Make third party auth cert selection code more flexible

Our previous logic would only check the common name of the certificate
to use for third party auth.  If someone wanted to use a cert which
specified O or OU instead of CN, then that certificate could not be
targeted via our Chrome Policy i.e.
RemoteAccessHostTokenValidationCertificateIssuer.

The new helper function will return the first valid field (in order):
CN, O, OU.  Our cert selection code will still favor CN so there won't
be any compat issues.

Change-Id: I2e1ea37f794c407e3b62afe87cf774976f283e55
Reviewed-on: https://chromium-review.googlesource.com/c/1323805
Commit-Queue: Joe Downing <joedow@chromium.org>
Reviewed-by: Jamie Walch <jamiewalch@chromium.org>
Cr-Commit-Position: refs/heads/master@{#606218}

remoting/host/token_validator_base.cc

@@ -40,18 +40,35 @@
 
 namespace {
 
-const int kBufferSize = 4096;
-const char kCertIssuerWildCard[] = "*";
+constexpr int kBufferSize = 4096;
+constexpr char kCertIssuerWildCard[] = "*";
+
+// Returns a value from the issuer field for certificate selection, in order of
+// preference.  If the O or OU entries are populated with multiple values, we
+// choose the first one.  This function should not be used for validation, only
+// for logging or determining which certificate to select for validation.
+std::string GetPreferredIssuerFieldValue(const net::X509Certificate* cert) {
+  if (!cert->issuer().common_name.empty())
+    return cert->issuer().common_name;
+  if (!cert->issuer().organization_names.empty() &&
+      !cert->issuer().organization_names[0].empty())
+    return cert->issuer().organization_names[0];
+  if (!cert->issuer().organization_unit_names.empty() &&
+      !cert->issuer().organization_unit_names[0].empty())
+    return cert->issuer().organization_unit_names[0];
 
-// The certificate is valid if:
+  return std::string();
+}
+
+// The certificate is valid if both are true:
 // * The certificate issuer matches exactly |issuer| or the |issuer| is a
-//   wildcard. And
+//   wildcard.
 // * |now| is within [valid_start, valid_expiry].
 bool IsCertificateValid(const std::string& issuer,
                         const base::Time& now,
                         const net::X509Certificate* cert) {
   return (issuer == kCertIssuerWildCard ||
-      issuer == cert->issuer().common_name) &&
+          issuer == GetPreferredIssuerFieldValue(cert)) &&
          cert->valid_start() <= now && cert->valid_expiry() > now;
 }
 
@@ -239,10 +256,10 @@ void TokenValidatorBase::ContinueWithCertificate(
     scoped_refptr<net::SSLPrivateKey> client_private_key) {
   if (request_) {
     if (client_cert) {
-      HOST_LOG << "Using certificate issued by: '"
-               << client_cert->issuer().common_name << "' with start date: '"
-               << client_cert->valid_start() << "' and expiry date: '"
-               << client_cert->valid_expiry() << "'";
+      HOST_LOG << "Using client certificate issued by: '"
+               << GetPreferredIssuerFieldValue(client_cert.get())
+               << "' with start date: '" << client_cert->valid_start()
+               << "' and expiry date: '" << client_cert->valid_expiry() << "'";
     }
 
     request_->ContinueWithCertificate(std::move(client_cert),