Index: net/cert/cert_verify_proc.cc |
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc |
index a7f56b77a115099e217b42a0230499f0f0373c3d..d3084c8b12fa19320c315285f1bd5a0b05a40c01 100644 |
--- a/net/cert/cert_verify_proc.cc |
+++ b/net/cert/cert_verify_proc.cc |
@@ -7,7 +7,10 @@ |
#include "base/metrics/histogram.h" |
#include "base/sha1.h" |
#include "build/build_config.h" |
+#include "googleurl/src/url_canon.h" |
#include "net/base/net_errors.h" |
+#include "net/base/net_util.h" |
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h" |
#include "net/cert/cert_status_flags.h" |
#include "net/cert/cert_verifier.h" |
#include "net/cert/cert_verify_result.h" |
@@ -150,6 +153,14 @@ int CertVerifyProc::Verify(X509Certificate* cert, |
rv = MapCertStatusToNetError(verify_result->cert_status); |
} |
+ // Flag certificates from publicly-trusted CAs that are issued to intranet |
+ // hosts. While the CA/Browser Forum Baseline Requirements (v1.1) permit |
+ // these to be issued until 1 November 2015, they represent a real risk for |
+ // the deployment of gTLDs and are being phased out. |
+ if (verify_result->is_issued_by_known_root && IsHostnameNonUnique(hostname)) { |
+ verify_result->cert_status |= CERT_STATUS_NON_UNIQUE_NAME; |
+ } |
+ |
return rv; |
} |
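Review bot: The new CERT_STATUS_NON_UNIQUE_NAME bit is ORed into cert_status only after rv has already been derived from it via MapCertStatusToNetError, so the flag never changes the error Verify() returns; if that is deliberate (warning-only status during the phase-out), the comment should say so, e.g. `// Set after MapCertStatusToNetError on purpose: this status is informational during the phase-out and must not fail verification.` The check also keys solely on |hostname|, not on the other subjectAltNames in the certificate, so a publicly-trusted cert that additionally carries an intranet name is not flagged when reached via its public name; presumably acceptable for the stated goal, but worth noting next to the check. Verify() begins before this hunk, so whether any earlier return path bypasses the new check is not visible here.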
@@ -286,4 +297,38 @@ bool CertVerifyProc::IsPublicKeyBlacklisted( |
return false; |
} |
+// static |
+bool CertVerifyProc::IsHostnameNonUnique(const std::string& hostname) { |
+ // CanonicalizeHost requires surrounding brackets to parse an IPv6 address. |
+ const std::string host_or_ip = hostname.find(':') != std::string::npos ? |
+ "[" + hostname + "]" : hostname; |
+ url_canon::CanonHostInfo host_info; |
+ std::string canonical_name = CanonicalizeHost(host_or_ip, &host_info); |
+ |
+ // If canonicalization fails, then the input is truly malformed. However, |
+ // to avoid mis-reporting bad inputs as "non-unique". |
+ if (canonical_name.empty()) |
+ return false; |
+ |
+ // If |hostname| is an IP address, presume it's unique. |
+ // TODO(rsleevi): In the future, this should also reject addresses in |
+ // IANA-reserved ranges, since those too are not unique among public CAs. |
+ if (host_info.IsIPAddress()) |
+ return false; |
+ |
+ // Check for a registry controlled portion of |hostname|, ignoring private |
+ // registries (since they already chain to ICANN-administered registries), |
+ // and explicitly ignoring unknown registries. |
+ // |
+ // Note: This means that as new gTLDs are introduced on the Internet, they |
+ // will be treated as non-unique until the registry controlled domain list |
+ // is updated. However, because gTLDs are expected to provide significant |
+ // advance notice to deprecate older versions of this code, this an |
+ // acceptable tradeoff. |
+ return 0 == registry_controlled_domains::GetRegistryLength( |
+ canonical_name, |
+ registry_controlled_domains::EXCLUDE_UNKNOWN_REGISTRIES, |
+ registry_controlled_domains::EXCLUDE_PRIVATE_REGISTRIES); |
+} |
+ |
} // namespace net |
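Review bot: The comment above the canonicalization-failure check is a sentence fragment ("However, to avoid mis-reporting bad inputs as "non-unique".") and never states which way the function fails; suggest `// If canonicalization fails, the input is malformed. Fail open (report it as unique) rather than mis-flag a bad input as non-unique; callers that need strictness must reject malformed names themselves.` A hostname that already arrives bracketed (e.g. `[::1]`) contains ':' and is wrapped again into `[[::1]]`, so it only reaches `false` through that fail-open branch instead of IsIPAddress(); `hostname.find(':') != std::string::npos && hostname[0] != '['` would keep the intent explicit. The TODO about IANA-reserved ranges is the bigger gap for the stated purpose, since `10.0.0.1` or `127.0.0.1` on a publicly-trusted certificate is exactly the non-unique case the Baseline Requirements describe, yet every IP literal currently short-circuits to unique.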