net/base/x509_certificate_unittest.cc - Issue 8362023: Disallow wildcards from matching top-level registry controlled domains during cert validation.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/base/x509_certificate_unittest.cc

Issue 8362023: Disallow wildcards from matching top-level registry controlled domains during cert validation. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Handle npos Created 9 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/base/x509_certificate_unittest.cc

diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc

index 9ba1124023fe5ceb2a8107b05c3d167ba8a32479..d61750b43d3b9bc3059ecb64736b12ef3f7beffd 100644

--- a/net/base/x509_certificate_unittest.cc

+++ b/net/base/x509_certificate_unittest.cc

@@ -1298,7 +1298,6 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {

"xn--poema-*.com.br,"

"xn--*-9qae5a.com.br,"

"*--poema-9qae5a.com.br" },

- { true, "xn--poema-9qae5a.com.br", "*.com.br" },

// The following are adapted from the examples quoted from

// http://tools.ietf.org/html/rfc6125#section-6.4.3

// (e.g., *.example.com would match foo.example.com but

@@ -1312,12 +1311,21 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {

{ true, "baz1.example.net", "baz*.example.net" },

{ true, "foobaz.example.net", "*baz.example.net" },

{ true, "buzz.example.net", "b*z.example.net" },

- // Wildcards should not be valid unless there are at least three name

- // components.

- { true, "h.co.uk", "*.co.uk" },

+ // Wildcards should not be valid for registry-controlled domains, and for

+ // unknown/unrecognized domains, at least three domain components must be

+ // present.

+ { true, "www.test.example", "*.test.example" },

+ { true, "test.example.co.uk", "*.example.co.uk" },

+ { false, "test.example", "*.example" },

+ { false, "example.co.uk", "*.co.uk" },

{ false, "foo.com", "*.com" },

{ false, "foo.us", "*.us" },

{ false, "foo", "*" },

+ // IDN variants of wildcards and registry-controlled domains.

+ { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },

+ { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },

+ { false, "xn--poema-9qae5a.com.br", "*.com.br" },

+ { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },

// Multiple wildcards are not valid.

{ false, "foo.example.com", "*.*.com" },

{ false, "foo.bar.example.com", "*.bar.*.com" },

@@ -1338,6 +1346,9 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {

{ false, "example.com.", "*.com" },

{ false, "example.com.", "*.com." },

{ false, "foo.", "*." },

+ { false, "foo", "*." },

+ { false, "foo.co.uk", "*.co.uk." },

+ { false, "foo.co.uk.", "*.co.uk." },

// IP addresses in common name; IPv4 only.

{ true, "127.0.0.1", "127.0.0.1" },

{ true, "192.168.1.1", "192.168.1.1" },

« no previous file with comments | « net/base/x509_certificate.cc ('k') | no next file » | no next file with comments »