Add X509Certificate::IsIssuedByEncoded()

net/base/x509_certificate_ios.cc

Index: net/base/x509_certificate_ios.cc
diff --git a/net/base/x509_certificate_ios.cc b/net/base/x509_certificate_ios.cc
index 0286203ebb41aa255278c2ca85e87e8c38325707..5e5cc15140d45899fb4f253c1086f372cc8ea04b 100644
--- a/net/base/x509_certificate_ios.cc
+++ b/net/base/x509_certificate_ios.cc
@@ -69,6 +69,21 @@ void X509Certificate::Initialize() {
   ca_fingerprint_ = CalculateCAFingerprint(intermediate_ca_certs_);
 }
 
+bool X509Certificate::IsIssuedByEncoded(
+    const std::vector<std::string>& valid_issuers) {
+  if (x509_util::IsCertNameItemInIssuerList(&cert_handle_->derIssuer,
+                                            valid_issuers))

[Ryan Sleevi, 2012/12/13 19:49:05]

It's a shame to have to reparse the CERTName here (we have it in
cert_handle->issuer)

[digit1, 2012/12/14 17:54:33]

I know, but cert_handle->issuer is a CertPrincipal which, has you already
mentioned, should only be used for presentation. That's why I intentionally
avoided using it here.

I also wanted to use CERT_CompareName(), unfortunately NSS doesn't seem to
provide _any_ API to create a CERTName object from its DER-encoded
representation. The only alternative seems to create multiple CERTRDN objects
first, then pass then to CERT_CreateName() / CERT_AddRDN(), amd each CERTRDN is
created from a list of CERTAVA objects.

This is much more work, it requires parsing the DER encoded issuer names
explicitely, and I'm not sure it will be much better than comparing the
DER-encoded representations directly.

I'd be happy if you or wtc@ had a better suggestion for this issue.

[Ryan Sleevi, 2012/12/14 18:16:42]

cert_handle->issuer is a CERTName, which is the canonical type, not a
CertPrincipal.

Note, I was talking about cert_handle->issuer, not this->issuer_
typedef scoped_ptr_malloc<CERTName, NSSDestroyer<CERTName, CERT_DestroyName> >
ScopedCERTName;


SECItem data;
data.len = ...
data.data = ...;

ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
if (!arena.get());
  return false;
ScopedCERTName name(PORT_ArenaZNew(arena, CERTName));
if (!name.get())
  return false;
SECStatus rv = SEC_ASN1DecodeItem(arena.get(), name.get(),
SEC_ASN1_GET(CERT_NameTemplate), &data);
if (rv != SECSuccess)
  return false;

/* Setting ->arena will ensure that name releases arena when it's done. If this
is all stack local, then you don't need to do this and just let the arena pool
handle cleanup */
name->arena = arena.release();

/* do something with a CERTName here */

return true;
It also yields the RFC-correct output, which comparing the DER-encoded
representations does not.

[digit1, 2012/12/18 16:19:24]

Thank you so much for this, I've implemented this in net/base/x509_util_nss.cc,
this makes the use of CERT_CompareName() possible.

+    return true;
+
+  for (OSCertHandles::iterator it = intermediate_ca_certs_.begin();
+       it != intermediate_ca_certs_.end(); ++it) {
+    if (x509_util::IsCertNameItemInIssuerList(&(*it)->derSubject,
+                                              valid_issuers))
+      return true;

[Ryan Sleevi, 2012/12/13 19:49:05]

BUG: Rather then checking the subject, you should be checking issuer names here
as well.

It's legal for intermediate_ca_certs[.size() - 1].issuer == some_valid_issuer,
which would be missed by this algorithm.

[digit1, 2012/12/14 17:54:33]

That makes sense, I'll fix all checks.

+  }
+  return false;
+}
+
 // static
 X509Certificate* X509Certificate::CreateSelfSigned(
     crypto::RSAPrivateKey* key,