Revert 138795 - Revert "nss: revert encrypted and origin bound certificates support."

net/base/transport_security_state_static_generate.go

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // This program converts the information in
 // transport_security_state_static.json and
 // transport_security_state_static.certs into
 // transport_security_state_static.h. The input files contain information about
 // public key pinning and HTTPS-only sites that is compiled into Chromium.
 
@@ skipping 20 matching lines @@
         "strings"
 )
 
 // A pin represents an entry in transport_security_state_static.certs. It's a
 // name associated with a SubjectPublicKeyInfo hash and, optionally, a
 // certificate.
 type pin struct {
         name         string
         cert         *x509.Certificate
         spkiHash     []byte
-        spkiHashFunc string  // i.e. "sha1"
+        spkiHashFunc string // i.e. "sha1"
 }
 
 // preloaded represents the information contained in the
 // transport_security_state_static.json file. This structure and the two
 // following are used by the "json" package to parse the file. See the comments
 // in transport_security_state_static.json for details.
 type preloaded struct {
         Pinsets []pinset `json:"pinsets"`
         Entries []hsts   `json:"entries"`
 }
 
 type pinset struct {
         Name    string   `json:"name"`
         Include []string `json:"static_spki_hashes"`
         Exclude []string `json:"bad_static_spki_hashes"`
 }
 
 type hsts struct {
         Name       string `json:"name"`
         Subdomains bool   `json:"include_subdomains"`
-        Mode       string   `json:"mode"`
+        Mode       string `json:"mode"`
         Pins       string `json:"pins"`
         SNIOnly    bool   `json:"snionly"`
 }
 
 func main() {
         if len(os.Args) != 3 {
                 fmt.Fprintf(os.Stderr, "Usage: %s <json file> <certificates file>\n", os.Args[0])
                 os.Exit(1)
         }
 
@@ skipping 203 matching lines @@
 // given CN.
 func matchNames(name, v string) error {
         words := strings.Split(name, " ")
         if len(words) == 0 {
                 return errors.New("no words in certificate name")
         }
         firstWord := words[0]
         if strings.HasSuffix(firstWord, ",") {
                 firstWord = firstWord[:len(firstWord)-1]
         }
+        if strings.HasPrefix(firstWord, "*.") {
+                firstWord = firstWord[2:]
+        }
         if pos := strings.Index(firstWord, "."); pos != -1 {
                 firstWord = firstWord[:pos]
         }
         if pos := strings.Index(firstWord, "-"); pos != -1 {
                 firstWord = firstWord[:pos]
         }
-        if !strings.HasPrefix(v, firstWord) {
+        if len(firstWord) == 0 {
+                return errors.New("first word of certificate name is empty")
+        }
+        firstWord = strings.ToLower(firstWord)
+        lowerV := strings.ToLower(v)
+        if !strings.HasPrefix(lowerV, firstWord) {
                 return errors.New("the first word of the certificate name isn't a prefix of the variable name")
         }
 
         for i, word := range words {
                 if word == "Class" && i+1 < len(words) {
                         if strings.Index(v, word+words[i+1]) == -1 {
                                 return errors.New("class specification doesn't appear in the variable name")
                         }
                 } else if len(word) == 1 && word[0] >= '0' && word[0] <= '9' {
                         if strings.Index(v, word) == -1 {
@@ skipping 146 matching lines @@
         var name string
         var l int
         for _, label := range labels {
                 if len(label) > 63 {
                         panic("DNS label too long")
                 }
                 name += fmt.Sprintf("\\%03o", len(label))
                 name += label
                 l += len(label) + 1
         }
-        l += 1  // For the length of the root label.
+        l += 1 // For the length of the root label.
 
         return name, l
 }
 
 // domainConstant converts the domain name |s| into a string of the form
 // "DOMAIN_" + uppercase last two labels.
 func domainConstant(s string) string {
         labels := strings.Split(s, ".")
         gtld := strings.ToUpper(labels[len(labels)-1])
         domain := strings.Replace(strings.ToUpper(labels[len(labels)-2]), "-", "_", -1)
@@ skipping 68 matching lines @@
                 writeHSTSEntry(out, entry)
         }
 
         out.WriteString(`};
 static const size_t kNumPreloadedSNISTS = ARRAYSIZE_UNSAFE(kPreloadedSNISTS);
 
 `)
 
         return nil
 }