Disallow wildcards from matching top-level registry controlled domains during cert validation.

net/base/x509_certificate.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/x509_certificate.h"
 
 #include <stdlib.h>
 
 #include <algorithm>
 #include <map>
 #include <string>
 #include <vector>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/memory/singleton.h"
 #include "base/metrics/histogram.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/string_piece.h"
 #include "base/string_util.h"
 #include "base/synchronization/lock.h"
 #include "base/time.h"
 #include "googleurl/src/url_canon_ip.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/pem_tokenizer.h"
+#include "net/base/registry_controlled_domain.h"
 
 namespace net {
 
 namespace {
 
 // Indicates the order to use when trying to decode binary data, which is
 // based on (speculation) as to what will be most common -> least common
 const X509Certificate::Format kFormatDecodePriority[] = {
   X509Certificate::FORMAT_SINGLE_CERTIFICATE,
   X509Certificate::FORMAT_PKCS7
@@ skipping 460 matching lines @@
     base::StringPiece ip_addr_string(
         reinterpret_cast<const char*>(host_info.address),
         host_info.AddressLength());
     return std::find(cert_san_ip_addrs.begin(), cert_san_ip_addrs.end(),
                      ip_addr_string) != cert_san_ip_addrs.end();
   }
 
   // |reference_domain| is the remainder of |host| after the leading host
   // component is stripped off, but includes the leading dot e.g.
   // "www.f.com" -> ".f.com".
-  // If there is no meaningful domain part to |host| (e.g. it contains no dots)
-  // then |reference_domain| will be empty.
+  // If there is no meaningful domain part to |host| (e.g. it contains no
+  // dots) then |reference_domain| will be empty.
   base::StringPiece reference_host, reference_domain;
   SplitOnChar(reference_name, '.', &reference_host, &reference_domain);
   bool allow_wildcards = false;
   if (!reference_domain.empty()) {
     DCHECK(reference_domain.starts_with("."));
-    // We required at least 3 components (i.e. 2 dots) as a basic protection
-    // against too-broad wild-carding.
-    // Also we don't attempt wildcard matching on a purely numerical hostname.
-    allow_wildcards = reference_domain.rfind('.') != 0 &&
+
+    // Do not allow wildcards for registry controlled domains, so as to
+    // prevent accepting *.com or *.co.uk as valid presented names. Passing
+    // true for |allow_unknown_registries| so that top-level domains which are
+    // unknown (intranet domains, new TLDs/gTLDs not yet recognized) are
+    // treated as registry-controlled domains. Because the |reference_domain|
+    // must contain at least one name component that is not registry
+    // controlled, this ensures that all reference names have at least three
+    // domain components in order to permit wildcards.
+    size_t registry_length =
+        RegistryControlledDomainService::GetRegistryLength(reference_name,
+                                                           true);
+    // As the |reference_name| was already canonicalized, this should never
+    // happen.
+    CHECK_NE(registry_length, std::string::npos);
+
+    // Subtracting 1 to account for the leading dot in |reference_domain|.
+    bool is_registry_controlled = registry_length != 0 &&
+        registry_length == (reference_domain.size() - 1);
+
+    // Additionally, do not attempt wildcard matching for purely numeric
+    // hostnames.
+    allow_wildcards = !is_registry_controlled &&
         reference_name.find_first_not_of("0123456789.") != std::string::npos;
   }
 
   // Now step through the DNS names doing wild card comparison (if necessary)
   // on each against the reference name. If subjectAltName is empty, then
   // fallback to use the common name instead.
   std::vector<std::string> common_name_as_vector;
   const std::vector<std::string>* presented_names = &cert_san_dns_names;
   if (common_name_fallback) {
     // Note: there's a small possibility cert_common_name is an international
@@ skipping 471 matching lines @@
 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
                                               const uint8* array,
                                               size_t array_byte_len) {
   DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);
   const size_t arraylen = array_byte_len / base::kSHA1Length;
   return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,
                          CompareSHA1Hashes);
 }
 
 }  // namespace net