OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/x509_certificate.h" | 5 #include "net/cert/x509_certificate.h" |
6 | 6 |
7 #include "base/basictypes.h" | 7 #include "base/basictypes.h" |
8 #include "base/files/file_path.h" | 8 #include "base/files/file_path.h" |
9 #include "base/memory/scoped_ptr.h" | 9 #include "base/memory/scoped_ptr.h" |
10 #include "base/pickle.h" | 10 #include "base/pickle.h" |
(...skipping 1005 matching lines...)
1016 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," }, | 1016 "*.foo.com,*.*.foo.com,*.*.bar.foo.com,*..bar.foo.com," }, |
1017 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" }, | 1017 { false, "www.bath.org", "www.bath.org", "", "20.30.40.50" }, |
1018 { false, "66.77.88.99", "www.bath.org", "www.bath.org" }, | 1018 { false, "66.77.88.99", "www.bath.org", "www.bath.org" }, |
1019 // IDN tests | 1019 // IDN tests |
1020 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, | 1020 { true, "xn--poema-9qae5a.com.br", "xn--poema-9qae5a.com.br" }, |
1021 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, | 1021 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, |
1022 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br," | 1022 { false, "xn--poema-9qae5a.com.br", "", "*.xn--poema-9qae5a.com.br," |
1023 "xn--poema-*.com.br," | 1023 "xn--poema-*.com.br," |
1024 "xn--*-9qae5a.com.br," | 1024 "xn--*-9qae5a.com.br," |
1025 "*--poema-9qae5a.com.br" }, | 1025 "*--poema-9qae5a.com.br" }, |
1026 { true, "xn--poema-9qae5a.com.br", "*.com.br" }, | |
1027 // The following are adapted from the examples quoted from | 1026 // The following are adapted from the examples quoted from |
1028 // http://tools.ietf.org/html/rfc6125#section-6.4.3 | 1027 // http://tools.ietf.org/html/rfc6125#section-6.4.3 |
1029 // (e.g., *.example.com would match foo.example.com but | 1028 // (e.g., *.example.com would match foo.example.com but |
1030 // not bar.foo.example.com or example.com). | 1029 // not bar.foo.example.com or example.com). |
1031 { true, "foo.example.com", "*.example.com" }, | 1030 { true, "foo.example.com", "*.example.com" }, |
1032 { false, "bar.foo.example.com", "*.example.com" }, | 1031 { false, "bar.foo.example.com", "*.example.com" }, |
1033 { false, "example.com", "*.example.com" }, | 1032 { false, "example.com", "*.example.com" }, |
1034 // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would | 1033 // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would |
1035 // be taken to match baz1.example.net and foobaz.example.net and | 1034 // be taken to match baz1.example.net and foobaz.example.net and |
1036 // buzz.example.net, respectively | 1035 // buzz.example.net, respectively |
1037 { true, "baz1.example.net", "baz*.example.net" }, | 1036 { true, "baz1.example.net", "baz*.example.net" }, |
1038 { true, "foobaz.example.net", "*baz.example.net" }, | 1037 { true, "foobaz.example.net", "*baz.example.net" }, |
1039 { true, "buzz.example.net", "b*z.example.net" }, | 1038 { true, "buzz.example.net", "b*z.example.net" }, |
1040 // Wildcards should not be valid unless there are at least three name | 1039 // Wildcards should not be valid for public registry controlled domains, |
1041 // components. | 1040 // and unknown/unrecognized domains, at least three domain components must |
1042 { true, "h.co.uk", "*.co.uk" }, | 1041 // be present. |
| 1042 { true, "www.test.example", "*.test.example" }, |
| 1043 { true, "test.example.co.uk", "*.example.co.uk" }, |
| 1044 { false, "test.example", "*.exmaple" }, |
| 1045 { false, "example.co.uk", "*.co.uk" }, |
1043 { false, "foo.com", "*.com" }, | 1046 { false, "foo.com", "*.com" }, |
1044 { false, "foo.us", "*.us" }, | 1047 { false, "foo.us", "*.us" }, |
1045 { false, "foo", "*" }, | 1048 { false, "foo", "*" }, |
| 1049 // IDN variants of wildcards and registry controlled domains. |
| 1050 { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" }, |
| 1051 { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" }, |
| 1052 { false, "xn--poema-9qae5a.com.br", "*.com.br" }, |
| 1053 { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" }, |
| 1054 // Wildcards should be permissible for 'private' registry controlled |
| 1055 // domains. |
| 1056 { true, "www.appspot.com", "*.appspot.com" }, |
| 1057 { true, "foo.s3.amazonaws.com", "*.s3.amazonaws.com" }, |
1046 // Multiple wildcards are not valid. | 1058 // Multiple wildcards are not valid. |
1047 { false, "foo.example.com", "*.*.com" }, | 1059 { false, "foo.example.com", "*.*.com" }, |
1048 { false, "foo.bar.example.com", "*.bar.*.com" }, | 1060 { false, "foo.bar.example.com", "*.bar.*.com" }, |
1049 // Absolute vs relative DNS name tests. Although not explicitly specified | 1061 // Absolute vs relative DNS name tests. Although not explicitly specified |
1050 // in RFC 6125, absolute reference names (those ending in a .) should | 1062 // in RFC 6125, absolute reference names (those ending in a .) should |
1051 // match either absolute or relative presented names. | 1063 // match either absolute or relative presented names. |
1052 { true, "foo.com", "foo.com." }, | 1064 { true, "foo.com", "foo.com." }, |
1053 { true, "foo.com.", "foo.com" }, | 1065 { true, "foo.com.", "foo.com" }, |
1054 { true, "foo.com.", "foo.com." }, | 1066 { true, "foo.com.", "foo.com." }, |
1055 { true, "f", "f." }, | 1067 { true, "f", "f." }, |
1056 { true, "f.", "f" }, | 1068 { true, "f.", "f" }, |
1057 { true, "f.", "f." }, | 1069 { true, "f.", "f." }, |
1058 { true, "www-3.bar.foo.com", "*.bar.foo.com." }, | 1070 { true, "www-3.bar.foo.com", "*.bar.foo.com." }, |
1059 { true, "www-3.bar.foo.com.", "*.bar.foo.com" }, | 1071 { true, "www-3.bar.foo.com.", "*.bar.foo.com" }, |
1060 { true, "www-3.bar.foo.com.", "*.bar.foo.com." }, | 1072 { true, "www-3.bar.foo.com.", "*.bar.foo.com." }, |
1061 { false, ".", "." }, | 1073 { false, ".", "." }, |
1062 { false, "example.com", "*.com." }, | 1074 { false, "example.com", "*.com." }, |
1063 { false, "example.com.", "*.com" }, | 1075 { false, "example.com.", "*.com" }, |
1064 { false, "example.com.", "*.com." }, | 1076 { false, "example.com.", "*.com." }, |
1065 { false, "foo.", "*." }, | 1077 { false, "foo.", "*." }, |
| 1078 { false, "foo", "*." }, |
| 1079 { false, "foo.co.uk", "*.co.uk." }, |
| 1080 { false, "foo.co.uk.", "*.co.uk." }, |
1066 // IP addresses in common name; IPv4 only. | 1081 // IP addresses in common name; IPv4 only. |
1067 { true, "127.0.0.1", "127.0.0.1" }, | 1082 { true, "127.0.0.1", "127.0.0.1" }, |
1068 { true, "192.168.1.1", "192.168.1.1" }, | 1083 { true, "192.168.1.1", "192.168.1.1" }, |
1069 { true, "676768", "0.10.83.160" }, | 1084 { true, "676768", "0.10.83.160" }, |
1070 { true, "1.2.3", "1.2.0.3" }, | 1085 { true, "1.2.3", "1.2.0.3" }, |
1071 { false, "192.169.1.1", "192.168.1.1" }, | 1086 { false, "192.169.1.1", "192.168.1.1" }, |
1072 { false, "12.19.1.1", "12.19.1.1/255.255.255.0" }, | 1087 { false, "12.19.1.1", "12.19.1.1/255.255.255.0" }, |
1073 { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210", | 1088 { false, "FEDC:ba98:7654:3210:FEDC:BA98:7654:3210", |
1074 "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" }, | 1089 "FEDC:BA98:7654:3210:FEDC:ba98:7654:3210" }, |
1075 { false, "1111:2222:3333:4444:5555:6666:7777:8888", | 1090 { false, "1111:2222:3333:4444:5555:6666:7777:8888", |
(...skipping 85 matching lines...)
1161 } | 1176 } |
1162 | 1177 |
1163 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( | 1178 EXPECT_EQ(test_data.expected, X509Certificate::VerifyHostname( |
1164 test_data.hostname, common_name, dns_names, ip_addressses)); | 1179 test_data.hostname, common_name, dns_names, ip_addressses)); |
1165 } | 1180 } |
1166 | 1181 |
1167 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, | 1182 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest, |
1168 testing::ValuesIn(kNameVerifyTestData)); | 1183 testing::ValuesIn(kNameVerifyTestData)); |
1169 | 1184 |
1170 } // namespace net | 1185 } // namespace net |
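Review bot: The new vector at new line 1044, `{ false, "test.example", "*.exmaple" }`, misspells the presented name, so it fails on a plain label mismatch and never exercises the rule described in the comment above it (a wildcard under an unknown or unrecognized domain needs at least three components). As written, the case would keep passing even if that check were missing or later regressed, which matters because this table is the main guard on wildcard hostname matching. It should read `{ false, "test.example", "*.example" },`. The entry added at new line 1050 repeats the vector already present at line 1021 and adds no coverage. The test body that consumes these entries sits in the skipped lines, so how the third and fourth fields are interpreted is not visible here.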