Bug 1015973 - Improve cert error decoding. r=keeler

--HG--
extra : rebase_source : e812bc94b7c30727ef3a17fab0dac03633254083

security/manager/ssl/src/TransportSecurityInfo.cpp

@@ -20,6 +20,7 @@
 #include "nsIProgrammingLanguage.h"
 #include "nsIArray.h"
 #include "nsComponentManagerUtils.h"
+#include "nsReadableUtils.h"
 #include "nsServiceManagerUtils.h"
 #include "PSMRunnable.h"
 
@@ -624,12 +625,21 @@ GetSubjectAltNames(CERTCertificate *nssCert,
     nsAutoString name;
     switch (current->type) {
       case certDNSName:
-        name.AssignASCII((char*)current->name.other.data, current->name.other.len);
+        {
+          nsDependentCSubstring nameFromCert(reinterpret_cast<char*>
+                                              (current->name.other.data),
+                                              current->name.other.len);
+          // dNSName fields are defined as type IA5String and thus should
+          // be limited to ASCII characters.
+          if (IsASCII(nameFromCert)) {
+            name.Assign(NS_ConvertASCIItoUTF16(nameFromCert));
             if (!allNames.IsEmpty()) {
               allNames.AppendLiteral(", ");
             }
             ++nameCount;
             allNames.Append(name);
+          }
+        }
         break;
 
       case certIPAddress:
@@ -709,8 +719,15 @@ AppendErrorTextMismatch(const nsString &host,
   if (!useSAN) {
     char *certName = CERT_GetCommonName(&nssCert->subject);
     if (certName) {
+      nsDependentCSubstring commonName(certName, strlen(certName));
+      if (IsUTF8(commonName)) {
+        // Bug 1024781
+        // We should actually check that the common name is a valid dns name or
+        // ip address and not any string value before adding it to the display
+        // list.
         ++nameCount;
-      allNames.Assign(NS_ConvertUTF8toUTF16(certName));
+        allNames.Assign(NS_ConvertUTF8toUTF16(commonName));
+      }
       PORT_Free(certName);
     }
   }