Disable commonName matching for certificates

net/cert/x509_certificate.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/x509_certificate.h"
 
 #include <limits.h>
 #include <stdlib.h>
 
 #include <algorithm>
@@ skipping 475 matching lines @@
 bool X509Certificate::Equals(const X509Certificate* other) const {
   return IsSameOSCert(cert_handle_, other->cert_handle_);
 }
 
 // static
 bool X509Certificate::VerifyHostname(
     const std::string& hostname,
     const std::string& cert_common_name,
     const std::vector<std::string>& cert_san_dns_names,
     const std::vector<std::string>& cert_san_ip_addrs,
-    bool* common_name_fallback_used) {
+    bool allow_common_name_fallback) {
   DCHECK(!hostname.empty());
   // Perform name verification following http://tools.ietf.org/html/rfc6125.
   // The terminology used in this method is as per that RFC:-
   // Reference identifier == the host the local user/agent is intending to
   //                         access, i.e. the thing displayed in the URL bar.
   // Presented identifier(s) == name(s) the server knows itself as, in its cert.
 
   // CanonicalizeHost requires surrounding brackets to parse an IPv6 address.
   const std::string host_or_ip = hostname.find(':') != std::string::npos ?
       "[" + hostname + "]" : hostname;
   url::CanonHostInfo host_info;
   std::string reference_name = CanonicalizeHost(host_or_ip, &host_info);
   // CanonicalizeHost does not normalize absolute vs relative DNS names. If
   // the input name was absolute (included trailing .), normalize it as if it
   // was relative.
   if (!reference_name.empty() && *reference_name.rbegin() == '.')
     reference_name.resize(reference_name.size() - 1);
   if (reference_name.empty())
     return false;
 
-  // Allow fallback to Common name matching?
-  const bool common_name_fallback = cert_san_dns_names.empty() &&
-                                    cert_san_ip_addrs.empty();
-  *common_name_fallback_used = common_name_fallback;
+  if (!allow_common_name_fallback && cert_san_dns_names.empty() &&
+      cert_san_ip_addrs.empty()) {
+    // Common Name matching is not allowed, so fail fast.
+    return false;
+  }
 
   // Fully handle all cases where |hostname| contains an IP address.
   if (host_info.IsIPAddress()) {
-    if (common_name_fallback && host_info.family == url::CanonHostInfo::IPV4) {
+    if (allow_common_name_fallback && cert_san_dns_names.empty() &&
+        cert_san_ip_addrs.empty() &&
+        host_info.family == url::CanonHostInfo::IPV4) {
       // Fallback to Common name matching. As this is deprecated and only
       // supported for compatibility refuse it for IPv6 addresses.
       return reference_name == cert_common_name;
     }
     base::StringPiece ip_addr_string(
         reinterpret_cast<const char*>(host_info.address),
         host_info.AddressLength());
     return std::find(cert_san_ip_addrs.begin(), cert_san_ip_addrs.end(),
                      ip_addr_string) != cert_san_ip_addrs.end();
   }
@@ skipping 38 matching lines @@
     allow_wildcards =
         !is_registry_controlled &&
         reference_name.find_first_not_of("0123456789.") != std::string::npos;
   }
 
   // Now step through the DNS names doing wild card comparison (if necessary)
   // on each against the reference name. If subjectAltName is empty, then
   // fallback to use the common name instead.
   std::vector<std::string> common_name_as_vector;
   const std::vector<std::string>* presented_names = &cert_san_dns_names;
-  if (common_name_fallback) {
+  if (allow_common_name_fallback && cert_san_dns_names.empty() &&
+      cert_san_ip_addrs.empty()) {
     // Note: there's a small possibility cert_common_name is an international
     // domain name in non-standard encoding (e.g. UTF8String or BMPString
     // instead of A-label). As common name fallback is deprecated we're not
     // doing anything specific to deal with this.
     common_name_as_vector.push_back(cert_common_name);
     presented_names = &common_name_as_vector;
   }
   for (std::vector<std::string>::const_iterator it =
            presented_names->begin();
        it != presented_names->end(); ++it) {
@@ skipping 27 matching lines @@
 
     if (!allow_wildcards)
       continue;
 
     return true;
   }
   return false;
 }
 
 bool X509Certificate::VerifyNameMatch(const std::string& hostname,
-                                      bool* common_name_fallback_used) const {
+                                      bool allow_common_name_fallback) const {
   std::vector<std::string> dns_names, ip_addrs;
   GetSubjectAltName(&dns_names, &ip_addrs);
   return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs,
-                        common_name_fallback_used);
+                        allow_common_name_fallback);
 }
 
 // static
 bool X509Certificate::GetPEMEncodedFromDER(const std::string& der_encoded,
                                            std::string* pem_encoded) {
   if (der_encoded.empty())
     return false;
   std::string b64_encoded;
   base::Base64Encode(der_encoded, &b64_encoded);
   *pem_encoded = "-----BEGIN CERTIFICATE-----\n";
@@ skipping 69 matching lines @@
     RemoveFromCache(cert_handle_);
     FreeOSCertHandle(cert_handle_);
   }
   for (size_t i = 0; i < intermediate_ca_certs_.size(); ++i) {
     RemoveFromCache(intermediate_ca_certs_[i]);
     FreeOSCertHandle(intermediate_ca_certs_[i]);
   }
 }
 
 }  // namespace net