Make X509Certificate creation fail if X509Certificate::Initialize fails.

net/cert/x509_certificate_ios.cc

 // Copyright (c) 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <Security/Security.h>
 
 #include "base/mac/scoped_cftyperef.h"
@@ skipping 57 matching lines @@
                           std::vector<std::string>* fields) {
   for (int index = -1;
        (index = X509_NAME_get_index_by_NID(name, nid, index)) != -1;) {
     std::string field;
     if (!x509_util::ParsePrincipalValueByIndex(name, index, &field))
       break;
     fields->push_back(field);
   }
 }
 
-void ParsePrincipal(X509Certificate::OSCertHandle os_cert,
+bool ParsePrincipal(X509Certificate::OSCertHandle os_cert,
                     X509_NAME* x509_name,
                     CertPrincipal* principal) {
   if (!x509_name)
-    return;
+    return false;
 
   ParsePrincipalValues(x509_name, NID_streetAddress,
                        &principal->street_addresses);
   ParsePrincipalValues(x509_name, NID_organizationName,
                        &principal->organization_names);
   ParsePrincipalValues(x509_name, NID_organizationalUnitName,
                        &principal->organization_unit_names);
   ParsePrincipalValues(x509_name, NID_domainComponent,
                        &principal->domain_components);
 
   x509_util::ParsePrincipalValueByNID(x509_name, NID_commonName,
                                       &principal->common_name);
   x509_util::ParsePrincipalValueByNID(x509_name, NID_localityName,
                                       &principal->locality_name);
   x509_util::ParsePrincipalValueByNID(x509_name, NID_stateOrProvinceName,
                                       &principal->state_or_province_name);
   x509_util::ParsePrincipalValueByNID(x509_name, NID_countryName,
                                       &principal->country_name);
+  return true;
 }
 
 bool ParseSubjectAltName(X509Certificate::OSCertHandle os_cert,
                          std::vector<std::string>* dns_names,
                          std::vector<std::string>* ip_addresses) {
   bssl::UniquePtr<X509> cert = OSCertHandleToOpenSSL(os_cert);
   if (!cert.get())
     return false;
   int index = X509_get_ext_by_NID(cert.get(), NID_subject_alt_name, -1);
   X509_EXTENSION* alt_name_ext = X509_get_ext(cert.get(), index);
@@ skipping 47 matching lines @@
     return nullptr;
   return reinterpret_cast<OSCertHandle>(const_cast<void*>(CFRetain(handle)));
 }
 
 // static
 void X509Certificate::FreeOSCertHandle(OSCertHandle cert_handle) {
   if (cert_handle)
     CFRelease(cert_handle);
 }
 
-void X509Certificate::Initialize() {
+bool X509Certificate::Initialize() {
   crypto::EnsureOpenSSLInit();
   bssl::UniquePtr<X509> x509_cert = OSCertHandleToOpenSSL(cert_handle_);
   if (!x509_cert)
-    return;
+    return false;
   ASN1_INTEGER* serial_num = X509_get_serialNumber(x509_cert.get());
-  if (serial_num) {
-    // ASN1_INTEGERS represent the decoded number, in a format internal to
-    // OpenSSL. Most notably, this may have leading zeroes stripped off for
-    // numbers whose first byte is >= 0x80. Thus, it is necessary to
-    // re-encoded the integer back into DER, which is what the interface
-    // of X509Certificate exposes, to ensure callers get the proper (DER)
-    // value.
-    int bytes_required = i2c_ASN1_INTEGER(serial_num, nullptr);
-    unsigned char* buffer = reinterpret_cast<unsigned char*>(
-        base::WriteInto(&serial_number_, bytes_required + 1));
-    int bytes_written = i2c_ASN1_INTEGER(serial_num, &buffer);
-    DCHECK_EQ(static_cast<size_t>(bytes_written), serial_number_.size());
-  }
+  if (!serial_num)
+    return false;
+  // ASN1_INTEGERS represent the decoded number, in a format internal to
+  // OpenSSL. Most notably, this may have leading zeroes stripped off for
+  // numbers whose first byte is >= 0x80. Thus, it is necessary to
+  // re-encoded the integer back into DER, which is what the interface
+  // of X509Certificate exposes, to ensure callers get the proper (DER)
+  // value.
+  int bytes_required = i2c_ASN1_INTEGER(serial_num, nullptr);
+  unsigned char* buffer = reinterpret_cast<unsigned char*>(
+      base::WriteInto(&serial_number_, bytes_required + 1));
+  int bytes_written = i2c_ASN1_INTEGER(serial_num, &buffer);
+  DCHECK_EQ(static_cast<size_t>(bytes_written), serial_number_.size());
 
-  ParsePrincipal(cert_handle_, X509_get_subject_name(x509_cert.get()),
-                 &subject_);
-  ParsePrincipal(cert_handle_, X509_get_issuer_name(x509_cert.get()), &issuer_);
-  x509_util::ParseDate(X509_get_notBefore(x509_cert.get()), &valid_start_);
-  x509_util::ParseDate(X509_get_notAfter(x509_cert.get()), &valid_expiry_);
+  return (
+      ParsePrincipal(cert_handle_, X509_get_subject_name(x509_cert.get()),
+                     &subject_) &&
+      ParsePrincipal(cert_handle_, X509_get_issuer_name(x509_cert.get()),
+                     &issuer_) &&
+      x509_util::ParseDate(X509_get_notBefore(x509_cert.get()),
+                           &valid_start_) &&
+      x509_util::ParseDate(X509_get_notAfter(x509_cert.get()), &valid_expiry_));
 }
 
 // static
 SHA256HashValue X509Certificate::CalculateFingerprint256(OSCertHandle cert) {
   SHA256HashValue sha256;
   memset(sha256.data, 0, sizeof(sha256.data));
 
   ScopedCFTypeRef<CFDataRef> cert_data(SecCertificateCopyData(cert));
   if (!cert_data)
     return sha256;
@@ skipping 234 matching lines @@
     return false;
   bssl::UniquePtr<EVP_PKEY> scoped_key(X509_get_pubkey(cert.get()));
   if (!scoped_key)
     return false;
   if (!X509_verify(cert.get(), scoped_key.get()))
     return false;
   return X509_check_issued(cert.get(), cert.get()) == X509_V_OK;
 }
 
 }  // namespace net