Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(438)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/x509_certificate.cc

Issue 2719273002: Disable commonName matching for certificates (Closed)
Patch Set: Update tests & fix small bug with IPvsDNS sans Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/x509_certificate.h ('k') | net/cert/x509_certificate_unittest.cc » ('j') | net/cert/x509_certificate_unittest.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/x509_certificate.cc
diff --git a/net/cert/x509_certificate.cc b/net/cert/x509_certificate.cc
index 0d6fe95f1341bb2ea178b176304acd2fc2a6569b..5ebf3944b6e08bdcd15e473daa23d8c3f25da6f9 100644
--- a/net/cert/x509_certificate.cc
+++ b/net/cert/x509_certificate.cc
@@ -493,7 +493,7 @@ bool X509Certificate::VerifyHostname(
const std::string& cert_common_name,
const std::vector<std::string>& cert_san_dns_names,
const std::vector<std::string>& cert_san_ip_addrs,
- bool* common_name_fallback_used) {
+ bool allow_common_name_fallback) {
DCHECK(!hostname.empty());
// Perform name verification following http://tools.ietf.org/html/rfc6125.
// The terminology used in this method is as per that RFC:-
@@ -514,14 +514,16 @@ bool X509Certificate::VerifyHostname(
if (reference_name.empty())
return false;
- // Allow fallback to Common name matching?
- const bool common_name_fallback = cert_san_dns_names.empty() &&
- cert_san_ip_addrs.empty();
- *common_name_fallback_used = common_name_fallback;
+ if (!allow_common_name_fallback && cert_san_dns_names.empty() &&
+ cert_san_ip_addrs.empty()) {
+ // Common Name matching is not allowed, so fail fast.
+ return false;
+ }
// Fully handle all cases where |hostname| contains an IP address.
if (host_info.IsIPAddress()) {
- if (common_name_fallback && host_info.family == url::CanonHostInfo::IPV4) {
+ if (allow_common_name_fallback && cert_san_ip_addrs.empty() &&
+ host_info.family == url::CanonHostInfo::IPV4) {
// Fallback to Common name matching. As this is deprecated and only
// supported for compatibility refuse it for IPv6 addresses.
return reference_name == cert_common_name;
@@ -580,7 +582,8 @@ bool X509Certificate::VerifyHostname(
// fallback to use the common name instead.
std::vector<std::string> common_name_as_vector;
const std::vector<std::string>* presented_names = &cert_san_dns_names;
- if (common_name_fallback) {
+ if (allow_common_name_fallback && cert_san_dns_names.empty() &&
+ cert_san_ip_addrs.empty()) {
// Note: there's a small possibility cert_common_name is an international
// domain name in non-standard encoding (e.g. UTF8String or BMPString
// instead of A-label). As common name fallback is deprecated we're not
@@ -628,11 +631,11 @@ bool X509Certificate::VerifyHostname(
}
bool X509Certificate::VerifyNameMatch(const std::string& hostname,
- bool* common_name_fallback_used) const {
+ bool allow_common_name_fallback) const {
std::vector<std::string> dns_names, ip_addrs;
GetSubjectAltName(&dns_names, &ip_addrs);
return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs,
- common_name_fallback_used);
+ allow_common_name_fallback);
}
// static
« no previous file with comments | « net/cert/x509_certificate.h ('k') | net/cert/x509_certificate_unittest.cc » ('j') | net/cert/x509_certificate_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698