Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1783)

Unified Diff: net/base/x509_certificate_unittest.cc

Issue 8362023: Disallow wildcards from matching top-level registry controlled domains during cert validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Handle npos Created 9 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/base/x509_certificate.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/x509_certificate_unittest.cc
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 9ba1124023fe5ceb2a8107b05c3d167ba8a32479..d61750b43d3b9bc3059ecb64736b12ef3f7beffd 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -1298,7 +1298,6 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
"xn--poema-*.com.br,"
"xn--*-9qae5a.com.br,"
"*--poema-9qae5a.com.br" },
- { true, "xn--poema-9qae5a.com.br", "*.com.br" },
// The following are adapted from the examples quoted from
// http://tools.ietf.org/html/rfc6125#section-6.4.3
// (e.g., *.example.com would match foo.example.com but
@@ -1312,12 +1311,21 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ true, "baz1.example.net", "baz*.example.net" },
{ true, "foobaz.example.net", "*baz.example.net" },
{ true, "buzz.example.net", "b*z.example.net" },
- // Wildcards should not be valid unless there are at least three name
- // components.
- { true, "h.co.uk", "*.co.uk" },
+ // Wildcards should not be valid for registry-controlled domains, and for
+ // unknown/unrecognized domains, at least three domain components must be
+ // present.
+ { true, "www.test.example", "*.test.example" },
+ { true, "test.example.co.uk", "*.example.co.uk" },
+ { false, "test.example", "*.example" },
+ { false, "example.co.uk", "*.co.uk" },
{ false, "foo.com", "*.com" },
{ false, "foo.us", "*.us" },
{ false, "foo", "*" },
+ // IDN variants of wildcards and registry-controlled domains.
+ { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
+ { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },
+ { false, "xn--poema-9qae5a.com.br", "*.com.br" },
+ { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },
// Multiple wildcards are not valid.
{ false, "foo.example.com", "*.*.com" },
{ false, "foo.bar.example.com", "*.bar.*.com" },
@@ -1338,6 +1346,9 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ false, "example.com.", "*.com" },
{ false, "example.com.", "*.com." },
{ false, "foo.", "*." },
+ { false, "foo", "*." },
+ { false, "foo.co.uk", "*.co.uk." },
+ { false, "foo.co.uk.", "*.co.uk." },
// IP addresses in common name; IPv4 only.
{ true, "127.0.0.1", "127.0.0.1" },
{ true, "192.168.1.1", "192.168.1.1" },
« no previous file with comments | « net/base/x509_certificate.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698