Add a histogram for measuring the number of times we fall back to common name matching, when a cert…

net/cert/x509_certificate.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_CERT_X509_CERTIFICATE_H_
 #define NET_CERT_X509_CERTIFICATE_H_
 
 #include <string.h>
 
 #include <string>
@@ skipping 295 matching lines @@
 
 #if defined(USE_OPENSSL)
   // Returns a handle to a global, in-memory certificate store. We
   // use it for test code, e.g. importing the test server's certificate.
   static X509_STORE* cert_store();
 #endif
 
   // Verifies that |hostname| matches this certificate.
   // Does not verify that the certificate is valid, only that the certificate
   // matches this host.
-  // Returns true if it matches.
-  bool VerifyNameMatch(const std::string& hostname) const;
+  // Returns true if it matches, and updates |*common_name_fallback_used|,
+  // setting it to true if a fallback to the CN was used, rather than
+  // subjectAltName.
+  bool VerifyNameMatch(const std::string& hostname,
+                       bool* common_name_fallback_used) const;
 
   // Obtains the DER encoded certificate data for |cert_handle|. On success,
   // returns true and writes the DER encoded certificate to |*der_encoded|.
   static bool GetDEREncoded(OSCertHandle cert_handle,
                             std::string* der_encoded);
 
   // Returns the PEM encoded data from a DER encoded certificate. If the return
   // value is true, then the PEM encoded certificate is written to
   // |pem_encoded|.
   static bool GetPEMEncodedFromDER(const std::string& der_encoded,
@@ skipping 90 matching lines @@
 
   // Verifies that |hostname| matches one of the certificate names or IP
   // addresses supplied, based on TLS name matching rules - specifically,
   // following http://tools.ietf.org/html/rfc6125.
   // |cert_common_name| is the Subject CN, e.g. from X509Certificate::subject().
   // The members of |cert_san_dns_names| and |cert_san_ipaddrs| must be filled
   // from the dNSName and iPAddress components of the subject alternative name
   // extension, if present. Note these IP addresses are NOT ascii-encoded:
   // they must be 4 or 16 bytes of network-ordered data, for IPv4 and IPv6
   // addresses, respectively.
+  // |common_name_fallback_used| will be updated to true if cert_common_name
+  // was used to match the hostname, or false if either of the |cert_san_*|
+  // parameters was used to match the hostname.
   static bool VerifyHostname(const std::string& hostname,
                              const std::string& cert_common_name,
                              const std::vector<std::string>& cert_san_dns_names,
-                             const std::vector<std::string>& cert_san_ip_addrs);
+                             const std::vector<std::string>& cert_san_ip_addrs,
+                             bool* common_name_fallback_used);
 
   // Reads a single certificate from |pickle_iter| and returns a
   // platform-specific certificate handle. The format of the certificate
   // stored in |pickle_iter| is not guaranteed to be the same across different
   // underlying cryptographic libraries, nor acceptable to CreateFromBytes().
   // Returns an invalid handle, NULL, on failure.
   // NOTE: This should not be used for any new code. It is provided for
   // migration purposes and should eventually be removed.
   static OSCertHandle ReadOSCertHandleFromPickle(PickleIterator* pickle_iter);
 
@@ skipping 36 matching lines @@
   // based on the type of the certificate.
   std::string default_nickname_;
 #endif
 
   DISALLOW_COPY_AND_ASSIGN(X509Certificate);
 };
 
 }  // namespace net
 
 #endif  // NET_CERT_X509_CERTIFICATE_H_