
Unified Diff: content/child/web_url_loader_impl.cc

Issue 2296953004: Send certificates to devtools when it's open instead of using certId (Closed)
Patch Set: pfeldman comment Created 4 years, 4 months ago
Index: content/child/web_url_loader_impl.cc
diff --git a/content/child/web_url_loader_impl.cc b/content/child/web_url_loader_impl.cc
index 17da0e103519d484dec9df5c4376e17e589aa2f0..ef0ce4ebe6bc4df0b98de505467e65a577cb5f9f 100644
--- a/content/child/web_url_loader_impl.cc
+++ b/content/child/web_url_loader_impl.cc
@@ -33,6 +33,7 @@
#include "content/child/weburlresponse_extradata_impl.h"
#include "content/common/resource_messages.h"
#include "content/common/resource_request_body_impl.h"
+#include "content/common/security_style_util.h"
#include "content/common/service_worker/service_worker_types.h"
#include "content/common/ssl_status_serialization.h"
#include "content/common/url_loader.mojom.h"
@@ -45,6 +46,7 @@
#include "net/base/net_errors.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/ct_sct_to_string.h"
+#include "net/cert/x509_certificate.h"
#include "net/http/http_response_headers.h"
#include "net/http/http_util.h"
#include "net/ssl/ssl_cipher_suite_names.h"
@@ -239,7 +241,7 @@ void SetSecurityStyleAndDetails(const GURL& url,
}
int ssl_version =
- net::SSLConnectionStatusToVersion(ssl_status.connection_status);
+ net::SSLConnectionStatusToVersion(info.ssl_connection_status);
const char* protocol;
net::SSLVersionToString(&protocol, ssl_version);
@@ -248,7 +250,7 @@ void SetSecurityStyleAndDetails(const GURL& url,
const char* mac;
bool is_aead;
uint16_t cipher_suite =
- net::SSLConnectionStatusToCipherSuite(ssl_status.connection_status);
+ net::SSLConnectionStatusToCipherSuite(info.ssl_connection_status);
net::SSLCipherSuiteToStrings(&key_exchange, &cipher, &mac, &is_aead,
cipher_suite);
if (mac == NULL) {
@@ -256,27 +258,38 @@ void SetSecurityStyleAndDetails(const GURL& url,
mac = "";
}
- blink::WebURLResponse::SecurityStyle securityStyle =
+ SecurityStyle security_style = GetSecurityStyleForResource(
estark 2016/09/01 00:20:03 Could you instead attach a security style to Resou
jam 2016/09/01 01:14:02 The motivation for the network-service part of thi
+ url, !info.certificate.empty(), info.cert_status);
+
+ blink::WebURLResponse::SecurityStyle security_style_blink =
WebURLResponse::SecurityStyleUnknown;
- switch (ssl_status.security_style) {
+ switch (security_style) {
case SECURITY_STYLE_UNKNOWN:
- securityStyle = WebURLResponse::SecurityStyleUnknown;
+ security_style_blink = WebURLResponse::SecurityStyleUnknown;
break;
case SECURITY_STYLE_UNAUTHENTICATED:
- securityStyle = WebURLResponse::SecurityStyleUnauthenticated;
+ security_style_blink = WebURLResponse::SecurityStyleUnauthenticated;
break;
case SECURITY_STYLE_AUTHENTICATION_BROKEN:
- securityStyle = WebURLResponse::SecurityStyleAuthenticationBroken;
+ security_style_blink = WebURLResponse::SecurityStyleAuthenticationBroken;
break;
case SECURITY_STYLE_WARNING:
- securityStyle = WebURLResponse::SecurityStyleWarning;
+ security_style_blink = WebURLResponse::SecurityStyleWarning;
break;
case SECURITY_STYLE_AUTHENTICATED:
- securityStyle = WebURLResponse::SecurityStyleAuthenticated;
+ security_style_blink = WebURLResponse::SecurityStyleAuthenticated;
break;
}
- response->setSecurityStyle(securityStyle);
+ response->setSecurityStyle(security_style_blink);
+
+ base::Pickle pickle(info.certificate.data(), info.certificate.size());
+ base::PickleIterator iterator(pickle);
+ scoped_refptr<net::X509Certificate> certificate =
+ net::X509Certificate::CreateFromPickle(
+ &iterator,
+ net::X509Certificate::PICKLETYPE_CERTIFICATE_CHAIN_V3);
+ DCHECK(certificate);
blink::WebURLResponse::SignedCertificateTimestampList sct_list(
info.signed_certificate_timestamps.size());
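Review bot: The `DCHECK(certificate)` after `net::X509Certificate::CreateFromPickle` is compiled out of release builds, so a pickle that fails to parse leaves a null `scoped_refptr` that is dereferenced further down in this function (`certificate->GetSubjectAltName`, `certificate->subject()`). The same hunk tests `!info.certificate.empty()`, which suggests an empty buffer is a possible input unless the early-return block above the hunk (not visible here) already excludes it. I would handle the failure at runtime, e.g. `if (!certificate) return;` before the details are built, and keep the DCHECK only if that path is provably unreachable. The function body starts above this hunk and continues past it.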
@@ -284,9 +297,31 @@ void SetSecurityStyleAndDetails(const GURL& url,
for (size_t i = 0; i < sct_list.size(); ++i)
sct_list[i] = NetSCTToBlinkSCT(info.signed_certificate_timestamps[i]);
+ std::vector<std::string> san, ip_addrs;
+ certificate->GetSubjectAltName(&san, &ip_addrs);
+
+ // IP addresses are in raw network bytes and must be converted to string form
+ for (const std::string& ip : ip_addrs) {
+ net::IPAddress ip_addr(reinterpret_cast<const uint8_t*>(ip.c_str()),
+ ip.length());
+ san.push_back(ip_addr.ToString());
+ }
+
+ blink::WebVector<blink::WebString> web_san(san.size());
+ std::transform(
+ san.begin(),
+ san.end(), web_san.begin(),
+ [](const std::string& h) { return blink::WebString::fromLatin1(h); });
+
blink::WebURLResponse::WebSecurityDetails webSecurityDetails(
WebString::fromUTF8(protocol), WebString::fromUTF8(key_exchange),
- WebString::fromUTF8(cipher), WebString::fromUTF8(mac), ssl_status.cert_id,
+ WebString::fromUTF8(cipher), WebString::fromUTF8(mac),
+ WebString::fromUTF8(certificate->subject().GetDisplayName()),
+ web_san,
+ WebString::fromUTF8(certificate->issuer().GetDisplayName()),
+ certificate->valid_start().ToDoubleT(),
+ certificate->valid_expiry().ToDoubleT(),
+ WebString::fromLatin1(info.certificate),
sct_list);
response->setSecurityDetails(webSecurityDetails);
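Review bot: The loop over `ip_addrs` builds a `net::IPAddress` from whatever byte length the certificate's subjectAltName entry carries and pushes `ToString()` unconditionally. These bytes come from the server's certificate, so an entry that is not 4 or 16 bytes long would, as far as I can tell, add an empty or misleading string to the list shown in DevTools. I suggest skipping such entries with `if (!ip_addr.IsValid()) continue;` before the `push_back`. Separately, `WebString::fromLatin1(info.certificate)` carries the binary pickle through a string type, so a short comment such as `// Opaque pickled certificate chain, not display text.` would help the next reader. The enclosing function starts above this hunk and continues past it.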
