Chromium Code Reviews| Index: components/ssl_errors/error_classification.cc |
| diff --git a/components/ssl_errors/error_classification.cc b/components/ssl_errors/error_classification.cc |
| index 2ce6dbbd15761073ec8b8bdaa0dd266206464e58..beb55f78ff74987cc67c314fc4a89eae8accde82 100644 |
| --- a/components/ssl_errors/error_classification.cc |
| +++ b/components/ssl_errors/error_classification.cc |
| @@ -104,15 +104,6 @@ int FindSubdomainDifference(const HostnameTokens& potential_subdomain, |
| return diff_size; |
| } |
| -// We accept the inverse case for www for historical reasons. |
| -bool IsWWWSubDomainMatch(const GURL& request_url, |
| - const net::X509Certificate& cert) { |
| - std::string www_host; |
| - std::vector<std::string> dns_names; |
| - cert.GetDNSNames(&dns_names); |
| - return GetWWWSubDomainMatch(request_url, dns_names, &www_host); |
| -} |
| - |
| // The time to use when doing build time operations in browser tests. |
| base::LazyInstance<base::Time>::DestructorAtExit g_testing_build_time = |
| LAZY_INSTANCE_INITIALIZER; |
| @@ -156,7 +147,7 @@ void RecordUMAStatistics(bool overridable, |
| if (IsSubDomainOutsideWildcard(request_url, cert)) |
| RecordSSLInterstitialCause(overridable, SUBDOMAIN_OUTSIDE_WILDCARD); |
| std::vector<std::string> dns_names; |
| - cert.GetDNSNames(&dns_names); |
| + cert.GetSubjectAltName(&dns_names, nullptr); |
| std::vector<HostnameTokens> dns_name_tokens = |
| GetTokenizedDNSNames(dns_names); |
| if (NameUnderAnyNames(host_name_tokens, dns_name_tokens)) |
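Review bot: After `cert.GetSubjectAltName(&dns_names, nullptr);` in RecordUMAStatistics, `dns_names` can be empty for a certificate that carries no SAN dNSName entries, and the call's result is not checked. The same call is introduced in IsWWWSubDomainMatch, IsSubDomainOutsideWildcard and IsCertLikelyFromMultiTenantHosting, but only IsCertLikelyFromSameDomain gains the guard `if (dns_names.empty()) return false;`. Here an empty list presumably just makes NameUnderAnyNames return false. In the multi-tenant function the context comment speaks of "only 1 DNS name" and the size test lies outside the hunk, so it should be confirmed to cover zero names as well. I would either add the same early return at each site or document the expectation next to the call, e.g. `// May be empty: a certificate without SAN dNSName entries yields no names.` RecordUMAStatistics starts and ends outside this hunk.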
| @@ -290,6 +281,15 @@ HostnameTokens Tokenize(const std::string& name) { |
| base::SPLIT_WANT_ALL); |
| } |
| +// We accept the inverse case for www for historical reasons. |
| +bool IsWWWSubDomainMatch(const GURL& request_url, |
| + const net::X509Certificate& cert) { |
| + std::string www_host; |
| + std::vector<std::string> dns_names; |
| + cert.GetSubjectAltName(&dns_names, nullptr); |
| + return GetWWWSubDomainMatch(request_url, dns_names, &www_host); |
| +} |
| + |
| bool GetWWWSubDomainMatch(const GURL& request_url, |
| const std::vector<std::string>& dns_names, |
| std::string* www_match_host_name) { |
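Review bot: The comment moved along with IsWWWSubDomainMatch says only that the inverse www case is accepted "for historical reasons"; it does not say which certificate names are compared or what a true result means. Since the lookup is now `cert.GetSubjectAltName(&dns_names, nullptr);`, I would extend it to something like `// Returns whether GetWWWSubDomainMatch() finds a match between the request host and the certificate's SAN dNSName entries; IP SANs are not collected.` The local `www_host` is filled and discarded, which is fine for a boolean wrapper but worth a word in the same comment. GetWWWSubDomainMatch's body is outside the hunk, so the exact matching rule should be taken from there rather than from this note.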
| @@ -383,7 +383,7 @@ bool IsSubDomainOutsideWildcard(const GURL& request_url, |
| std::string host_name = request_url.host(); |
| HostnameTokens host_name_tokens = Tokenize(host_name); |
| std::vector<std::string> dns_names; |
| - cert.GetDNSNames(&dns_names); |
| + cert.GetSubjectAltName(&dns_names, nullptr); |
|
estark
2017/04/03 02:01:42
Blegh, I suppose all these will affect existing hi
elawrence
2017/04/04 15:52:28
yes.
|
| bool result = false; |
| // This method requires that the host name be longer than the dns name on |
| @@ -411,7 +411,7 @@ bool IsCertLikelyFromMultiTenantHosting(const GURL& request_url, |
| std::string host_name = request_url.host(); |
| std::vector<std::string> dns_names; |
| std::vector<std::string> dns_names_domain; |
| - cert.GetDNSNames(&dns_names); |
| + cert.GetSubjectAltName(&dns_names, nullptr); |
| size_t dns_names_size = dns_names.size(); |
| // If there is only 1 DNS name then it is definitely not a shared certificate. |
| @@ -458,7 +458,9 @@ bool IsCertLikelyFromSameDomain(const GURL& request_url, |
| const net::X509Certificate& cert) { |
| std::string host_name = request_url.host(); |
| std::vector<std::string> dns_names; |
| - cert.GetDNSNames(&dns_names); |
| + cert.GetSubjectAltName(&dns_names, nullptr); |
| + if (dns_names.empty()) |
| + return false; |
| dns_names.push_back(host_name); |
| std::vector<std::string> dns_names_domain; |