
Unified Diff: net/cert/x509_certificate.cc

Issue 14741019: Disallow wildcards from matching top-level registry controlled domains during cert validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Review feedback Created 7 years, 7 months ago
Index: net/cert/x509_certificate.cc
diff --git a/net/cert/x509_certificate.cc b/net/cert/x509_certificate.cc
index 382be8ef389155052a8f4a4f0455b503d7f0cbf0..8df4a7141fdc225ac3c35776330034817b829f18 100644
--- a/net/cert/x509_certificate.cc
+++ b/net/cert/x509_certificate.cc
@@ -24,6 +24,7 @@
#include "base/time.h"
#include "googleurl/src/url_canon_ip.h"
#include "net/base/net_util.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
#include "net/cert/pem_tokenizer.h"
namespace net {
@@ -552,10 +553,35 @@ bool X509Certificate::VerifyHostname(
bool allow_wildcards = false;
if (!reference_domain.empty()) {
DCHECK(reference_domain.starts_with("."));
- // We required at least 3 components (i.e. 2 dots) as a basic protection
- // against too-broad wild-carding.
- // Also we don't attempt wildcard matching on a purely numerical hostname.
- allow_wildcards = reference_domain.rfind('.') != 0 &&
+
+ // Do not allow wildcards for public/ICANN registry controlled domains -
+ // that is, prevent *.com or *.co.uk as valid presented names, but do not
+ // prevent *.appspot.com (a private registry controlled domain).
+ // In addition, unknown top-level domains (such as 'intranet' domains or
+ // new TLDs/gTLDs not yet added to the registry controlled domain dataset)
+ // are also implicitly prevented.
+ // Because |reference_domain| must contain at least one name component that
+ // is not registry controlled, this ensures that all reference domains
+ // contain at least three domain components when using wildcards.
+ size_t registry_length =
+ registry_controlled_domains::GetRegistryLength(
+ reference_name,
+ registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
+ registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
+
+ // Because |reference_name| was already canonicalized, the following
+ // should never happen.
+ CHECK_NE(std::string::npos, registry_length);
+
+ // Account for the leading dot in |reference_domain|.
+ bool is_registry_controlled =
+ registry_length != 0 &&
+ registry_length == (reference_domain.size() - 1);
+
+ // Additionally, do not attempt wildcard matching for purely numeric
+ // hostnames.
+ allow_wildcards =
+ !is_registry_controlled &&
reference_name.find_first_not_of("0123456789.") != std::string::npos;
}
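Review bot: The `is_registry_controlled` test is bypassed when `registry_length` is 0, and the old two-dot requirement (`reference_domain.rfind('.') != 0`) has been dropped, so a host that is itself a public registry entry appears to become eligible for wildcard matching. If GetRegistryLength returns 0 for such a host (say `co.uk`, where |reference_domain| is `.uk`; its contract is not visible in this hunk, so confirm), a presented name of `*.uk` would no longer be rejected here, contradicting the comment's claim of at least three components. Keeping the structural check next to the registry check closes that gap: `allow_wildcards = !is_registry_controlled && reference_domain.rfind('.') != 0 &&` followed by the existing numeric test. Separately, `CHECK_NE(std::string::npos, registry_length)` turns any unexpected hostname into a process abort, whereas treating npos as `allow_wildcards = false` would fail closed without crashing. VerifyHostname starts before and continues past this hunk, and a unit test for the host-is-a-registry case would pin the behaviour.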
@@ -622,13 +648,11 @@ bool X509Certificate::VerifyHostname(
return false;
}
-#if !defined(USE_NSS)
bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {
std::vector<std::string> dns_names, ip_addrs;
GetSubjectAltName(&dns_names, &ip_addrs);
return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs);
}
-#endif
// static
bool X509Certificate::GetPEMEncoded(OSCertHandle cert_handle,