
Unified Diff: net/cert/x509_certificate_unittest.cc

Issue 14741019: Disallow wildcards from matching top-level registry controlled domains during cert validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Review feedback Created 7 years, 7 months ago
Index: net/cert/x509_certificate_unittest.cc
diff --git a/net/cert/x509_certificate_unittest.cc b/net/cert/x509_certificate_unittest.cc
index 6e1043999517dd16744223ad008ca953b4eda899..735de89dc3dfd6b1e10a0ecb3eef36c1603ef324 100644
--- a/net/cert/x509_certificate_unittest.cc
+++ b/net/cert/x509_certificate_unittest.cc
@@ -1023,7 +1023,6 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
"xn--poema-*.com.br,"
"xn--*-9qae5a.com.br,"
"*--poema-9qae5a.com.br" },
- { true, "xn--poema-9qae5a.com.br", "*.com.br" },
// The following are adapted from the examples quoted from
// http://tools.ietf.org/html/rfc6125#section-6.4.3
// (e.g., *.example.com would match foo.example.com but
@@ -1037,12 +1036,25 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ true, "baz1.example.net", "baz*.example.net" },
{ true, "foobaz.example.net", "*baz.example.net" },
{ true, "buzz.example.net", "b*z.example.net" },
- // Wildcards should not be valid unless there are at least three name
- // components.
- { true, "h.co.uk", "*.co.uk" },
+ // Wildcards should not be valid for public registry controlled domains,
+ // and unknown/unrecognized domains, at least three domain components must
+ // be present.
+ { true, "www.test.example", "*.test.example" },
+ { true, "test.example.co.uk", "*.example.co.uk" },
+ { false, "test.example", "*.exmaple" },
+ { false, "example.co.uk", "*.co.uk" },
{ false, "foo.com", "*.com" },
{ false, "foo.us", "*.us" },
{ false, "foo", "*" },
+ // IDN variants of wildcards and registry controlled domains.
+ { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
+ { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },
+ { false, "xn--poema-9qae5a.com.br", "*.com.br" },
+ { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },
+ // Wildcards should be permissible for 'private' registry controlled
+ // domains.
+ { true, "www.appspot.com", "*.appspot.com" },
+ { true, "foo.s3.amazonaws.com", "*.s3.amazonaws.com" },
// Multiple wildcards are not valid.
{ false, "foo.example.com", "*.*.com" },
{ false, "foo.bar.example.com", "*.bar.*.com" },
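Review bot: The added row `{ false, "test.example", "*.exmaple" }` misspells the pattern, so it is rejected by a plain label mismatch and never exercises the rule that a wildcard on an unknown/unrecognized TLD needs at least three components. Change it to `{ false, "test.example", "*.example" },` so the row fails for the reason the comment gives. The comment above the new rows is also hard to parse; inserting "for" before "unknown/unrecognized domains" would make clear that the three-component requirement applies to that second case. kNameVerifyTestData starts and ends outside this hunk.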
@@ -1063,6 +1075,9 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ false, "example.com.", "*.com" },
{ false, "example.com.", "*.com." },
{ false, "foo.", "*." },
+ { false, "foo", "*." },
+ { false, "foo.co.uk", "*.co.uk." },
+ { false, "foo.co.uk.", "*.co.uk." },
// IP addresses in common name; IPv4 only.
{ true, "127.0.0.1", "127.0.0.1" },
{ true, "192.168.1.1", "192.168.1.1" },
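Review bot: The trailing-dot rows added here test the absolute pattern `*.co.uk.` against both host forms, but not an absolute host against the relative pattern. That is the combination where a trailing dot on the host could cause the registry-controlled-domain lookup to miss. Consider adding `{ false, "foo.co.uk.", "*.co.uk" },` next to them. The visible context covers that combination only for a single-label suffix (`"example.com.", "*.com"`). The table continues outside this hunk, so the row may already exist elsewhere.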