Chromium Code Reviews

Unified Diff: net/cert/internal/name_constraints.cc

Issue 2521813002: PKI library: dNSName constraints starting with dot should match subdomains. (Closed)
Patch Set: add test of ".." constraint Created 4 years, 1 month ago
Index: net/cert/internal/name_constraints.cc
diff --git a/net/cert/internal/name_constraints.cc b/net/cert/internal/name_constraints.cc
index 162569f964cfcdf0958b5f1d365cc42e042ba7fd..0ed685101e9a15d6463ed693188273aed304c5fa 100644
--- a/net/cert/internal/name_constraints.cc
+++ b/net/cert/internal/name_constraints.cc
@@ -87,6 +87,11 @@ bool DNSNameMatches(base::StringPiece name,
// Exact match.
if (name.size() == dns_constraint.size())
return true;
+ // If dNSName constraint starts with a dot, only subdomains should match.
+ // (e.g., "foo.bar.com" matches constraint ".bar.com", but "bar.com" doesn't.)
+ // RFC 5280 is ambiguous, but this matches the behavior of other platforms.
+ if (!dns_constraint.empty() && dns_constraint[0] == '.')
+ dns_constraint.remove_prefix(1);
// Subtree match.
if (name.size() > dns_constraint.size() &&
name[name.size() - dns_constraint.size() - 1] == '.') {
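Review bot: At the `dns_constraint.remove_prefix(1)` line, a constraint consisting of a single "." becomes an empty string, and the subtree condition that follows then reduces to `name.size() > 0 && name[name.size() - 1] == '.'`, so the outcome depends only on whether the name ends in a dot. Consider handling a bare "." constraint explicitly before stripping, and add a unit test for it alongside the ".." case this patch set covers. Separately, the new comment says only subdomains match, but that holds only because the `name.size() == dns_constraint.size()` exact-match check runs before the dot is stripped; if the two were ever reordered, "bar.com" would start matching ".bar.com". It is worth stating that ordering dependency in the comment.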