
Side by Side Diff: net/cert/internal/name_constraints.cc

Issue 2521813002: PKI library: dNSName constraints starting with dot should match subdomains. (Closed)
Patch Set: add test of ".." constraint Created 4 years ago
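--- a/net/cert/internal/name_constraints.cc
+++ b/net/cert/internal/name_constraints.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/name_constraints.h"
 
 #include <limits.h>
 
 #include <memory>
 
@@ -80,20 +80,25 @@
 }
 }
 
 if (!base::EndsWith(name, dns_constraint,
 base::CompareCase::INSENSITIVE_ASCII)) {
 return false;
 }
 // Exact match.
 if (name.size() == dns_constraint.size())
 return true;
+// If dNSName constraint starts with a dot, only subdomains should match.
+// (e.g., "foo.bar.com" matches constraint ".bar.com", but "bar.com" doesn't.)
+// RFC 5280 is ambiguous, but this matches the behavior of other platforms.
+if (!dns_constraint.empty() && dns_constraint[0] == '.')
+dns_constraint.remove_prefix(1);
 // Subtree match.
 if (name.size() > dns_constraint.size() &&
 name[name.size() - dns_constraint.size() - 1] == '.') {
 return true;
 }
 // Trailing text matches, but not in a subtree (e.g., "foobar.com" is not a
 // match for "bar.com").
 return false;
 }
 
@@ -543,10 +548,10 @@
 
 return false;
 }
 
 int NameConstraints::ConstrainedNameTypes() const {
 return (permitted_subtrees_.present_name_types |
 excluded_subtrees_.present_name_types);
 }
 
 } // namespace net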
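Review bot: The `// Exact match.` return is evaluated before the added `dns_constraint.remove_prefix(1)`, so a presented name that is character-for-character ".bar.com" is still accepted for the constraint ".bar.com", although the new comment says only subdomains should match. The start of this function is outside the visible hunk, so names with an empty first label may already be rejected there; if they are not, state the exception next to the new comment, e.g. `// A name identical to the dotted constraint is still accepted by the exact-match test above.` The comment also cites "other platforms" without naming them, and the matcher presumably serves both `permitted_subtrees_` and `excluded_subtrees_`. Naming the implementations being matched and saying that the rule applies to exclusions as well would let the decision be re-checked later.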