Use X509Certificate printable_string_is_utf8 hack for ChromeOS client cert extension apis

Bug: 788655
Change-Id: Ib43359d84663d72719853c63d910ae2d2d03eabb
Reviewed-on: https://chromium-review.googlesource.com/801995Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520790}

chrome/browser/extensions/api/certificate_provider/certificate_provider_api.cc

@@ -125,8 +125,12 @@ bool CertificateProviderInternalReportCertificatesFunction::
     return false;
   }
 
-  out_info->certificate =
-      net::X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size());
+  // Allow UTF-8 inside PrintableStrings in client certificates. See
+  // crbug.com/770323 and crbug.com/788655.
+  net::X509Certificate::UnsafeCreateOptions options;
+  options.printable_string_is_utf8 = true;
+  out_info->certificate = net::X509Certificate::CreateFromBytesUnsafeOptions(
+      cert_der.data(), cert_der.size(), options);
   if (!out_info->certificate) {
     WriteToConsole(content::CONSOLE_MESSAGE_LEVEL_ERROR, kErrorInvalidX509Cert);
     return false;

chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_api.cc

@@ -142,8 +142,13 @@ EnterprisePlatformKeysImportCertificateFunction::Run() {
     return RespondNow(Error(platform_keys::kErrorInvalidToken));
 
   const std::vector<char>& cert_der = params->certificate;
+  // Allow UTF-8 inside PrintableStrings in client certificates. See
+  // crbug.com/770323 and crbug.com/788655.
+  net::X509Certificate::UnsafeCreateOptions options;
+  options.printable_string_is_utf8 = true;
   scoped_refptr<net::X509Certificate> cert_x509 =
-      net::X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size());
+      net::X509Certificate::CreateFromBytesUnsafeOptions(
+          cert_der.data(), cert_der.size(), options);
   if (!cert_x509.get())
     return RespondNow(Error(kErrorInvalidX509Cert));
 
@@ -180,8 +185,13 @@ EnterprisePlatformKeysRemoveCertificateFunction::Run() {
     return RespondNow(Error(platform_keys::kErrorInvalidToken));
 
   const std::vector<char>& cert_der = params->certificate;
+  // Allow UTF-8 inside PrintableStrings in client certificates. See
+  // crbug.com/770323 and crbug.com/788655.
+  net::X509Certificate::UnsafeCreateOptions options;
+  options.printable_string_is_utf8 = true;
   scoped_refptr<net::X509Certificate> cert_x509 =
-      net::X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size());
+      net::X509Certificate::CreateFromBytesUnsafeOptions(
+          cert_der.data(), cert_der.size(), options);
   if (!cert_x509.get())
     return RespondNow(Error(kErrorInvalidX509Cert));
 

chrome/browser/extensions/api/platform_keys/platform_keys_api.cc

@@ -131,8 +131,13 @@ PlatformKeysInternalGetPublicKeyFunction::Run() {
   const std::vector<char>& cert_der = params->certificate;
   if (cert_der.empty())
     return RespondNow(Error(platform_keys::kErrorInvalidX509Cert));
+  // Allow UTF-8 inside PrintableStrings in client certificates. See
+  // crbug.com/770323 and crbug.com/788655.
+  net::X509Certificate::UnsafeCreateOptions options;
+  options.printable_string_is_utf8 = true;
   scoped_refptr<net::X509Certificate> cert_x509 =
-      net::X509Certificate::CreateFromBytes(cert_der.data(), cert_der.size());
+      net::X509Certificate::CreateFromBytesUnsafeOptions(
+          cert_der.data(), cert_der.size(), options);
   if (!cert_x509)
     return RespondNow(Error(platform_keys::kErrorInvalidX509Cert));
 
@@ -206,9 +211,13 @@ PlatformKeysInternalSelectClientCertificatesFunction::Run() {
          *params->details.client_certs) {
       if (client_cert_der.empty())
         return RespondNow(Error(platform_keys::kErrorInvalidX509Cert));
+      // Allow UTF-8 inside PrintableStrings in client certificates. See
+      // crbug.com/770323 and crbug.com/788655.
+      net::X509Certificate::UnsafeCreateOptions options;
+      options.printable_string_is_utf8 = true;
       scoped_refptr<net::X509Certificate> client_cert_x509 =
-          net::X509Certificate::CreateFromBytes(client_cert_der.data(),
-                                                client_cert_der.size());
+          net::X509Certificate::CreateFromBytesUnsafeOptions(
+              client_cert_der.data(), client_cert_der.size(), options);
       if (!client_cert_x509)
         return RespondNow(Error(platform_keys::kErrorInvalidX509Cert));
       client_certs->push_back(client_cert_x509);

net/cert/x509_certificate.cc

@@ -233,12 +233,20 @@ scoped_refptr<X509Certificate> X509Certificate::CreateFromDERCertChain(
 scoped_refptr<X509Certificate> X509Certificate::CreateFromBytes(
     const char* data,
     size_t length) {
+  return CreateFromBytesUnsafeOptions(data, length, {});
+}
+
+// static
+scoped_refptr<X509Certificate> X509Certificate::CreateFromBytesUnsafeOptions(
+    const char* data,
+    size_t length,
+    UnsafeCreateOptions options) {
   OSCertHandle cert_handle = CreateOSCertHandleFromBytes(data, length);
   if (!cert_handle)
     return NULL;
 
   scoped_refptr<X509Certificate> cert =
-      CreateFromHandle(cert_handle, OSCertHandles());
+      CreateFromHandleUnsafeOptions(cert_handle, {}, options);
   FreeOSCertHandle(cert_handle);
   return cert;
 }

net/cert/x509_certificate.h

@@ -112,6 +112,13 @@ class NET_EXPORT X509Certificate
   static scoped_refptr<X509Certificate> CreateFromBytes(const char* data,
                                                         size_t length);
 
+  // Create an X509Certificate with non-standard parsing options.
+  // Do not use without consulting //net owners.
+  static scoped_refptr<X509Certificate> CreateFromBytesUnsafeOptions(
+      const char* data,
+      size_t length,
+      UnsafeCreateOptions options);
+
   // Create an X509Certificate from the representation stored in the given
   // pickle.  The data for this object is found relative to the given
   // pickle_iter, which should be passed to the pickle's various Read* methods.