Add a DevTools warning for a missing subjectAltName

net/cert/x509_util_nss.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <cert.h>  // Must be included before certdb.h
 #include <certdb.h>
 #include <cryptohi.h>
 #include <nss.h>
 #include <pk11pub.h>
 #include <prerror.h>
@@ skipping 141 matching lines @@
   SECStatus rv = DER_DecodeTimeChoice(&prtime, der_date);
   DCHECK_EQ(SECSuccess, rv);
   *result = crypto::PRTimeToBaseTime(prtime);
 }
 
 std::string ParseSerialNumber(const CERTCertificate* certificate) {
   return std::string(reinterpret_cast<char*>(certificate->serialNumber.data),
                      certificate->serialNumber.len);
 }
 
-void GetSubjectAltName(CERTCertificate* cert_handle,
+bool GetSubjectAltName(CERTCertificate* cert_handle,
                        std::vector<std::string>* dns_names,
                        std::vector<std::string>* ip_addrs) {
   if (dns_names)
     dns_names->clear();
   if (ip_addrs)
     ip_addrs->clear();
 
   SECItem alt_name;
   SECStatus rv = CERT_FindCertExtension(
       cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, &alt_name);
   if (rv != SECSuccess)
-    return;
+    return false;
 
-  PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
-  DCHECK(arena != NULL);
+  crypto::ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
 
   CERTGeneralName* alt_name_list;
-  alt_name_list = CERT_DecodeAltNameExtension(arena, &alt_name);
+  alt_name_list = CERT_DecodeAltNameExtension(arena.get(), &alt_name);
   SECITEM_FreeItem(&alt_name, PR_FALSE);
 
+  bool has_san = false;
   CERTGeneralName* name = alt_name_list;
   while (name) {
     // DNSName and IPAddress are encoded as IA5String and OCTET STRINGs
     // respectively, both of which can be byte copied from
     // SECItemType::data into the appropriate output vector.
-    if (dns_names && name->type == certDNSName) {
-      dns_names->push_back(
-          std::string(reinterpret_cast<char*>(name->name.other.data),
-                      name->name.other.len));
-    } else if (ip_addrs && name->type == certIPAddress) {
-      ip_addrs->push_back(
-          std::string(reinterpret_cast<char*>(name->name.other.data),
-                      name->name.other.len));
+    if (name->type == certDNSName) {
+      has_san = true;
+      if (dns_names) {
+        dns_names->push_back(
+            std::string(reinterpret_cast<char*>(name->name.other.data),
+                        name->name.other.len));
+      }
+    } else if (name->type == certIPAddress) {
+      has_san = true;
+      if (ip_addrs) {
+        ip_addrs->push_back(
+            std::string(reinterpret_cast<char*>(name->name.other.data),
+                        name->name.other.len));
+      }
     }
+    // Fast path: Found at least one subjectAltName and the caller doesn't
+    // need the actual values.
+    if (has_san && !ip_addrs && !dns_names)
+      return true;
+
     name = CERT_GetNextGeneralName(name);
     if (name == alt_name_list)
       break;
   }
-  PORT_FreeArena(arena, PR_FALSE);
+  return has_san;
 }
 
 void GetRFC822SubjectAltNames(CERTCertificate* cert_handle,
                               std::vector<std::string>* names) {
   crypto::ScopedSECItem alt_name(SECITEM_AllocItem(NULL, NULL, 0));
   DCHECK(alt_name.get());
 
   names->clear();
   SECStatus rv = CERT_FindCertExtension(
       cert_handle, SEC_OID_X509_SUBJECT_ALT_NAME, alt_name.get());
@@ skipping 194 matching lines @@
     base::SStringPrintf(&new_name, "%s #%d", nickname.c_str(), index++);
     temp_nickname = token_name + new_name;
   }
 
   return new_name;
 }
 
 }  // namespace x509_util
 
 }  // namespace net