Index: net/cert/cert_verify_proc.cc |
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc |
index a7f56b77a115099e217b42a0230499f0f0373c3d..15012bef516920b967189e487a748e532dfbebda 100644 |
--- a/net/cert/cert_verify_proc.cc |
+++ b/net/cert/cert_verify_proc.cc |
@@ -8,6 +8,7 @@ |
#include "base/sha1.h" |
#include "build/build_config.h" |
#include "net/base/net_errors.h" |
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
#include "net/cert/cert_status_flags.h" |
#include "net/cert/cert_verifier.h" |
#include "net/cert/cert_verify_result.h" |
@@ -150,6 +151,24 @@ int CertVerifyProc::Verify(X509Certificate* cert, |
rv = MapCertStatusToNetError(verify_result->cert_status); |
} |
+ // Flag certificates from publicly-trusted CAs that are issued to intranet |
+ // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit |
+ // these to be issued until 1 November 2015, they represent a real risk for |
+ // the deployment of gTLDs and are being phased out. |
+ // |
+ // Note: This means that as new gTLDs are introduced, this logic will |
+ // incorrectly flag them as non-unique, because they will not be in the |
+ // registry controlled domain list yet. However, since new gTLDs are expected |
+ // to have significant advance notice, this is an acceptable tradeoff to |
+ // deprecate the practice. |
+ if (verify_result->is_issued_by_known_root && |
+ 0 == registry_controlled_domains::GetRegistryLength( |
+ hostname, |
+ registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES, |
+ registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) { |
+ verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; |
+ } |
+ |
return rv; |
} |
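Review bot: The new CERT_STATUS_NON_UNIQUE_NAME bit is OR-ed into `verify_result->cert_status` only after `rv = MapCertStatusToNetError(verify_result->cert_status)` has already run, so the returned error code never reflects it; callers that look only at `rv` will not see the flag. If that is the intent (the status is surfaced through cert_status rather than the return value), the comment block should say so explicitly, e.g. `// Set after rv is computed: this flag is reported via cert_status and deliberately does not change the returned error.`; if not, the block needs to move above the `rv =` assignment. Since `hostname` is presumably a parameter of Verify declared outside the hunk, it is also worth confirming in the comment what GetRegistryLength returns for non-DNS names such as IP literals, because a zero result there would flag them too. CertVerifyProc::Verify begins before this hunk, so the earlier assignment to rv is only partly visible here.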