
Unified Diff: net/cert/x509_certificate_unittest.cc

Issue 762013002: Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard ha… (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 6 years, 1 month ago
Index: net/cert/x509_certificate_unittest.cc
diff --git a/net/cert/x509_certificate_unittest.cc b/net/cert/x509_certificate_unittest.cc
index c64da2ca430bed747b9c436e289d9083c8a1309a..f5e49f8b3cd1f6053affecdac6acf1b2f935c5b6 100644
--- a/net/cert/x509_certificate_unittest.cc
+++ b/net/cert/x509_certificate_unittest.cc
@@ -971,10 +971,10 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ false, "w.bar.foo.com", "w*.bar.foo.com" },
{ false, "www.bar.foo.com", "ww*ww.bar.foo.com" },
{ false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" },
- { true, "wwww.bar.foo.com", "w*w.bar.foo.com" },
+ { false, "wwww.bar.foo.com", "w*w.bar.foo.com" },
{ false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" },
- { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" },
- { true, "wally.bar.foo.com", "*Ly.bar.foo.com" },
+ { false, "WALLY.bar.foo.com", "wa*.bar.foo.com" },
+ { false, "wally.bar.foo.com", "*Ly.bar.foo.com" },
{ true, "ww%57.foo.com", "", "www.foo.com" },
{ true, "www&.foo.com", "www%26.foo.com" },
// Common name must not be used if subject alternative name was provided.
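Review bot: The flipped entries `"WALLY.bar.foo.com"` / `"wa*.bar.foo.com"` and `"wally.bar.foo.com"` / `"*Ly.bar.foo.com"` were the cases that paired a case difference with a wildcard, and now that they expect `false` because of the partial wildcard they no longer say anything about case handling. A regression that made wildcard matching case-sensitive would still pass them. If no entry outside this hunk covers it, add a positive case with a full-label wildcard, for example `{ true, "WALLY.bar.foo.com", "*.bar.foo.com" },` and `{ true, "wally.bar.foo.com", "*.Bar.Foo.com" },`; the expected values are inferred from the old expectations, so confirm them against the matcher. A comment such as `// Rejected for the partial wildcard, not for the case difference.` above the two flipped entries would record the intent. The table starts and ends outside the hunk.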
@@ -998,12 +998,14 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ true, "foo.example.com", "*.example.com" },
{ false, "bar.foo.example.com", "*.example.com" },
{ false, "example.com", "*.example.com" },
- // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
- // be taken to match baz1.example.net and foobaz.example.net and
- // buzz.example.net, respectively
- { true, "baz1.example.net", "baz*.example.net" },
- { true, "foobaz.example.net", "*baz.example.net" },
- { true, "buzz.example.net", "b*z.example.net" },
+ // Partial wildcards are disallowed, though RFC 2818 rules allow them.
+ // That is, forms such as baz*.example.net, *baz.example.net, and
+ // b*z.example.net should NOT match domains. Instead, the wildcard must
+ // always be the left-most label, and only a single label.
+ { false, "baz1.example.net", "baz*.example.net" },
+ { false, "foobaz.example.net", "*baz.example.net" },
+ { false, "buzz.example.net", "b*z.example.net" },
+ { false, "www.test.example.net", "www.*.example.net" },
// Wildcards should not be valid for public registry controlled domains,
// and unknown/unrecognized domains, at least three domain components must
// be present.
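Review bot: The last sentence of the new comment, "the wildcard must always be the left-most label, and only a single label", is ambiguous: it can mean that `*` must be the whole left-most label, or that it matches exactly one label, and the entries around it depend on both. Suggested wording: `// b*z.example.net should NOT match domains. Instead, the wildcard must be the` followed by `// entire left-most label, and it matches exactly one label.` The added `"www.*.example.net"` entry covers a wildcard outside the left-most label, but a pattern with more than one wildcard (for example `"*.*.example.net"`) is not exercised in this hunk and would presumably also be expected to fail. That is worth a case if the table, which continues past the hunk, does not already have one.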