Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(282)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/x509_certificate_unittest.cc

Issue 8362023: Disallow wildcards from matching top-level registry controlled domains during cert validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Require at least 3 host components for unknown/unrecognized domains Created 9 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« net/base/x509_certificate.cc ('K') | « net/base/x509_certificate.cc ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "base/file_path.h" 5 #include "base/file_path.h"
6 #include "base/file_util.h" 6 #include "base/file_util.h"
7 #include "base/path_service.h" 7 #include "base/path_service.h"
8 #include "base/pickle.h" 8 #include "base/pickle.h"
9 #include "base/sha1.h" 9 #include "base/sha1.h"
10 #include "base/string_number_conversions.h" 10 #include "base/string_number_conversions.h"
(...skipping 1280 matching lines...) Expand 10 before | Expand all | Expand 10 after
1291 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," }, 1291 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," },
1292 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" }, 1292 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" },
1293 { false, "66.77.88.99", "www.bath.org", "www.bath.org" }, 1293 { false, "66.77.88.99", "www.bath.org", "www.bath.org" },
1294 // IDN tests 1294 // IDN tests
1295 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, 1295 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" },
1296 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, 1296 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
1297 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br," 1297 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br,"
1298 "xn--poema-*.com.br," 1298 "xn--poema-*.com.br,"
1299 "xn--*-9qae5a.com.br," 1299 "xn--*-9qae5a.com.br,"
1300 "*--poema-9qae5a.com.br" }, 1300 "*--poema-9qae5a.com.br" },
1301 { true, "xn--poema-9qae5a.com.br", "*.com.br" },
1302 // The following are adapted from the examples quoted from 1301 // The following are adapted from the examples quoted from
1303 // http://tools.ietf.org/html/rfc6125#section-6.4.3 1302 // http://tools.ietf.org/html/rfc6125#section-6.4.3
1304 // (e.g., *.example.com would match foo.example.com but 1303 // (e.g., *.example.com would match foo.example.com but
1305 // not bar.foo.example.com or example.com). 1304 // not bar.foo.example.com or example.com).
1306 { true, "foo.example.com", "*.example.com" }, 1305 { true, "foo.example.com", "*.example.com" },
1307 { false, "bar.foo.example.com", "*.example.com" }, 1306 { false, "bar.foo.example.com", "*.example.com" },
1308 { false, "example.com", "*.example.com" }, 1307 { false, "example.com", "*.example.com" },
1309 // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would 1308 // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
1310 // be taken to match baz1.example.net and foobaz.example.net and 1309 // be taken to match baz1.example.net and foobaz.example.net and
1311 // buzz.example.net, respectively 1310 // buzz.example.net, respectively
1312 { true, "baz1.example.net", "baz*.example.net" }, 1311 { true, "baz1.example.net", "baz*.example.net" },
1313 { true, "foobaz.example.net", "*baz.example.net" }, 1312 { true, "foobaz.example.net", "*baz.example.net" },
1314 { true, "buzz.example.net", "b*z.example.net" }, 1313 { true, "buzz.example.net", "b*z.example.net" },
1315 // Wildcards should not be valid unless there are at least three name 1314 // Wildcards should not be valid for registry-controlled domains, and for
1316 // components. 1315 // unknown/unrecognized domains, at least three domain components must be
1317 { true, "h.co.uk", "*.co.uk" }, 1316 // present.
1317 { true, "www.test.example", "*.test.example" },
1318 { true, "test.example.co.uk", "*.example.co.uk" },
1319 { false, "test.example", "*.example" },
1320 { false, "example.co.uk", "*.co.uk" },
1318 { false, "foo.com", "*.com" }, 1321 { false, "foo.com", "*.com" },
1319 { false, "foo.us", "*.us" }, 1322 { false, "foo.us", "*.us" },
1320 { false, "foo", "*" }, 1323 { false, "foo", "*" },
1324 // IDN variants of wildcards and registry-controlled domains.
1325 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
1326 { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },
1327 { false, "xn--poema-9qae5a.com.br", "*.com.br" },
1328 { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },
1321 // Multiple wildcards are not valid. 1329 // Multiple wildcards are not valid.
1322 { false, "foo.example.com", "*.*.com" }, 1330 { false, "foo.example.com", "*.*.com" },
1323 { false, "foo.bar.example.com", "*.bar.*.com" }, 1331 { false, "foo.bar.example.com", "*.bar.*.com" },
1324 // Absolute vs relative DNS name tests. Although not explicitly specified 1332 // Absolute vs relative DNS name tests. Although not explicitly specified
1325 // in RFC 6125, absolute reference names (those ending in a .) should 1333 // in RFC 6125, absolute reference names (those ending in a .) should
1326 // match either absolute or relative presented names. 1334 // match either absolute or relative presented names.
1327 { true, "foo.com", "foo.com." }, 1335 { true, "foo.com", "foo.com." },
1328 { true, "foo.com.", "foo.com" }, 1336 { true, "foo.com.", "foo.com" },
1329 { true, "foo.com.", "foo.com." }, 1337 { true, "foo.com.", "foo.com." },
1330 { true, "f", "f." }, 1338 { true, "f", "f." },
1331 { true, "f.", "f" }, 1339 { true, "f.", "f" },
1332 { true, "f.", "f." }, 1340 { true, "f.", "f." },
1333 { true, "www-3.bar.foo.com", "*.bar.foo.com." }, 1341 { true, "www-3.bar.foo.com", "*.bar.foo.com." },
1334 { true, "www-3.bar.foo.com.", "*.bar.foo.com" }, 1342 { true, "www-3.bar.foo.com.", "*.bar.foo.com" },
1335 { true, "www-3.bar.foo.com.", "*.bar.foo.com." }, 1343 { true, "www-3.bar.foo.com.", "*.bar.foo.com." },
1336 { false, ".", "." }, 1344 { false, ".", "." },
1337 { false, "example.com", "*.com." }, 1345 { false, "example.com", "*.com." },
1338 { false, "example.com.", "*.com" }, 1346 { false, "example.com.", "*.com" },
1339 { false, "example.com.", "*.com." }, 1347 { false, "example.com.", "*.com." },
1340 { false, "foo.", "*." }, 1348 { false, "foo.", "*." },
1349 { false, "foo", "*." },
1350 { false, "foo.co.uk", "*.co.uk." },
1351 { false, "foo.co.uk.", "*.co.uk." },
1341 // IP addresses in common name; IPv4 only. 1352 // IP addresses in common name; IPv4 only.
1342 { true, "127.0.0.1", "127.0.0.1" }, 1353 { true, "127.0.0.1", "127.0.0.1" },
1343 { true, "192.168.1.1", "192.168.1.1" }, 1354 { true, "192.168.1.1", "192.168.1.1" },
1344 { true, "676768", "0.10.83.160" }, 1355 { true, "676768", "0.10.83.160" },
1345 { true, "1.2.3", "1.2.0.3" }, 1356 { true, "1.2.3", "1.2.0.3" },
1346 { false, "192.169.1.1", "192.168.1.1" }, 1357 { false, "192.169.1.1", "192.168.1.1" },
1347 { false, "12.19.1.1", "12.19.1.1/255.255.255.0" }, 1358 { false, "12.19.1.1", "12.19.1.1/255.255.255.0" },
1348 { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210", 1359 { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210",
1349 "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" }, 1360 "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" },
1350 { false, "1111:2222:3333:4444:5555:6666:7777:8888", 1361 { false, "1111:2222:3333:4444:5555:6666:7777:8888",
(...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after
1436 } 1447 }
1437 1448
1438 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( 1449 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname(
1439 test_data.hostname, common_name, dns_names, ip_addressses)); 1450 test_data.hostname, common_name, dns_names, ip_addressses));
1440 } 1451 }
1441 1452
1442 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, 1453 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,
1443 testing::ValuesIn(kNameVerifyTestData)); 1454 testing::ValuesIn(kNameVerifyTestData));
1444 1455
1445 } // namespace net 1456 } // namespace net
OLDNEW
« net/base/x509_certificate.cc ('K') | « net/base/x509_certificate.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698