Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(657)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/x509_certificate_unittest.cc

Issue 14741019: Disallow wildcards from matching top-level registry controlled domains during cert validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Review feedback Created 7 years, 7 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « net/cert/x509_certificate_nss.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/x509_certificate.h" 5 #include "net/cert/x509_certificate.h"
6 6
7 #include "base/basictypes.h" 7 #include "base/basictypes.h"
8 #include "base/files/file_path.h" 8 #include "base/files/file_path.h"
9 #include "base/memory/scoped_ptr.h" 9 #include "base/memory/scoped_ptr.h"
10 #include "base/pickle.h" 10 #include "base/pickle.h"
(...skipping 1005 matching lines...) Expand 10 before | Expand all | Expand 10 after
1016 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," }, 1016 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," },
1017 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" }, 1017 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" },
1018 { false, "66.77.88.99", "www.bath.org", "www.bath.org" }, 1018 { false, "66.77.88.99", "www.bath.org", "www.bath.org" },
1019 // IDN tests 1019 // IDN tests
1020 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, 1020 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" },
1021 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, 1021 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
1022 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br," 1022 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br,"
1023 "xn--poema-*.com.br," 1023 "xn--poema-*.com.br,"
1024 "xn--*-9qae5a.com.br," 1024 "xn--*-9qae5a.com.br,"
1025 "*--poema-9qae5a.com.br" }, 1025 "*--poema-9qae5a.com.br" },
1026 { true, "xn--poema-9qae5a.com.br", "*.com.br" },
1027 // The following are adapted from the examples quoted from 1026 // The following are adapted from the examples quoted from
1028 // http://tools.ietf.org/html/rfc6125#section-6.4.3 1027 // http://tools.ietf.org/html/rfc6125#section-6.4.3
1029 // (e.g., *.example.com would match foo.example.com but 1028 // (e.g., *.example.com would match foo.example.com but
1030 // not bar.foo.example.com or example.com). 1029 // not bar.foo.example.com or example.com).
1031 { true, "foo.example.com", "*.example.com" }, 1030 { true, "foo.example.com", "*.example.com" },
1032 { false, "bar.foo.example.com", "*.example.com" }, 1031 { false, "bar.foo.example.com", "*.example.com" },
1033 { false, "example.com", "*.example.com" }, 1032 { false, "example.com", "*.example.com" },
1034 // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would 1033 // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
1035 // be taken to match baz1.example.net and foobaz.example.net and 1034 // be taken to match baz1.example.net and foobaz.example.net and
1036 // buzz.example.net, respectively 1035 // buzz.example.net, respectively
1037 { true, "baz1.example.net", "baz*.example.net" }, 1036 { true, "baz1.example.net", "baz*.example.net" },
1038 { true, "foobaz.example.net", "*baz.example.net" }, 1037 { true, "foobaz.example.net", "*baz.example.net" },
1039 { true, "buzz.example.net", "b*z.example.net" }, 1038 { true, "buzz.example.net", "b*z.example.net" },
1040 // Wildcards should not be valid unless there are at least three name 1039 // Wildcards should not be valid for public registry controlled domains,
1041 // components. 1040 // and unknown/unrecognized domains, at least three domain components must
1042 { true, "h.co.uk", "*.co.uk" }, 1041 // be present.
1042 { true, "www.test.example", "*.test.example" },
1043 { true, "test.example.co.uk", "*.example.co.uk" },
1044 { false, "test.example", "*.exmaple" },
1045 { false, "example.co.uk", "*.co.uk" },
1043 { false, "foo.com", "*.com" }, 1046 { false, "foo.com", "*.com" },
1044 { false, "foo.us", "*.us" }, 1047 { false, "foo.us", "*.us" },
1045 { false, "foo", "*" }, 1048 { false, "foo", "*" },
1049 // IDN variants of wildcards and registry controlled domains.
1050 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
1051 { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },
1052 { false, "xn--poema-9qae5a.com.br", "*.com.br" },
1053 { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },
1054 // Wildcards should be permissible for 'private' registry controlled
1055 // domains.
1056 { true, "www.appspot.com", "*.appspot.com" },
1057 { true, "foo.s3.amazonaws.com", "*.s3.amazonaws.com" },
1046 // Multiple wildcards are not valid. 1058 // Multiple wildcards are not valid.
1047 { false, "foo.example.com", "*.*.com" }, 1059 { false, "foo.example.com", "*.*.com" },
1048 { false, "foo.bar.example.com", "*.bar.*.com" }, 1060 { false, "foo.bar.example.com", "*.bar.*.com" },
1049 // Absolute vs relative DNS name tests. Although not explicitly specified 1061 // Absolute vs relative DNS name tests. Although not explicitly specified
1050 // in RFC 6125, absolute reference names (those ending in a .) should 1062 // in RFC 6125, absolute reference names (those ending in a .) should
1051 // match either absolute or relative presented names. 1063 // match either absolute or relative presented names.
1052 { true, "foo.com", "foo.com." }, 1064 { true, "foo.com", "foo.com." },
1053 { true, "foo.com.", "foo.com" }, 1065 { true, "foo.com.", "foo.com" },
1054 { true, "foo.com.", "foo.com." }, 1066 { true, "foo.com.", "foo.com." },
1055 { true, "f", "f." }, 1067 { true, "f", "f." },
1056 { true, "f.", "f" }, 1068 { true, "f.", "f" },
1057 { true, "f.", "f." }, 1069 { true, "f.", "f." },
1058 { true, "www-3.bar.foo.com", "*.bar.foo.com." }, 1070 { true, "www-3.bar.foo.com", "*.bar.foo.com." },
1059 { true, "www-3.bar.foo.com.", "*.bar.foo.com" }, 1071 { true, "www-3.bar.foo.com.", "*.bar.foo.com" },
1060 { true, "www-3.bar.foo.com.", "*.bar.foo.com." }, 1072 { true, "www-3.bar.foo.com.", "*.bar.foo.com." },
1061 { false, ".", "." }, 1073 { false, ".", "." },
1062 { false, "example.com", "*.com." }, 1074 { false, "example.com", "*.com." },
1063 { false, "example.com.", "*.com" }, 1075 { false, "example.com.", "*.com" },
1064 { false, "example.com.", "*.com." }, 1076 { false, "example.com.", "*.com." },
1065 { false, "foo.", "*." }, 1077 { false, "foo.", "*." },
1078 { false, "foo", "*." },
1079 { false, "foo.co.uk", "*.co.uk." },
1080 { false, "foo.co.uk.", "*.co.uk." },
1066 // IP addresses in common name; IPv4 only. 1081 // IP addresses in common name; IPv4 only.
1067 { true, "127.0.0.1", "127.0.0.1" }, 1082 { true, "127.0.0.1", "127.0.0.1" },
1068 { true, "192.168.1.1", "192.168.1.1" }, 1083 { true, "192.168.1.1", "192.168.1.1" },
1069 { true, "676768", "0.10.83.160" }, 1084 { true, "676768", "0.10.83.160" },
1070 { true, "1.2.3", "1.2.0.3" }, 1085 { true, "1.2.3", "1.2.0.3" },
1071 { false, "192.169.1.1", "192.168.1.1" }, 1086 { false, "192.169.1.1", "192.168.1.1" },
1072 { false, "12.19.1.1", "12.19.1.1/255.255.255.0" }, 1087 { false, "12.19.1.1", "12.19.1.1/255.255.255.0" },
1073 { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210", 1088 { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210",
1074 "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" }, 1089 "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" },
1075 { false, "1111:2222:3333:4444:5555:6666:7777:8888", 1090 { false, "1111:2222:3333:4444:5555:6666:7777:8888",
(...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after
1161 } 1176 }
1162 1177
1163 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( 1178 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname(
1164 test_data.hostname, common_name, dns_names, ip_addressses)); 1179 test_data.hostname, common_name, dns_names, ip_addressses));
1165 } 1180 }
1166 1181
1167 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, 1182 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,
1168 testing::ValuesIn(kNameVerifyTestData)); 1183 testing::ValuesIn(kNameVerifyTestData));
1169 1184
1170 } // namespace net 1185 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/x509_certificate_nss.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698