Add a DevTools warning for a missing subjectAltName

net/cert/x509_certificate_win.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <memory>
 
 #include "base/logging.h"
 #include "base/memory/free_deleter.h"
@@ skipping 133 matching lines @@
   valid_expiry_ = Time::FromFileTime(cert_handle_->pCertInfo->NotAfter);
 
   const CRYPT_INTEGER_BLOB* serial = &cert_handle_->pCertInfo->SerialNumber;
   std::unique_ptr<uint8_t[]> serial_bytes(new uint8_t[serial->cbData]);
   for (unsigned i = 0; i < serial->cbData; i++)
     serial_bytes[i] = serial->pbData[serial->cbData - i - 1];
   serial_number_ = std::string(
       reinterpret_cast<char*>(serial_bytes.get()), serial->cbData);
 }
 
-void X509Certificate::GetSubjectAltName(
+bool X509Certificate::GetSubjectAltName(
     std::vector<std::string>* dns_names,
     std::vector<std::string>* ip_addrs) const {
   if (dns_names)
     dns_names->clear();
   if (ip_addrs)
     ip_addrs->clear();
 
   if (!cert_handle_)
-    return;
+    return false;
 
   std::unique_ptr<CERT_ALT_NAME_INFO, base::FreeDeleter> alt_name_info;
   GetCertSubjectAltName(cert_handle_, &alt_name_info);
   CERT_ALT_NAME_INFO* alt_name = alt_name_info.get();
-  if (alt_name) {
-    int num_entries = alt_name->cAltEntry;
-    for (int i = 0; i < num_entries; i++) {
-      // dNSName is an ASN.1 IA5String representing a string of ASCII
-      // characters, so we can use UTF16ToASCII here.
-      const CERT_ALT_NAME_ENTRY& entry = alt_name->rgAltEntry[i];
+  if (!alt_name)
+    return false;
 
-      if (dns_names && entry.dwAltNameChoice == CERT_ALT_NAME_DNS_NAME) {
+  bool has_san = false;
+  for (DWORD i = 0, num_entries = alt_name->cAltEntry; i < num_entries; i++) {
+    // dNSName is an ASN.1 IA5String representing a string of ASCII
+    // characters, so we can use UTF16ToASCII here.
+    const CERT_ALT_NAME_ENTRY& entry = alt_name->rgAltEntry[i];
+
+    if (entry.dwAltNameChoice == CERT_ALT_NAME_DNS_NAME) {
+      has_san = true;
+      if (dns_names)
         dns_names->push_back(base::UTF16ToASCII(entry.pwszDNSName));
-      } else if (ip_addrs &&
-                 entry.dwAltNameChoice == CERT_ALT_NAME_IP_ADDRESS) {
+    } else if (entry.dwAltNameChoice == CERT_ALT_NAME_IP_ADDRESS) {
+      has_san = true;
+      if (ip_addrs) {
         ip_addrs->push_back(std::string(
             reinterpret_cast<const char*>(entry.IPAddress.pbData),
             entry.IPAddress.cbData));
       }
     }
+    // Fast path: Found at least one subjectAltName and the caller doesn't
+    // need the actual values.
+    if (has_san && !ip_addrs && !dns_names)
+      return true;
   }
+
+  return has_san;
 }
 
 PCCERT_CONTEXT X509Certificate::CreateOSCertChainForCert() const {
   // Create an in-memory certificate store to hold this certificate and
   // any intermediate certificates in |intermediate_ca_certs_|. The store
   // will be referenced in the returned PCCERT_CONTEXT, and will not be freed
   // until the PCCERT_CONTEXT is freed.
   ScopedHCERTSTORE store(CertOpenStore(
       CERT_STORE_PROV_MEMORY, 0, NULL,
       CERT_STORE_DEFER_CLOSE_UNTIL_LAST_FREE_FLAG, NULL));
@@ skipping 254 matching lines @@
       CRYPT_VERIFY_CERT_SIGN_ISSUER_CERT,
       reinterpret_cast<void*>(const_cast<PCERT_CONTEXT>(cert_handle)), 0, NULL);
   if (!valid_signature)
     return false;
   return !!CertCompareCertificateName(X509_ASN_ENCODING,
                                       &cert_handle->pCertInfo->Subject,
                                       &cert_handle->pCertInfo->Issuer);
 }
 
 }  // namespace net