Add X509Certificate::IsIssuedByEncoded()

net/base/x509_certificate_openssl.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <openssl/asn1.h>
 #include <openssl/crypto.h>
 #include <openssl/obj_mac.h>
 #include <openssl/pem.h>
@@ skipping 215 matching lines @@
     if (data_length <= 0 || !data)
       return false;
     internal_cache = SetDERCache(cert, x509_der_cache_index, data, data_length);
     if (!internal_cache)
       return false;
   }
   *der_cache = *internal_cache;
   return true;
 }
 
+// Used to free a list of X509_NAMEs without touching its objts.
+// sk_X509_NAME_free is a macro and can't be used as function
+// template parameter.
+void sk_X509_NAME_free_list(STACK_OF(X509_NAME)* sk) {
+  sk_X509_NAME_free(sk);
+}
+
+// Used to free a list of X509_NAMEs and the objects it points to.
+void sk_X509_NAME_free_all(STACK_OF(X509_NAME)* sk) {
+  sk_X509_NAME_pop_free(sk, X509_NAME_free);
+}
+
 }  // namespace
 
 // static
 X509Certificate::OSCertHandle X509Certificate::DupOSCertHandle(
     OSCertHandle cert_handle) {
   DCHECK(cert_handle);
   // Using X509_dup causes the entire certificate to be reparsed. This
   // conversion, besides being non-trivial, drops any associated
   // application-specific data set by X509_set_ex_data. Using CRYPTO_add
   // just bumps up the ref-count for the cert, without causing any allocations
@@ skipping 218 matching lines @@
       *type = kPublicKeyTypeECDSA;
       *size_bits = EVP_PKEY_size(key);
       break;
     case EVP_PKEY_DH:
       *type = kPublicKeyTypeDH;
       *size_bits = EVP_PKEY_size(key) * 8;
       break;
   }
 }
 
+bool X509Certificate::IsIssuedByEncoded(
+    const std::vector<std::string>& valid_issuers) {
+  if (valid_issuers.empty())
+    return false;
+
+  // Convert to a temporary list of X509_NAME objects.
+  // It will own the objects it points to.
+  crypto::ScopedOpenSSL<STACK_OF(X509_NAME), sk_X509_NAME_free_all>
+      issuer_names(sk_X509_NAME_new_null());
+  if (!issuer_names.get())
+    return false;
+
+  for (std::vector<std::string>::const_iterator it = valid_issuers.begin();
+      it != valid_issuers.end(); ++it) {
+    const unsigned char* p =
+        reinterpret_cast<const unsigned char*>(it->data());
+    long len = static_cast<long>(it->length());
+    X509_NAME* ca_name = d2i_X509_NAME(NULL, &p, len);
+    if (ca_name == NULL)
+      return false;
+    sk_X509_NAME_push(issuer_names.get(), ca_name);
+  }
+
+  // Create a temporary list of X509_NAME objects corresponding
+  // to the certificate chain. It doesn't own the object it points to.
+  std::vector<X509_NAME*> cert_names;
+  X509_NAME* issuer = X509_get_issuer_name(cert_handle_);
+  if (issuer == NULL)
+    return false;
+
+  cert_names.push_back(issuer);
+  for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
+      it != intermediate_ca_certs_.end(); ++it) {
+    issuer = X509_get_issuer_name(*it);
+    if (issuer == NULL)
+      return false;
+    cert_names.push_back(issuer);
+  }
+
+  // and 'cert_names'.
+  for (size_t n = 0; n < cert_names.size(); ++n) {
+    for (int m = 0; m < sk_X509_NAME_num(issuer_names.get()); ++m) {
+      X509_NAME* issuer = sk_X509_NAME_value(issuer_names.get(), m);
+      if (X509_NAME_cmp(issuer, cert_names[n]) == 0) {
+        return true;
+      }
+    }
+  }
+
+  return false;
+}
+
 }  // namespace net