Update SSL error handling code to account for Subject CN deprecation
In Issue 308330, Chrome deprecated the use of the Subject CN field in
certificate hostname validation. However, the certificate error
interstitial and error classification logic were left unchanged,
leading to misleading error messages and doomed error recovery attempts
in the event that a certificate lacked SubjectAltNames.
In this change, Chrome's Certificate Error interstitial and error
recovery will no longer fall back to the certificate's Subject CN field
when evaluating the certificate's valid DNS names.
BUG=703614
Review-Url: https://codereview.chromium.org/2777383002
Cr-Commit-Position: refs/heads/master@{#462230}
diff --git a/components/ssl_errors/error_info.cc b/components/ssl_errors/error_info.cc
index 7ef291e..ab7afcc 100644
--- a/components/ssl_errors/error_info.cc
+++ b/components/ssl_errors/error_info.cc
@@ -32,22 +32,30 @@
base::string16 details, short_description;
switch (error_type) {
case CERT_COMMON_NAME_INVALID: {
- // If the certificate contains multiple DNS names, we choose the most
- // representative one -- either the DNS name that's also in the subject
- // field, or the first one. If this heuristic turns out to be
- // inadequate, we can consider choosing the DNS name that is the
- // "closest match" to the host name in the request URL, or listing all
- // the DNS names with an HTML <ul>.
std::vector<std::string> dns_names;
- cert->GetDNSNames(&dns_names);
- DCHECK(!dns_names.empty());
+ cert->GetSubjectAltName(&dns_names, nullptr);
+
size_t i = 0;
- for (; i < dns_names.size(); ++i) {
- if (dns_names[i] == cert->subject().common_name)
- break;
+ if (dns_names.empty()) {
+ // The certificate had no DNS names, display an explanatory string.
+ // TODO(elawrence): Change the error messsage instead of just the
+ // placeholder string; see https://crbug.com/708268
+ dns_names.push_back("[missing_subjectAltName]");
+ } else {
+ // If the certificate contains multiple DNS names, we choose the most
+ // representative one -- either the DNS name that's also in the subject
+ // field, or the first one. If this heuristic turns out to be
+ // inadequate, we can consider choosing the DNS name that is the
+ // "closest match" to the host name in the request URL, or listing all
+ // the DNS names with an HTML <ul>.
+ for (; i < dns_names.size(); ++i) {
+ if (dns_names[i] == cert->subject().common_name)
+ break;
+ }
+ if (i == dns_names.size())
+ i = 0;
}
- if (i == dns_names.size())
- i = 0;
+
details = l10n_util::GetStringFUTF16(
IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS,
UTF8ToUTF16(request_url.host()),
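Review bot: the literal `"[missing_subjectAltName]"` pushed into dns_names when GetSubjectAltName() yields no DNS names is an untranslated English token that then gets formatted into the localized IDS_CERT_ERROR_COMMON_NAME_INVALID_DETAILS string in the slot meant for a hostname; the TODO defers the real fix to https://crbug.com/708268, but selecting a dedicated IDS_ resource string for the no-SAN case here would avoid shipping a bracketed placeholder to users in the meantime. Removing `DCHECK(!dns_names.empty());` is correct now that the lookup can legitimately return an empty list, since the old DCHECK would have fired on exactly the certificates this change is meant to handle. Minor: "messsage" in the TODO comment.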