Chromium Code Reviews Chromium Code Reviews
Issue 4184004:
Add support for certificate name checking (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: net/base/x509_openssl_util.cc |
| diff --git a/net/base/x509_openssl_util.cc b/net/base/x509_openssl_util.cc |
| index 22ab59aab3ac3a6ff8bf19abb1f0f47517972cfb..4d1bc7d9fa9e4bdb4abaccb72c64ea6d34c12a6d 100644 |
| --- a/net/base/x509_openssl_util.cc |
| +++ b/net/base/x509_openssl_util.cc |
| @@ -1,4 +1,4 @@ |
| -// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved. |
| +// Copyright (c) 2010 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| @@ -7,6 +7,7 @@ |
| #include "base/logging.h" |
| #include "base/string_number_conversions.h" |
| #include "base/string_piece.h" |
| +#include "base/string_util.h" |
| #include "base/time.h" |
| namespace net { |
| @@ -108,6 +109,114 @@ bool ParseDate(ASN1_TIME* x509_time, base::Time* time) { |
| return true; |
| } |
| +// TODO(joth): Investigate if we can upstream this into the OpenSSL library, |
| +// to avoid duplicating this logic across projects. |
| +bool VerifyHostname(const std::string& hostname, |
| + const std::vector<std::string>& cert_names) { |
| + DCHECK(!hostname.empty()); |
| + |
| + // Simple host name validation. A valid domain name must only contain |
| + // alpha, digits, hyphens, and dots. An IP address may have digits and dots, |
| + // and also square braces and colons for IPv6 addresses. |
| + std::string reference_name; |
| + reference_name.reserve(hostname.length()); |
| + |
| + bool found_alpha = false; |
| + bool found_ip6_chars = false; |
| + bool found_hyphen = false; |
| + int dot_count = 0; |
| + |
| + size_t first_dot_index = std::string::npos; |
| + for (std::string::const_iterator it = hostname.begin(); |
| + it != hostname.end(); ++it) { |
|
agl
2010/11/15 17:55:04
indentation looks to be off by a space here.
joth
2010/11/16 14:01:10
Done.
|
| + char c = *it; |
| + if (IsAsciiAlpha(c)) { |
| + found_alpha = true; |
| + c = base::ToLowerASCII(c); |
| + } else if (c == '.') { |
| + ++dot_count; |
| + if (first_dot_index == std::string::npos) |
| + first_dot_index = reference_name.length(); |
| + } else if (c == ':') { |
| + found_ip6_chars = true; |
| + } else if (c == '-') { |
| + found_hyphen = true; |
| + } else if (!IsAsciiDigit(c)) { |
| + LOG(WARNING) << "Invalid char " << c << " in hostname " << hostname; |
| + return false; |
| + } |
| + reference_name.push_back(c); |
| + } |
| + DCHECK(!reference_name.empty()); |
| + |
| + // TODO(joth): Add IP address support. See http://crbug.com/62973. |
| + if (found_ip6_chars || !found_alpha) { |
| + NOTIMPLEMENTED() << hostname; |
| + return false; |
| + } |
| + |
| + // |wildcard_domain| is the remainder of |host| after the leading host |
| + // component is stripped off, but includes the leading dot e.g. |
| + // "www.f.com" -> ".f.com". |
| + // If there is no meaningful domain part to |host| (e.g. it is an IP address |
| + // or contains no dots) then |wildcard_domain| will be empty. |
| + // We required at least 3 components (i.e. 2 dots) as a basic protection |
| + // against too-broad wild-carding. |
| + base::StringPiece wildcard_domain; |
| + if (found_alpha && !found_ip6_chars && dot_count >= 2) { |
| + DCHECK(first_dot_index != std::string::npos); |
| + wildcard_domain = reference_name; |
| + wildcard_domain.remove_prefix(first_dot_index); |
| + DCHECK(wildcard_domain.starts_with(".")); |
| + } |
| + |
| + for (std::vector<std::string>::const_iterator it = cert_names.begin(); |
| + it != cert_names.end(); ++it) { |
| + // Catch badly corrupt cert names up front. |
| + if (it->empty() || it->find('\0') != std::string::npos) { |
| + LOG(WARNING) << "Bad name in cert: " << *it; |
| + continue; |
| + } |
| + const std::string cert_name_string(StringToLowerASCII(*it)); |
| + base::StringPiece cert_match(cert_name_string); |
| + |
| + // Remove trailing dot, if any. |
| + if (cert_match.ends_with(".")) |
| + cert_match.remove_suffix(1); |
| + |
| + // The hostname must be at least as long as the cert name it is matching, |
| + // as we require the wildcard (if present) to match at least one character. |
| + if (cert_match.length() > reference_name.length()) |
| + continue; |
| + |
| + if (cert_match == reference_name) |
| + return true; |
| + |
| + // Next see if this cert name starts with a wildcard, so long as the |
| + // hostname we're matching against has a valid 'domain' part to match. |
| + // Note the "-10" version of draft-saintandre-tls-server-id-check allows |
| + // the wildcard to appear anywhere in the leftmost label, rather than |
|
agl
2010/11/15 17:55:04
double space here.
joth
2010/11/16 14:01:10
Done.
|
| + // requiring it to be the only character. See |
|
agl
2010/11/15 17:55:04
'See' what?
joth
2010/11/16 14:01:10
Done.
See http://crbug.com/60719
|
| + if (wildcard_domain.empty() || !cert_match.starts_with("*")) |
| + continue; |
| + |
| + // Erase the * but not the . from the domain, as we need to include the dot |
| + // in the comparison. |
| + cert_match.remove_prefix(1); |
| + |
| + // Do character by character comparison on the remainder to see |
| + // if we have a wildcard match. This intentionally does no special handling |
| + // for any other wildcard characters in |domain|; alternatively it could |
| + // detect these and skip those candidate cert names. |
| + if (cert_match == wildcard_domain) |
| + return true; |
| + } |
| + DVLOG(1) << "Could not find any match for " << hostname |
| + << " (canonicalized as " << reference_name |
| + << ") in cert names " << JoinString(cert_names, '|'); |
| + return false; |
| +} |
| + |
| } // namespace x509_openssl_util |
| } // namespace net |
