certificate.
   bool Equals(const X509Certificate* other) const;
 
   // Returns intermediate certificates added via AddIntermediateCertificate().
   // Ownership follows the "get" rule: it is the caller's responsibility to
   // retain the elements of the result.
@@ skipping 270 matching lines @@
   // based on the type of the certificate.
   std::string default_nickname_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_X509_CERTIFICATE_H_