
Unified Diff: net/cert/cert_verify_proc_unittest.cc

Issue 22893021: Normalize certificate name verification across all platforms (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Update cert Created 7 years, 4 months ago
Index: net/cert/cert_verify_proc_unittest.cc
diff --git a/net/cert/cert_verify_proc_unittest.cc b/net/cert/cert_verify_proc_unittest.cc
index a53d10a0845c710cbedc87c898f0a884729dd862..3286c77ee0280ef3b25b23c5535839c438ea2b0b 100644
--- a/net/cert/cert_verify_proc_unittest.cc
+++ b/net/cert/cert_verify_proc_unittest.cc
@@ -245,7 +245,6 @@ TEST_F(CertVerifyProcTest, MAYBE_IntermediateCARequireExplicitPolicy) {
EXPECT_EQ(0u, verify_result.cert_status);
}
-
// Test for bug 58437.
// This certificate will expire on 2011-12-21. The test will still
// pass if error == ERR_CERT_DATE_INVALID.
@@ -1356,4 +1355,67 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
CertVerifyProcWeakDigestTest,
testing::ValuesIn(kVerifyMixedTestData));
+static const struct CertVerifyProcNameData {
+ const char* hostname;
+ bool valid;
+} kVerifyNameData[] = {
+ { "127.0.0.1", false }, // Don't match the common name
+ { "127.0.0.2", true }, // Matches the iPAddress SAN (IPv4)
+ { "FE80:0:0:0:0:0:0:1", true }, // Matches the iPAddress SAN (IPv6)
+ { "[FE80:0:0:0:0:0:0:1]", false }, // Should not match the iPAddress SAN
+ { "FE80::1", true }, // Compressed form matches the iPAddress SAN (IPv6)
+ { "::127.0.0.2", false }, // IPv6 mapped form should NOT match iPAddress SAN
+ { "test.example", true }, // Matches the dNSName SAN
+ { "test.example.", true }, // Matches the dNSName SAN (trailing . ignored)
+ { "www.test.example", false }, // Should not match the dNSName SAN
+ { "test..example", false }, // Should not match the dNSName SAN
+ { "test.example..", false }, // Should not match the dNSName SAN
+ { ".test.example.", false }, // Should not match the dNSName SAN
+ { ".test.example", false }, // Should not match the dNSName SAN
wtc 2013/08/16 19:59:19 It would be nice to document what subject CN and a
+};
+
+// GTest 'magic' pretty-printer, so that if/when a test fails, it knows how
+// to output the parameter that was passed. Without this, it will simply
+// attempt to print out the first twenty bytes of the object, which depending
+// on platform and alignment, may result in an invalid read.
+void PrintTo(const CertVerifyProcNameData& data, std::ostream* os) {
+ *os << "Hostname: " << data.hostname << "; valid=" << data.valid;
+}
+
+class CertVerifyProcNameTest
+ : public CertVerifyProcTest,
+ public testing::WithParamInterface<CertVerifyProcNameData> {
+ public:
+ CertVerifyProcNameTest() {}
+ virtual ~CertVerifyProcNameTest() {}
+};
+
+TEST_P(CertVerifyProcNameTest, VerifyCertName) {
+ CertVerifyProcNameData data = GetParam();
+
+ CertificateList cert_list = CreateCertificateListFromFile(
+ GetTestCertsDirectory(), "subjectAltName_sanity_check.pem",
+ X509Certificate::FORMAT_AUTO);
+ ASSERT_EQ(1U, cert_list.size());
+ scoped_refptr<X509Certificate> cert(cert_list[0]);
+
+ ScopedTestRoot scoped_root(cert.get());
+
+ CertVerifyResult verify_result;
+ int error = Verify(cert.get(), data.hostname, 0, NULL, empty_cert_list_,
+ &verify_result);
+ if (data.valid) {
+ EXPECT_EQ(OK, error);
+ EXPECT_FALSE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+ } else {
+ EXPECT_EQ(ERR_CERT_COMMON_NAME_INVALID, error);
+ EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_COMMON_NAME_INVALID);
+ }
+}
+
+WRAPPED_INSTANTIATE_TEST_CASE_P(
+ VerifyName,
+ CertVerifyProcNameTest,
+ testing::ValuesIn(kVerifyNameData));
+
} // namespace net
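Review bot: The `::127.0.0.2` row in `kVerifyNameData` is commented as the "IPv6 mapped form", but that literal is the IPv4-compatible form (RFC 4291 section 2.5.5.1); the IPv4-mapped form is `::ffff:127.0.0.2`, and no row exercises it. Since the table pins down that an IPv6 spelling of an address must not match the IPv4 iPAddress SAN, I would change the comment to `// IPv4-compatible IPv6 form should NOT match iPAddress SAN` and add `{ "::ffff:127.0.0.2", false },  // IPv4-mapped IPv6 form should NOT match iPAddress SAN`. The expected `false` for the new row assumes the certificate's SAN carries 127.0.0.2 only as a 4-byte iPAddress entry, which has to be confirmed against subjectAltName_sanity_check.pem because the file is not visible here.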
