Return the certificate chain in ClientCertStoreNSS.

net/third_party/nss/ssl/cmpcert.cc

+/*
+ * NSS utility functions
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "net/third_party/nss/ssl/cmpcert.h"
+
+#include <secder.h>
+#include <secitem.h>
+
+#include "base/logging.h"
+#include "base/strings/string_piece.h"
+
+namespace net {
+
+bool MatchClientCertificateIssuers(
+    CERTCertificate* cert,
+    const std::vector<std::string>& cert_authorities,
+    std::vector<ScopedCERTCertificate>* chain) {
+  // Bound how many iterations to try.
+  static const int kMaxDepth = 20;
+
+  // Retain the full certificate chain. Some deployments expect the client to
+  // supply intermediates out of the local store. https://crbug.com/548631
+  chain->clear();
+  chain->emplace_back(CERT_DupCertificate(cert));
+
+  // If no authorities are supplied, everything matches.
+  if (cert_authorities.empty())
+    return true;
+
+  while (chain->size() < kMaxDepth) {
+    CERTCertificate* curcert = chain->back().get();
+
+    base::StringPiece issuer(
+        reinterpret_cast<const char*>(curcert->derIssuer.data),
+        curcert->derIssuer.len);
+
+    // Compute an alternate issuer name for compatibility with 2.0 enterprise
+    // server, which send the CA names without the outer layer of DER header.
+    //
+    // TODO(davidben): Can this be removed?

[Ryan Sleevi, 2016/07/29 00:37:44]

Yup. No other platforms have this.

[davidben, 2016/07/29 15:14:11]

Removed.

At this point this function can only passingly be considered to be derived from
the NSS function, but I suppose I did start from that file. :-)

+    base::StringPiece compat_issuer;
+    int header_len;
+    PRUint32 content_len;
+    if (DER_Lengths(&curcert->derIssuer, &header_len, &content_len) ==
+        SECSuccess)
+      compat_issuer = issuer.substr(header_len);
+
+    // Check if |curcert| is signed by a valid CA.
+    for (const std::string& ca : cert_authorities) {
+      if (issuer == ca || (!compat_issuer.empty() && compat_issuer == ca))
+        return true;
+    }
+
+    // Stop at self-issued certificates.
+    if (SECITEM_CompareItem(&curcert->derIssuer, &curcert->derSubject) ==
+        SECEqual) {
+      return false;
+    }
+
+    // Look the parent up in the database and keep searching.
+    CERTCertificate* parent =
+        CERT_FindCertByName(curcert->dbhandle, &curcert->derIssuer);
+    if (!parent)
+      return false;
+    chain->emplace_back(parent);
+  }
+
+  return false;
+}
+
+}  // namespace net