| Index: net/cert/cert_verify_proc.cc
|
| diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
|
| index a7f56b77a115099e217b42a0230499f0f0373c3d..9022651050e94de490688b0a2813b3bac17d4730 100644
|
| --- a/net/cert/cert_verify_proc.cc
|
| +++ b/net/cert/cert_verify_proc.cc
|
| @@ -7,7 +7,10 @@
|
| #include "base/metrics/histogram.h"
|
| #include "base/sha1.h"
|
| #include "build/build_config.h"
|
| +#include "googleurl/src/url_canon.h"
|
| #include "net/base/net_errors.h"
|
| +#include "net/base/net_util.h"
|
| +#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
|
| #include "net/cert/cert_status_flags.h"
|
| #include "net/cert/cert_verifier.h"
|
| #include "net/cert/cert_verify_result.h"
|
| @@ -150,6 +153,14 @@ int CertVerifyProc::Verify(X509Certificate* cert,
|
| rv = MapCertStatusToNetError(verify_result->cert_status);
|
| }
|
|
|
| + // Flag certificates from publicly-trusted CAs that are issued to intranet
|
| + // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
|
| + // these to be issued until 1 November 2015, they represent a real risk for
|
| + // the deployment of gTLDs and are being phased out.
|
| + if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) {
|
| + verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME;
|
| + }
|
| +
|
| return rv;
|
| }
|
|
|
| @@ -286,4 +297,39 @@ bool CertVerifyProc::IsPublicKeyBlacklisted(
|
| return false;
|
| }
|
|
|
| +// static
|
| +bool CertVerifyProc::IsHostnameNonUnique(const std::string& hostname) {
|
| + // CanonicalizeHost requires surrounding brackets to parse an IPv6 address.
|
| + const std::string host_or_ip = hostname.find(':') != std::string::npos ?
|
| + "[" + hostname + "]" : hostname;
|
| + url_canon::CanonHostInfo host_info;
|
| + std::string canonical_name = CanonicalizeHost(host_or_ip, &host_info);
|
| +
|
| + // If canonicalization fails, then the input is truly malformed. However,
|
| + // to avoid mis-reporting bad inputs as "non-unique", treat them as unique.
|
| + if (canonical_name.empty())
|
| + return false;
|
| +
|
| + // If |hostname| is an IP address, presume it's unique.
|
| + // TODO(rsleevi): In the future, this should also reject IP addresses in
|
| + // IANA-reserved ranges, since those are also non-unique among publicly
|
| + // trusted CAs.
|
| + if (host_info.IsIPAddress())
|
| + return false;
|
| +
|
| + // Check for a registry controlled portion of |hostname|, ignoring private
|
| + // registries, as they already chain to ICANN-administered registries,
|
| + // and explicitly ignoring unknown registries.
|
| + //
|
| + // Note: This means that as new gTLDs are introduced on the Internet, they
|
| + // will be treated as non-unique until the registry controlled domain list
|
| + // is updated. However, because gTLDs are expected to provide significant
|
| + // advance notice to deprecate older versions of this code, this an
|
| + // acceptable tradeoff.
|
| + return 0 == registry_controlled_domains::GetRegistryLength(
|
| + canonical_name,
|
| + registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES,
|
| + registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES);
|
| +}
|
| +
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 15203007:
Warn if a well-known/"public" CA issues a certificate for a non-TLD (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src