briansmith
diff --git a/‎src/name.rs‎
Lines changed: 32 additions & 4 deletions b/‎src/name.rs‎
Lines changed: 32 additions & 4 deletions
diff --git a/‎src/webpki.rs‎
Lines changed: 13 additions & 0 deletions b/‎src/webpki.rs‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎tests/integration.rs‎
Lines changed: 111 additions & 0 deletions b/‎tests/integration.rs‎
Lines changed: 111 additions & 0 deletions
diff --git a/‎tests/misc/dns_names_and_wildcards.der‎
1.73 KB b/‎tests/misc/dns_names_and_wildcards.der‎
1.73 KB
diff --git a/‎tests/misc/invalid_subject_alternative_name.der‎
1.73 KB b/‎tests/misc/invalid_subject_alternative_name.der‎
1.73 KB
diff --git a/‎tests/misc/no_subject_alternative_name.der‎
797 Bytes b/‎tests/misc/no_subject_alternative_name.der‎
797 Bytes
@@ -18,6 +18,12 @@ use crate::{
 };
 use core;
 
+#[cfg(feature = "std")]
+use std::string::String;
+
+#[cfg(feature = "std")]
+use std::vec::Vec;
+
 /// A DNS Name suitable for use in the TLS Server Name Indication (SNI)
 /// extension and/or for use as the reference hostname for which to verify a
 /// certificate.
@@ -154,6 +160,27 @@ pub fn verify_cert_dns_name(
     )
 }
 
+
+#[cfg(feature = "std")]
+pub fn list_cert_dns_names<'names>(cert: &super::EndEntityCert<'names>)
+                                   -> Result<Vec<DNSNameRef<'names>>, Error> {
+    let cert = &cert.inner;
+    let names = std::cell::RefCell::new(Vec::new());
+
+    iterate_names(cert.subject, cert.subject_alt_name, Ok(()), &|name| {
+        match name {
+            GeneralName::DNSName(presented_id) => {
+                match DNSNameRef::try_from_ascii(presented_id) {
+                    Ok(name) => names.borrow_mut().push(name),
+                    Err(_) => { /* keep going */ },
+                };
+            },
+            _ => ()
+        }
+        NameIteration::KeepGoing
+    }).map(|_| names.into_inner())
+}
+
 // https://tools.ietf.org/html/rfc5280#section-4.2.1.10
 pub fn check_name_constraints(
     input: Option<&mut untrusted::Reader>, subordinate_certs: &Cert,
@@ -384,10 +411,11 @@ enum NameIteration {
     Stop(Result<(), Error>),
 }
 
-fn iterate_names(
-    subject: untrusted::Input, subject_alt_name: Option<untrusted::Input>,
-    result_if_never_stopped_early: Result<(), Error>, f: &dyn Fn(GeneralName) -> NameIteration,
-) -> Result<(), Error> {
+fn iterate_names<'names, F>(
+    subject: untrusted::Input<'names>, subject_alt_name: Option<untrusted::Input<'names>>,
+    result_if_never_stopped_early: Result<(), Error>, f: &F,
+) -> Result<(), Error>
+    where F: Fn(GeneralName<'names>) -> NameIteration, {
     match subject_alt_name {
         Some(subject_alt_name) => {
             let mut subject_alt_name = untrusted::Reader::new(subject_alt_name);
 
@@ -241,6 +241,19 @@ impl<'a> EndEntityCert<'a> {
             untrusted::Input::from(signature),
         )
     }
+
+    /// Returns a list of the DNS names provided in the subject alternative names extension
+    ///
+    /// This function must not be used to implement custom DNS name verification.
+    /// Verification functions are already provided as `verify_is_valid_for_dns_name`
+    /// and `verify_is_valid_for_at_least_one_dns_name`.
+    ///
+    /// Requires the `std` default feature; i.e. this isn't available in
+    /// `#![no_std]` configurations.
+    #[cfg(feature = "std")]
+    pub fn dns_names(&self) -> Result<Vec<DNSNameRef<'a>>, Error> {
+        name::list_cert_dns_names(&self)
+    }
 }
 
 /// A trust anchor (a.k.a. root CA).
 
@@ -104,3 +104,114 @@ fn read_root_with_neg_serial() {
 #[cfg(feature = "std")]
 #[test]
 fn time_constructor() { let _ = webpki::Time::try_from(std::time::SystemTime::now()).unwrap(); }
+
+#[cfg(feature = "std")]
+#[test]
+pub fn list_netflix_names()
+{
+    let ee = include_bytes!("netflix/ee.der");
+
+    expect_cert_dns_names(ee, &[
+        "account.netflix.com",
+        "ca.netflix.com",
+        "netflix.ca",
+        "netflix.com",
+        "signup.netflix.com",
+        "www.netflix.ca",
+        "www1.netflix.com",
+        "www2.netflix.com",
+        "www3.netflix.com",
+        "develop-stage.netflix.com",
+        "release-stage.netflix.com",
+        "www.netflix.com",
+    ]);
+}
+
+#[cfg(feature = "std")]
+#[test]
+pub fn invalid_subject_alt_names()
+{
+    // same as netflix ee certificate, but with the last name in the list
+    // changed to 'www.netflix:com'
+    let data = include_bytes!("misc/invalid_subject_alternative_name.der");
+
+    expect_cert_dns_names(data, &[
+        "account.netflix.com",
+        "ca.netflix.com",
+        "netflix.ca",
+        "netflix.com",
+        "signup.netflix.com",
+        "www.netflix.ca",
+        "www1.netflix.com",
+        "www2.netflix.com",
+        "www3.netflix.com",
+        "develop-stage.netflix.com",
+        "release-stage.netflix.com",
+        // NOT 'www.netflix:com'
+    ]);
+}
+
+#[cfg(feature = "std")]
+#[test]
+pub fn wildcard_subject_alternative_names()
+{
+    // same as netflix ee certificate, but with the last name in the list
+    // changed to 'ww*.netflix:com'
+    let data = include_bytes!("misc/dns_names_and_wildcards.der");
+
+    expect_cert_dns_names(data, &[
+        "account.netflix.com",
+        // NOT "c*.netflix.com",
+        "netflix.ca",
+        "netflix.com",
+        "signup.netflix.com",
+        "www.netflix.ca",
+        "www1.netflix.com",
+        "www2.netflix.com",
+        "www3.netflix.com",
+        "develop-stage.netflix.com",
+        "release-stage.netflix.com",
+        "www.netflix.com"
+    ]);
+}
+
+#[cfg(feature = "std")]
+fn expect_cert_dns_names(data: &[u8], expected_names: &[&str])
+{
+    use std::iter::FromIterator;
+
+    let input = untrusted::Input::from(data);
+    let cert = webpki::EndEntityCert::from(input)
+      .expect("should parse end entity certificate correctly");
+
+    let expected_names =
+        std::collections::HashSet::from_iter(expected_names.iter().cloned());
+
+    let mut actual_names = cert.dns_names()
+      .expect("should get all DNS names correctly for end entity cert");
+
+    // Ensure that converting the list to a set doesn't throw away
+    // any duplicates that aren't supposed to be there
+    assert_eq!(actual_names.len(), expected_names.len());
+
+    let actual_names: std::collections::HashSet<&str> = actual_names.drain(..).map(|name| {
+        name.into()
+    }).collect();
+
+    assert_eq!(actual_names, expected_names);
+}
+
+#[cfg(feature = "std")]
+#[test]
+pub fn no_subject_alt_names()
+{
+    let data = include_bytes!("misc/no_subject_alternative_name.der");
+
+    let input = untrusted::Input::from(data);
+    let cert = webpki::EndEntityCert::from(input)
+      .expect("should parse end entity certificate correctly");
+
+    let names = cert.dns_names().expect("we should get a result even without subjectAltNames");
+
+    assert!(names.is_empty());
+}
Original file line number	Diff line number	Diff line change
`@@ -241,6 +241,19 @@ impl<'a> EndEntityCert<'a> {`
`241`	`241`	`untrusted::Input::from(signature),`
`242`	`242`	`)`
`243`	`243`	`}`
	`244`	`+`
	`245`	`+ /// Returns a list of the DNS names provided in the subject alternative names extension`
	`246`	`+ ///`
	`247`	`+ /// This function must not be used to implement custom DNS name verification.`
	`248`	+ /// Verification functions are already provided as `verify_is_valid_for_dns_name`
	`249`	+ /// and `verify_is_valid_for_at_least_one_dns_name`.
	`250`	`+ ///`
	`251`	+ /// Requires the `std` default feature; i.e. this isn't available in
	`252`	+ /// `#![no_std]` configurations.
	`253`	`+ #[cfg(feature = "std")]`
	`254`	`+ pub fn dns_names(&self) -> Result<Vec<DNSNameRef<'a>>, Error> {`
	`255`	`+ name::list_cert_dns_names(&self)`
	`256`	`+ }`
`244`	`257`	`}`
`245`	`258`
`246`	`259`	`/// A trust anchor (a.k.a. root CA).`