Warn if a well-known/"public" CA issues a certificate for a non-TLD

net/cert/cert_verify_proc.h

Index: net/cert/cert_verify_proc.h
diff --git a/net/cert/cert_verify_proc.h b/net/cert/cert_verify_proc.h
index c85bf75b519b1bba15a623ffe0565f541d27125b..4816d8853f72d84ed2d380f241ac80cd0ea18a7c 100644
--- a/net/cert/cert_verify_proc.h
+++ b/net/cert/cert_verify_proc.h
@@ -67,13 +67,14 @@ class NET_EXPORT CertVerifyProc
   virtual bool SupportsAdditionalTrustAnchors() const = 0;
 
  protected:
-  friend class base::RefCountedThreadSafe<CertVerifyProc>;
-  FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
-
   CertVerifyProc();
   virtual ~CertVerifyProc();
 
  private:
+  friend class base::RefCountedThreadSafe<CertVerifyProc>;
+  friend class CertVerifyProcNonUniqueNameTest;
+  FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
+
   // Performs the actual verification using the desired underlying
   // cryptographic library.
   virtual int VerifyInternal(X509Certificate* cert,
@@ -89,6 +90,19 @@ class NET_EXPORT CertVerifyProc
   // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which
   // are hashes of SubjectPublicKeyInfo structures) is explicitly blocked.
   static bool IsPublicKeyBlacklisted(const HashValueVector& public_key_hashes);
+
+  // Returns true if |hostname| contains a name that is non-unique among
+  // certificates (eg: an "internal server name").
+  //
+  // While such names are not scheduled to be deprecated as of 1 November 2015

[agl, 2013/05/16 20:08:25]

s/as of/until/?

+  // according to the CA/Browser Forum Baseline Requirements (v1.1), they
+  // represent a real risk for the deployment of new gTLDs, and thus being
+  // phased out ahead of the hard deadline.
+  // TODO(rsleevi): http://crbug.com/119212 - Also match internal IP address
+  // ranges.
+  static bool IsHostnameNonUnique(const std::string& hostname);
+
+  DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);
 };
 
 }  // namespace net