Make X509Certificate creation fail if X509Certificate::Initialize fails.

net/cert/x509_certificate_mac.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreServices/CoreServices.h>
 #include <Security/Security.h>
 
@@ skipping 17 matching lines @@
 
 namespace net {
 
 // CSSM functions are deprecated as of OSX 10.7, but have no replacement.
 // https://bugs.chromium.org/p/chromium/issues/detail?id=590914#c1
 #pragma clang diagnostic push
 #pragma clang diagnostic ignored "-Wdeprecated-declarations"
 
 namespace {
 
-void GetCertDistinguishedName(
+bool GetCertDistinguishedName(
     const x509_util::CSSMCachedCertificate& cached_cert,
     const CSSM_OID* oid,
     CertPrincipal* result) {
   x509_util::CSSMFieldValue distinguished_name;
   OSStatus status = cached_cert.GetField(oid, &distinguished_name);
   if (status || !distinguished_name.field())
-    return;
+    return false;
   result->ParseDistinguishedName(distinguished_name.field()->Data,
                                  distinguished_name.field()->Length);
+  return true;
 }
 
 bool IsCertIssuerInEncodedList(X509Certificate::OSCertHandle cert_handle,
                                const std::vector<std::string>& issuers) {
   x509_util::CSSMCachedCertificate cached_cert;
   if (cached_cert.Init(cert_handle) != CSSM_OK)
     return false;
 
   x509_util::CSSMFieldValue distinguished_name;
   OSStatus status = cached_cert.GetField(&CSSMOID_X509V1IssuerNameStd,
                                          &distinguished_name);
   if (status || !distinguished_name.field())
     return false;
 
   base::StringPiece name_piece(
       reinterpret_cast<const char*>(distinguished_name.field()->Data),
       static_cast<size_t>(distinguished_name.field()->Length));
 
   for (std::vector<std::string>::const_iterator it = issuers.begin();
        it != issuers.end(); ++it) {
     base::StringPiece issuer_piece(*it);
     if (name_piece == issuer_piece)
       return true;
   }
 
   return false;
 }
 
-void GetCertDateForOID(const x509_util::CSSMCachedCertificate& cached_cert,
+bool GetCertDateForOID(const x509_util::CSSMCachedCertificate& cached_cert,
                        const CSSM_OID* oid,
                        Time* result) {
   *result = Time();
 
   x509_util::CSSMFieldValue field;
   OSStatus status = cached_cert.GetField(oid, &field);
   if (status)
-    return;
+    return false;
 
   const CSSM_X509_TIME* x509_time = field.GetAs<CSSM_X509_TIME>();
   if (x509_time->timeType != BER_TAG_UTC_TIME &&
       x509_time->timeType != BER_TAG_GENERALIZED_TIME) {
     LOG(ERROR) << "Unsupported date/time format "
                << x509_time->timeType;
-    return;
+    return false;
   }
 
   base::StringPiece time_string(
       reinterpret_cast<const char*>(x509_time->time.Data),
       x509_time->time.Length);
   CertDateFormat format = x509_time->timeType == BER_TAG_UTC_TIME ?
       CERT_DATE_FORMAT_UTC_TIME : CERT_DATE_FORMAT_GENERALIZED_TIME;
-  if (!ParseCertificateDate(time_string, format, result))
+  if (!ParseCertificateDate(time_string, format, result)) {
     LOG(ERROR) << "Invalid certificate date/time " << time_string;
+    return false;
+  }
+  return true;
 }
 
 std::string GetCertSerialNumber(
     const x509_util::CSSMCachedCertificate& cached_cert) {
   x509_util::CSSMFieldValue serial_number;
   OSStatus status = cached_cert.GetField(&CSSMOID_X509V1SerialNumber,
                                          &serial_number);
   if (status || !serial_number.field())
     return std::string();
 
@@ skipping 70 matching lines @@
       if (IsValidOSCertHandle(cert)) {
         CFRetain(cert);
         output->push_back(cert);
       }
     }
   }
 }
 
 }  // namespace
 
-void X509Certificate::Initialize() {
+bool X509Certificate::Initialize() {
   x509_util::CSSMCachedCertificate cached_cert;
-  if (cached_cert.Init(cert_handle_) == CSSM_OK) {
-    GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1SubjectNameStd,
-                             &subject_);
-    GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1IssuerNameStd,
-                             &issuer_);
-    GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotBefore,
-                      &valid_start_);
-    GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotAfter,
-                      &valid_expiry_);
-    serial_number_ = GetCertSerialNumber(cached_cert);
-  }
+  if (cached_cert.Init(cert_handle_) != CSSM_OK)
+    return false;
+  serial_number_ = GetCertSerialNumber(cached_cert);
+
+  return (!serial_number_.empty() &&
+          GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1SubjectNameStd,
+                                   &subject_) &&
+          GetCertDistinguishedName(cached_cert, &CSSMOID_X509V1IssuerNameStd,
+                                   &issuer_) &&
+          GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotBefore,
+                            &valid_start_) &&
+          GetCertDateForOID(cached_cert, &CSSMOID_X509V1ValidityNotAfter,
+                            &valid_expiry_));
 }
 
 bool X509Certificate::IsIssuedByEncoded(
     const std::vector<std::string>& valid_issuers) {
   if (IsCertIssuerInEncodedList(cert_handle_, valid_issuers))
     return true;
 
   for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
        it != intermediate_ca_certs_.end(); ++it) {
     if (IsCertIssuerInEncodedList(*it, valid_issuers))
@@ skipping 292 matching lines @@
     return false;
 
   if (CSSM_CL_CertVerify(cl_handle, 0, &cert_data, &cert_data, NULL, 0))
     return false;
   return true;
 }
 
 #pragma clang diagnostic pop  // "-Wdeprecated-declarations"
 
 }  // namespace net