Fix API mismatch between NameConstraints::IsPermittedCert's subjectAltName...

Fix API mismatch between NameConstraints::IsPermittedCert's subjectAltName param and ParseExtension. BUG=none Review URL: https://codereview.chromium.org/1685023002 Cr-Commit-Position: refs/heads/master@{#374826}

Fix API mismatch between NameConstraints::IsPermittedCert's subjectAltName...
Fix API mismatch between NameConstraints::IsPermittedCert's subjectAltName param and ParseExtension. BUG=none Review URL: https://codereview.chromium.org/1685023002 Cr-Commit-Position: refs/heads/master@{#374826}
0cb852e8 · mattm · Commit bot · dcaccb9c · 0cb852e8 · 0cb852e8
Commit 0cb852e8 authored Feb 10, 2016 by mattm Committed by Commit bot Feb 11, 2016
16 changed files
--- a/net/cert/internal/name_constraints.cc
+++ b/net/cert/internal/name_constraints.cc
@@ -396,7 +396,8 @@ bool NameConstraints::Parse(const der::Input& extension_value,

 bool NameConstraints::IsPermittedCert(
    const der::Input& subject_rdn_sequence,
-    const der::Input& subject_alt_name_extnvalue_tlv) const {
+    bool has_subject_alt_name,
+    const der::Input& subject_alt_name_tlv) const {
  // Subject Alternative Name handling:
  //
  // RFC 5280 section 4.2.1.6:
@@ -407,12 +408,7 @@ bool NameConstraints::IsPermittedCert(
  // GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

  GeneralNames san_names;
-  if (subject_alt_name_extnvalue_tlv.Length()) {
-    der::Parser extnvalue_parser(subject_alt_name_extnvalue_tlv);
-    der::Input subject_alt_name_tlv;
-    if (!extnvalue_parser.ReadTag(der::kOctetString, &subject_alt_name_tlv))
-      return false;
-
+  if (has_subject_alt_name) {
    der::Parser subject_alt_name_parser(subject_alt_name_tlv);
    der::Parser san_sequence_parser;
    if (!subject_alt_name_parser.ReadSequence(&san_sequence_parser))
@@ -466,6 +462,8 @@ bool NameConstraints::IsPermittedCert(
      if (!IsPermittedIP(ip_address))
        return false;
    }
+  } else {
+    DCHECK_EQ(0U, subject_alt_name_tlv.Length());
  }

  // Subject handling:
@@ -477,7 +475,7 @@ bool NameConstraints::IsPermittedCert(
  // form, but the certificate does not include a subject alternative name, the
  // rfc822Name constraint MUST be applied to the attribute of type emailAddress
  // in the subject distinguished name.
-  if (!subject_alt_name_extnvalue_tlv.Length() &&
+  if (!has_subject_alt_name &&
      (ConstrainedNameTypes() & GENERAL_NAME_RFC822_NAME)) {
    bool contained_email_address = false;
    if (!NameContainsEmailAddress(subject_rdn_sequence,
@@ -496,10 +494,8 @@ bool NameConstraints::IsPermittedCert(
  // This code assumes that criticality condition is checked by the caller, and
  // therefore only needs to avoid the IsPermittedDirectoryName check against an
  // empty subject in such a case.
-  if (subject_alt_name_extnvalue_tlv.Length() &&
-      subject_rdn_sequence.Length() == 0) {
+  if (has_subject_alt_name && subject_rdn_sequence.Length() == 0)
    return true;
-  }

  return IsPermittedDirectoryName(subject_rdn_sequence);
 }

--- a/net/cert/internal/name_constraints.h
+++ b/net/cert/internal/name_constraints.h
@@ -86,13 +86,15 @@ class NET_EXPORT NameConstraints {
  // Tests if a certificate is allowed by the name constraints.
  // |subject_rdn_sequence| should be the DER-encoded value of the subject's
  // RDNSequence (not including Sequence tag), and may be an empty ASN.1
-  // sequence. |subject_alt_name_extnvalue_tlv| should be the extnValue of the
-  // subjectAltName extension (including the OCTET STRING tag & length), or
-  // empty if the cert did not have a subjectAltName extension.
+  // sequence. |subject_alt_name_tlv| should be the extnValue of the
+  // subjectAltName extension (not including the OCTET STRING tag & length). If
+  // the cert did not have a subjectAltName extension, |has_subject_alt_name|
+  // should be false and |subject_alt_name_tlv| should be empty.
  // Note that this method does not check hostname or IP address in commonName,
  // which is deprecated (crbug.com/308330).
  bool IsPermittedCert(const der::Input& subject_rdn_sequence,
-                       const der::Input& subject_alt_name_extnvalue_tlv) const;
+                       bool has_subject_alt_name,
+                       const der::Input& subject_alt_name_tlv) const;

  // Returns true if the ASCII hostname |name| is permitted.
  // |name| may be a wildcard hostname (starts with "*."). Eg, "*.bar.com"

--- a/net/cert/internal/name_constraints_unittest.cc
+++ b/net/cert/internal/name_constraints_unittest.cc
--- a/net/data/name_constraints_unittest/generate_name_constraints.py
+++ b/net/data/name_constraints_unittest/generate_name_constraints.py
@@ -47,7 +47,7 @@ class SubjectAltNameGenerator:
    self.names.append(general_name)

  def __str__(self):
-    s = "asn1 = OCTWRAP,SEQUENCE:subjectAltNameSequence\n"
+    s = "asn1 = SEQUENCE:subjectAltNameSequence\n"
    s += "[subjectAltNameSequence]\n"
    s_suffix = ""
    for n, name in enumerate(self.names):

--- a/net/data/name_constraints_unittest/san-edipartyname.pem
+++ b/net/data/name_constraints_unittest/san-edipartyname.pem
-    0:d=0  hl=2 l=   9 prim: OCTET STRING      [HEX DUMP]:3007A5058103666F6F
+    0:d=0  hl=2 l=   7 cons: SEQUENCE          
+    2:d=1  hl=2 l=   5 cons:  cont [ 5 ]        
+    4:d=2  hl=2 l=   3 prim:   cont [ 1 ]        
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BAkwB6UFgQNmb28=
+MAelBYEDZm9v
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-excluded-directoryname.pem
+++ b/net/data/name_constraints_unittest/san-excluded-directoryname.pem
-    0:d=0  hl=3 l= 128 prim: OCTET STRING      [HEX DUMP]:307E82157065726D69747465642E6578616D706C652E636F6D8704C0A80102A421301F310B30090603550406130255533110300E06035504080C074172697A6F6E61A43C303A310B30090603550406130255533113301106035504080C0A43616C69666F726E69613116301406035504070C0D4D6F756E7461696E2056696577
+    0:d=0  hl=2 l= 126 cons: SEQUENCE          
+    2:d=1  hl=2 l=  21 prim:  cont [ 2 ]        
+   25:d=1  hl=2 l=   4 prim:  cont [ 7 ]        
+   31:d=1  hl=2 l=  33 cons:  cont [ 4 ]        
+   33:d=2  hl=2 l=  31 cons:   SEQUENCE          
+   35:d=3  hl=2 l=  11 cons:    SET               
+   37:d=4  hl=2 l=   9 cons:     SEQUENCE          
+   39:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
+   44:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
+   48:d=3  hl=2 l=  16 cons:    SET               
+   50:d=4  hl=2 l=  14 cons:     SEQUENCE          
+   52:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
+   57:d=5  hl=2 l=   7 prim:      UTF8STRING        :Arizona
+   66:d=1  hl=2 l=  60 cons:  cont [ 4 ]        
+   68:d=2  hl=2 l=  58 cons:   SEQUENCE          
+   70:d=3  hl=2 l=  11 cons:    SET               
+   72:d=4  hl=2 l=   9 cons:     SEQUENCE          
+   74:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
+   79:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
+   83:d=3  hl=2 l=  19 cons:    SET               
+   85:d=4  hl=2 l=  17 cons:     SEQUENCE          
+   87:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
+   92:d=5  hl=2 l=  10 prim:      UTF8STRING        :California
+  104:d=3  hl=2 l=  22 cons:    SET               
+  106:d=4  hl=2 l=  20 cons:     SEQUENCE          
+  108:d=5  hl=2 l=   3 prim:      OBJECT            :localityName
+  113:d=5  hl=2 l=  13 prim:      UTF8STRING        :Mountain View
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BIGAMH6CFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYD
-VQQIDAdBcml6b25hpDwwOjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV
-BAcMDU1vdW50YWluIFZpZXc=
+MH6CFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+DAdBcml6b25hpDwwOjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcM
+DU1vdW50YWluIFZpZXc=
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-excluded-dnsname.pem
+++ b/net/data/name_constraints_unittest/san-excluded-dnsname.pem
-    0:d=0  hl=2 l= 120 prim: OCTET STRING      [HEX DUMP]:307682157065726D69747465642E6578616D706C652E636F6D8704C0A80102A421301F310B30090603550406130255533110300E06035504080C074172697A6F6E618234666F6F2E7374696C6C6E6F747065726D69747465642E6578636C756465642E7065726D69747465642E6578616D706C652E636F6D
+    0:d=0  hl=2 l= 118 cons: SEQUENCE          
+    2:d=1  hl=2 l=  21 prim:  cont [ 2 ]        
+   25:d=1  hl=2 l=   4 prim:  cont [ 7 ]        
+   31:d=1  hl=2 l=  33 cons:  cont [ 4 ]        
+   33:d=2  hl=2 l=  31 cons:   SEQUENCE          
+   35:d=3  hl=2 l=  11 cons:    SET               
+   37:d=4  hl=2 l=   9 cons:     SEQUENCE          
+   39:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
+   44:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
+   48:d=3  hl=2 l=  16 cons:    SET               
+   50:d=4  hl=2 l=  14 cons:     SEQUENCE          
+   52:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
+   57:d=5  hl=2 l=   7 prim:      UTF8STRING        :Arizona
+   66:d=1  hl=2 l=  52 prim:  cont [ 2 ]        
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BHgwdoIVcGVybWl0dGVkLmV4YW1wbGUuY29thwTAqAECpCEwHzELMAkGA1UEBhMCVVMxEDAOBgNV
-BAgMB0FyaXpvbmGCNGZvby5zdGlsbG5vdHBlcm1pdHRlZC5leGNsdWRlZC5wZXJtaXR0ZWQuZXhh
-bXBsZS5jb20=
+MHaCFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+DAdBcml6b25hgjRmb28uc3RpbGxub3RwZXJtaXR0ZWQuZXhjbHVkZWQucGVybWl0dGVkLmV4YW1w
+bGUuY29t
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-excluded-ipaddress.pem
+++ b/net/data/name_constraints_unittest/san-excluded-ipaddress.pem
-    0:d=0  hl=2 l=  72 prim: OCTET STRING      [HEX DUMP]:304682157065726D69747465642E6578616D706C652E636F6D8704C0A80102A421301F310B30090603550406130255533110300E06035504080C074172697A6F6E618704C0A80505
+    0:d=0  hl=2 l=  70 cons: SEQUENCE          
+    2:d=1  hl=2 l=  21 prim:  cont [ 2 ]        
+   25:d=1  hl=2 l=   4 prim:  cont [ 7 ]        
+   31:d=1  hl=2 l=  33 cons:  cont [ 4 ]        
+   33:d=2  hl=2 l=  31 cons:   SEQUENCE          
+   35:d=3  hl=2 l=  11 cons:    SET               
+   37:d=4  hl=2 l=   9 cons:     SEQUENCE          
+   39:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
+   44:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
+   48:d=3  hl=2 l=  16 cons:    SET               
+   50:d=4  hl=2 l=  14 cons:     SEQUENCE          
+   52:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
+   57:d=5  hl=2 l=   7 prim:      UTF8STRING        :Arizona
+   66:d=1  hl=2 l=   4 prim:  cont [ 7 ]        
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BEgwRoIVcGVybWl0dGVkLmV4YW1wbGUuY29thwTAqAECpCEwHzELMAkGA1UEBhMCVVMxEDAOBgNV
-BAgMB0FyaXpvbmGHBMCoBQU=
+MEaCFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+DAdBcml6b25hhwTAqAUF
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-invalid-empty.pem
+++ b/net/data/name_constraints_unittest/san-invalid-empty.pem
-    0:d=0  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
+    0:d=0  hl=2 l=   0 cons: SEQUENCE          
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BAIwAA==
+MAA=
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-invalid-ipaddress.pem
+++ b/net/data/name_constraints_unittest/san-invalid-ipaddress.pem
-    0:d=0  hl=2 l=   9 prim: OCTET STRING      [HEX DUMP]:30078705C0A8000500
+    0:d=0  hl=2 l=   7 cons: SEQUENCE          
+    2:d=1  hl=2 l=   5 prim:  cont [ 7 ]        
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BAkwB4cFwKgABQA=
+MAeHBcCoAAUA
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-othername.pem
+++ b/net/data/name_constraints_unittest/san-othername.pem
-    0:d=0  hl=2 l=  16 prim: OCTET STRING      [HEX DUMP]:300EA00C06042A0304050404DEADBEEF
+    0:d=0  hl=2 l=  14 cons: SEQUENCE          
+    2:d=1  hl=2 l=  12 cons:  cont [ 0 ]        
+    4:d=2  hl=2 l=   4 prim:   OBJECT            :1.2.3.4.5
+   10:d=2  hl=2 l=   4 prim:   OCTET STRING      [HEX DUMP]:DEADBEEF
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BBAwDqAMBgQqAwQFBATerb7v
+MA6gDAYEKgMEBQQE3q2+7w==
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-permitted.pem
+++ b/net/data/name_constraints_unittest/san-permitted.pem
-    0:d=0  hl=2 l=  66 prim: OCTET STRING      [HEX DUMP]:304082157065726D69747465642E6578616D706C652E636F6D8704C0A80102A421301F310B30090603550406130255533110300E06035504080C074172697A6F6E61
+    0:d=0  hl=2 l=  64 cons: SEQUENCE          
+    2:d=1  hl=2 l=  21 prim:  cont [ 2 ]        
+   25:d=1  hl=2 l=   4 prim:  cont [ 7 ]        
+   31:d=1  hl=2 l=  33 cons:  cont [ 4 ]        
+   33:d=2  hl=2 l=  31 cons:   SEQUENCE          
+   35:d=3  hl=2 l=  11 cons:    SET               
+   37:d=4  hl=2 l=   9 cons:     SEQUENCE          
+   39:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
+   44:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
+   48:d=3  hl=2 l=  16 cons:    SET               
+   50:d=4  hl=2 l=  14 cons:     SEQUENCE          
+   52:d=5  hl=2 l=   3 prim:      OBJECT            :stateOrProvinceName
+   57:d=5  hl=2 l=   7 prim:      UTF8STRING        :Arizona
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BEIwQIIVcGVybWl0dGVkLmV4YW1wbGUuY29thwTAqAECpCEwHzELMAkGA1UEBhMCVVMxEDAOBgNV
-BAgMB0FyaXpvbmE=
+MECCFXBlcm1pdHRlZC5leGFtcGxlLmNvbYcEwKgBAqQhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQI
+DAdBcml6b25h
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-registeredid.pem
+++ b/net/data/name_constraints_unittest/san-registeredid.pem
-    0:d=0  hl=2 l=   7 prim: OCTET STRING      [HEX DUMP]:300588032A0304
+    0:d=0  hl=2 l=   5 cons: SEQUENCE          
+    2:d=1  hl=2 l=   3 prim:  cont [ 8 ]        
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BAcwBYgDKgME
+MAWIAyoDBA==
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-rfc822name.pem
+++ b/net/data/name_constraints_unittest/san-rfc822name.pem
-    0:d=0  hl=2 l=  19 prim: OCTET STRING      [HEX DUMP]:3011810F666F6F406578616D706C652E636F6D
+    0:d=0  hl=2 l=  17 cons: SEQUENCE          
+    2:d=1  hl=2 l=  15 prim:  cont [ 1 ]        
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BBMwEYEPZm9vQGV4YW1wbGUuY29t
+MBGBD2Zvb0BleGFtcGxlLmNvbQ==
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-uri.pem
+++ b/net/data/name_constraints_unittest/san-uri.pem
-    0:d=0  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:30148612687474703A2F2F6578616D706C652E636F6D
+    0:d=0  hl=2 l=  20 cons: SEQUENCE          
+    2:d=1  hl=2 l=  18 prim:  cont [ 6 ]        
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BBYwFIYSaHR0cDovL2V4YW1wbGUuY29t
+MBSGEmh0dHA6Ly9leGFtcGxlLmNvbQ==
 -----END SUBJECT ALTERNATIVE NAME-----
--- a/net/data/name_constraints_unittest/san-x400address.pem
+++ b/net/data/name_constraints_unittest/san-x400address.pem
-    0:d=0  hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300AA3083006610413025553
+    0:d=0  hl=2 l=  10 cons: SEQUENCE          
+    2:d=1  hl=2 l=   8 cons:  cont [ 3 ]        
+    4:d=2  hl=2 l=   6 cons:   SEQUENCE          
+    6:d=3  hl=2 l=   4 cons:    appl [ 1 ]        
+    8:d=4  hl=2 l=   2 prim:     PRINTABLESTRING   :US
 -----BEGIN SUBJECT ALTERNATIVE NAME-----
-BAwwCqMIMAZhBBMCVVM=
+MAqjCDAGYQQTAlVT
 -----END SUBJECT ALTERNATIVE NAME-----