Disallow wildcards from matching top-level registry controlled domains during cert validation.

Disallow wildcards from matching top-level registry controlled domains during cert validation.

This only disallows wildcards for "ICANN" TLDs/registry controlled domains, and
excludes domains in the "private" registry (such as appspot.com or
s3.amazonaws.com)

BUG=100442
TEST=net_unittests:X509CertificateNameVerifyTest.*, as well as visiting sites
such as https://www.appspot.com continues to work without issue.

Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=200771

[Ryan Sleevi, 2013-05-16 01:41:29]

wtc: Now that nyquist@ added support for distinguishing between public and
private domains, I'd like to go and reland this.

This is more or less the same as the previously reviewed
http://codereview.chromium.org/8362023 , rebased, and with one notable
difference:

To ensure consistency across platforms, NSS now uses the same code we've been
using on Win/Mac/Android, rather than its internal functions. The only
difference this should have is in how NSS handles domain-specific overrides,
which is a Firefox-ism that we never adopted (see cert->domainOK).

[wtc, 2013-05-16 18:03:08]

Patch set 1 LGTM.

https://codereview.chromium.org/14741019/diff/1/net/cert/x509_certificate.cc
File net/cert/x509_certificate.cc (right):

https://codereview.chromium.org/14741019/diff/1/net/cert/x509_certificate.cc#...
net/cert/x509_certificate.cc:558: // that is, prevent *.com or *.co.uk as valid
presented names, but do not

Nit: but do not => but not ?

[commit-bot: I haz the power, 2013-05-16 18:22:46]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/rsleevi@chromium.org/14741019/5001

[commit-bot: I haz the power, 2013-05-17 09:26:40]

Change committed as 200771