Move name matching into the shared certificate validator

Move name matching into the shared certificate validator

In the way-old times, Chrome used to rely on the underlying OS to
perform certificate name matching. Unfortunately, this meant that
certificates that worked in Chrome on one platform wouldn't work
in Chrome on another platform. As a result, a long time ago (e.g.
more than two years ago), Chrome moved to a common name validator,
which ensured that IPv6 was handled correctly, as were things like
trailing dots in the hostname (used to bypass DNS suffix search).

This cleans up the historical remants of that, by moving name
matching for certificates into a single place, in
CertVerifyProc::Verify, rather than the per-platform implementations
in CertVerifyProc::VerifyInternal.

The upside is this reduces code duplication.
The downside is this means that MockCertVerifyProc's now need to
supply certificates that *really* match their intended hostname, and
can no longer fake it til they make it.

BUG=308330
Review-Url: https://codereview.chromium.org/2725683002
Cr-Commit-Position: refs/heads/master@{#453735}
Committed: https://chromium.googlesource.com/chromium/src/+/b88c4386cdc3ea8c18d1bfd9cbaf5017141e83f4

[Ryan Sleevi, 2017-02-28 19:50:46]

rsleevi@chromium.org changed reviewers:
+ mattm@chromium.org

[Ryan Sleevi, 2017-02-28 19:50:47]

Matt, I realized https://codereview.chromium.org/2719273002/ was too unwieldy,
so I split this out into its own CL.

[Ryan Sleevi, 2017-02-28 19:50:51]

The CQ bit was checked by rsleevi@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-02-28 19:51:35]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-02-28 21:10:50]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-02-28 21:10:51]

Dry run: This issue passed the CQ dry run.

[mattm, 2017-02-28 21:14:32]

lgtm

[Ryan Sleevi, 2017-02-28 22:20:55]

The CQ bit was checked by rsleevi@chromium.org

[commit-bot: I haz the power, 2017-02-28 22:21:21]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-02-28 23:19:29]

CQ is committing da patch.

Bot data: {"patchset_id": 1, "attempt_start_ts": 1488320455532740, "parent_rev":
"6b0bff9826848a668c3a37089004335877dc6479", "commit_rev":
"b88c4386cdc3ea8c18d1bfd9cbaf5017141e83f4"}

[commit-bot: I haz the power, 2017-02-28 23:20:05]

Description was changed from

==========
Move name matching into the shared certificate validator

In the way-old times, Chrome used to rely on the underlying OS to
perform certificate name matching. Unfortunately, this meant that
certificates that worked in Chrome on one platform wouldn't work
in Chrome on another platform. As a result, a long time ago (e.g.
more than two years ago), Chrome moved to a common name validator,
which ensured that IPv6 was handled correctly, as were things like
trailing dots in the hostname (used to bypass DNS suffix search).

This cleans up the historical remants of that, by moving name
matching for certificates into a single place, in
CertVerifyProc::Verify, rather than the per-platform implementations
in CertVerifyProc::VerifyInternal.

The upside is this reduces code duplication.
The downside is this means that MockCertVerifyProc's now need to
supply certificates that *really* match their intended hostname, and
can no longer fake it til they make it.

BUG=308330
==========

to

==========
Move name matching into the shared certificate validator

In the way-old times, Chrome used to rely on the underlying OS to
perform certificate name matching. Unfortunately, this meant that
certificates that worked in Chrome on one platform wouldn't work
in Chrome on another platform. As a result, a long time ago (e.g.
more than two years ago), Chrome moved to a common name validator,
which ensured that IPv6 was handled correctly, as were things like
trailing dots in the hostname (used to bypass DNS suffix search).

This cleans up the historical remants of that, by moving name
matching for certificates into a single place, in
CertVerifyProc::Verify, rather than the per-platform implementations
in CertVerifyProc::VerifyInternal.

The upside is this reduces code duplication.
The downside is this means that MockCertVerifyProc's now need to
supply certificates that *really* match their intended hostname, and
can no longer fake it til they make it.

BUG=308330

Review-Url: https://codereview.chromium.org/2725683002
Cr-Commit-Position: refs/heads/master@{#453735}
Committed:
https://chromium.googlesource.com/chromium/src/+/b88c4386cdc3ea8c18d1bfd9cbaf...
==========

[commit-bot: I haz the power, 2017-02-28 23:20:06]

Committed patchset #1 (id:1) as
https://chromium.googlesource.com/chromium/src/+/b88c4386cdc3ea8c18d1bfd9cbaf...