Warn if a well-known/"public" CA issues a certificate for a non-TLD

net/cert/cert_verify_proc.cc

Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index a7f56b77a115099e217b42a0230499f0f0373c3d..15012bef516920b967189e487a748e532dfbebda 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -8,6 +8,7 @@
 #include "base/sha1.h"
 #include "build/build_config.h"
 #include "net/base/net_errors.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "net/cert/cert_status_flags.h"
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
@@ -150,6 +151,24 @@ int CertVerifyProc::Verify(X509Certificate* cert,
       rv = MapCertStatusToNetError(verify_result->cert_status);
   }
 
+  // Flag certificates from publicly-trusted CAs that are issued to intranet
+  // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit
+  // these to be issued until 1 November 2015, they represent a real risk for
+  // the deployment of gTLDs and are being phased out.
+  //
+  // Note: This means that as new gTLDs are introduced, this logic will
+  // incorrectly flag them as non-unique, because they will not be in the
+  // registry controlled domain list yet. However, since new gTLDs are expected
+  // to have significant advance notice, this is an acceptable tradeoff to
+  // deprecate the practice.
+  if (verify_result->is_issued_by_known_root &&
+      0 == registry_controlled_domains::GetRegistryLength(
+               hostname,
+               registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES,
+               registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES)) {
+    verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME;
+  }
+
   return rv;
 }