| Index: net/cert/cert_verify_proc.cc
|
| diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
|
| index f598acc6998abdb73d984651c6461dd64a8091dd..e9b3575a85e93fbd42f22e4f1dc845336ce28843 100644
|
| --- a/net/cert/cert_verify_proc.cc
|
| +++ b/net/cert/cert_verify_proc.cc
|
| @@ -456,13 +456,13 @@ bool CertVerifyProc::IsPublicKeyBlacklisted(
|
| return false;
|
| }
|
|
|
| -static const size_t kMaxTLDLength = 4;
|
| +static const size_t kMaxDomainLength = 18;
|
|
|
| // CheckNameConstraints verifies that every name in |dns_names| is in one of
|
| -// the domains specified by |tlds|. The |tlds| array is terminated by an empty
|
| -// string.
|
| +// the domains specified by |domains|. The |domains| array is terminated by an
|
| +// empty string.
|
| static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
|
| - const char tlds[][kMaxTLDLength]) {
|
| + const char domains[][kMaxDomainLength]) {
|
| for (std::vector<std::string>::const_iterator i = dns_names.begin();
|
| i != dns_names.end(); ++i) {
|
| bool ok = false;
|
| @@ -480,16 +480,16 @@ static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
|
| if (registry_len == 0)
|
| continue;
|
|
|
| - for (size_t j = 0; tlds[j][0]; ++j) {
|
| - const size_t tld_length = strlen(tlds[j]);
|
| - // The DNS name must have "." + tlds[j] as a suffix.
|
| - if (i->size() <= (1 /* period before TLD */ + tld_length))
|
| + for (size_t j = 0; domains[j][0]; ++j) {
|
| + const size_t domain_length = strlen(domains[j]);
|
| + // The DNS name must have "." + domains[j] as a suffix.
|
| + if (i->size() <= (1 /* period before domain */ + domain_length))
|
| continue;
|
|
|
| - const char* suffix = &dns_name[i->size() - tld_length - 1];
|
| + const char* suffix = &dns_name[i->size() - domain_length - 1];
|
| if (suffix[0] != '.')
|
| continue;
|
| - if (memcmp(&suffix[1], tlds[j], tld_length) != 0)
|
| + if (memcmp(&suffix[1], domains[j], domain_length) != 0)
|
| continue;
|
| ok = true;
|
| break;
|
| @@ -502,12 +502,12 @@ static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
|
| return true;
|
| }
|
|
|
| -// PublicKeyTLDLimitation contains a SHA1, SPKI hash and a pointer to an array
|
| -// of fixed-length strings that contain the TLDs that the SPKI is allowed to
|
| -// issue for.
|
| -struct PublicKeyTLDLimitation {
|
| +// PublicKeyDomainLimitation contains a SHA1, SPKI hash and a pointer to an
|
| +// array of fixed-length strings that contain the domains that the SPKI is
|
| +// allowed to issue for.
|
| +struct PublicKeyDomainLimitation {
|
| uint8 public_key[base::kSHA1Length];
|
| - const char (*tlds)[kMaxTLDLength];
|
| + const char (*domains)[kMaxDomainLength];
|
| };
|
|
|
| // static
|
| @@ -516,7 +516,7 @@ bool CertVerifyProc::HasNameConstraintsViolation(
|
| const std::string& common_name,
|
| const std::vector<std::string>& dns_names,
|
| const std::vector<std::string>& ip_addrs) {
|
| - static const char kTLDsANSSI[][kMaxTLDLength] = {
|
| + static const char kDomainsANSSI[][kMaxDomainLength] = {
|
| "fr", // France
|
| "gp", // Guadeloupe
|
| "gf", // Guyane
|
| @@ -533,25 +533,57 @@ bool CertVerifyProc::HasNameConstraintsViolation(
|
| "",
|
| };
|
|
|
| - static const char kTLDsTest[][kMaxTLDLength] = {
|
| - "com",
|
| + static const char kDomainsIndiaCCA[][kMaxDomainLength] = {
|
| + "gov.in",
|
| + "nic.in",
|
| + "ac.in",
|
| + "rbi.org.in",
|
| + "bankofindia.co.in",
|
| + "ncode.in",
|
| + "tcs.co.in",
|
| "",
|
| };
|
|
|
| - static const PublicKeyTLDLimitation kLimits[] = {
|
| + static const char kDomainsTest[][kMaxDomainLength] = {
|
| + "example.com",
|
| + "",
|
| + };
|
| +
|
| + static const PublicKeyDomainLimitation kLimits[] = {
|
| // C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI,
|
| // CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
|
| {
|
| {0x79, 0x23, 0xd5, 0x8d, 0x0f, 0xe0, 0x3c, 0xe6, 0xab, 0xad,
|
| 0xae, 0x27, 0x1a, 0x6d, 0x94, 0xf4, 0x14, 0xd1, 0xa8, 0x73},
|
| - kTLDsANSSI,
|
| + kDomainsANSSI,
|
| + },
|
| + // C=IN, O=India PKI, CN=CCA India 2007
|
| + // Expires: July 4th 2015.
|
| + {
|
| + {0xfe, 0xe3, 0x95, 0x21, 0x2d, 0x5f, 0xea, 0xfc, 0x7e, 0xdc,
|
| + 0xcf, 0x88, 0x3f, 0x1e, 0xc0, 0x58, 0x27, 0xd8, 0xb8, 0xe4},
|
| + kDomainsIndiaCCA,
|
| + },
|
| + // C=IN, O=India PKI, CN=CCA India 2011
|
| + // Expires: March 11 2016.
|
| + {
|
| + {0xf1, 0x42, 0xf6, 0xa2, 0x7d, 0x29, 0x3e, 0xa8, 0xf9, 0x64,
|
| + 0x52, 0x56, 0xed, 0x07, 0xa8, 0x63, 0xf2, 0xdb, 0x1c, 0xdf},
|
| + kDomainsIndiaCCA,
|
| + },
|
| + // C=IN, O=India PKI, CN=CCA India 2014
|
| + // Expires: March 5 2024.
|
| + {
|
| + {0x36, 0x8c, 0x4a, 0x1e, 0x2d, 0xb7, 0x81, 0xe8, 0x6b, 0xed,
|
| + 0x5a, 0x0a, 0x42, 0xb8, 0xc5, 0xcf, 0x6d, 0xb3, 0x57, 0xe1},
|
| + kDomainsIndiaCCA,
|
| },
|
| // Not a real certificate - just for testing. This is the SPKI hash of
|
| // the keys used in net/data/ssl/certificates/name_constraint_*.crt.
|
| {
|
| {0x15, 0x45, 0xd7, 0x3b, 0x58, 0x6b, 0x47, 0xcf, 0xc1, 0x44,
|
| 0xa2, 0xc9, 0xaa, 0xab, 0x98, 0x3d, 0x21, 0xcc, 0x42, 0xde},
|
| - kTLDsTest,
|
| + kDomainsTest,
|
| },
|
| };
|
|
|
| @@ -563,10 +595,10 @@ bool CertVerifyProc::HasNameConstraintsViolation(
|
| if (dns_names.empty() && ip_addrs.empty()) {
|
| std::vector<std::string> dns_names;
|
| dns_names.push_back(common_name);
|
| - if (!CheckNameConstraints(dns_names, kLimits[i].tlds))
|
| + if (!CheckNameConstraints(dns_names, kLimits[i].domains))
|
| return true;
|
| } else {
|
| - if (!CheckNameConstraints(dns_names, kLimits[i].tlds))
|
| + if (!CheckNameConstraints(dns_names, kLimits[i].domains))
|
| return true;
|
| }
|
| }
|
|
|
Chromium Code Reviews
Issue 380033002:
net: enforce domain limitations on India CCA. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src