authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-10-28 02:32:11 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-10-28 02:32:11 +0000
commitf39d61d9d80c536dcb4bb74915c20058bae0fd3d (patch)
tree9ace549a7f461683fd9bba31e06e4a018d8c59b0
parentb8161e3aaf9a8305ff77e9c52ab45c0281cfc4fc (diff)
Disallow wildcards from matching top-level registry controlled domains during cert validation.
BUG=100442 TEST=net_unittests:X509CertificateNameVerifyTest.* Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=107075 Review URL: http://codereview.chromium.org/8362023 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@107679 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--net/base/x509_certificate.cc32
-rw-r--r--net/base/x509_certificate_unittest.cc19
2 files changed, 41 insertions, 10 deletions
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index e144aad..5004bf4 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -27,6 +27,7 @@
#include "net/base/net_errors.h"
#include "net/base/net_util.h"
#include "net/base/pem_tokenizer.h"
+#include "net/base/registry_controlled_domain.h"
namespace net {
@@ -507,17 +508,36 @@ bool X509Certificate::VerifyHostname(
// |reference_domain| is the remainder of |host| after the leading host
// component is stripped off, but includes the leading dot e.g.
// "www.f.com" -> ".f.com".
- // If there is no meaningful domain part to |host| (e.g. it contains no dots)
- // then |reference_domain| will be empty.
+ // If there is no meaningful domain part to |host| (e.g. it contains no
+ // dots) then |reference_domain| will be empty.
base::StringPiece reference_host, reference_domain;
SplitOnChar(reference_name, '.', &reference_host, &reference_domain);
bool allow_wildcards = false;
if (!reference_domain.empty()) {
DCHECK(reference_domain.starts_with("."));
- // We required at least 3 components (i.e. 2 dots) as a basic protection
- // against too-broad wild-carding.
- // Also we don't attempt wildcard matching on a purely numerical hostname.
- allow_wildcards = reference_domain.rfind('.') != 0 &&
+
+ // Do not allow wildcards for registry controlled domains, so as to
+ // prevent accepting *.com or *.co.uk as valid presented names. Passing
+ // true for |allow_unknown_registries| so that top-level domains which are
+ // unknown (intranet domains, new TLDs/gTLDs not yet recognized) are
+ // treated as registry-controlled domains. Because the |reference_domain|
+ // must contain at least one name component that is not registry
+ // controlled, this ensures that all reference names have at least three
+ // domain components in order to permit wildcards.
+ size_t registry_length =
+ RegistryControlledDomainService::GetRegistryLength(reference_name,
+ true);
+ // As the |reference_name| was already canonicalized, this should never
+ // happen.
+ CHECK_NE(registry_length, std::string::npos);
+
+ // Subtracting 1 to account for the leading dot in |reference_domain|.
+ bool is_registry_controlled = registry_length != 0 &&
+ registry_length == (reference_domain.size() - 1);
+
+ // Additionally, do not attempt wildcard matching for purely numeric
+ // hostnames.
+ allow_wildcards = !is_registry_controlled &&
reference_name.find_first_not_of("0123456789.") != std::string::npos;
}
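Review bot: `CHECK_NE(registry_length, std::string::npos)` is a release-mode assertion inside certificate hostname verification, so if the canonicalization assumption in the comment above it ever breaks, the process aborts instead of the name being rejected. VerifyHostname returns bool, so failing closed with `if (registry_length == std::string::npos) return false;` (keeping a `DCHECK` for debug builds) gives the same security outcome without a crash path; the canonicalization happens outside this hunk, so confirm it against the caller. The block comment should also state that the check is only as complete as the bundled registry data: a multi-label public suffix missing from that data would presumably fall under the unknown-registry rule, where only the last label counts, so a wildcard directly under that suffix would still be accepted. It is also worth noting in the comment that `reference_domain.size() - 1` cannot underflow only because of the enclosing `!reference_domain.empty()` guard.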
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 6dab44f..dba04e9 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -1305,7 +1305,6 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
"xn--poema-*.com.br,"
"xn--*-9qae5a.com.br,"
"*--poema-9qae5a.com.br" },
- { true, "xn--poema-9qae5a.com.br", "*.com.br" },
// The following are adapted from the examples quoted from
// http://tools.ietf.org/html/rfc6125#section-6.4.3
// (e.g., *.example.com would match foo.example.com but
@@ -1319,12 +1318,21 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ true, "baz1.example.net", "baz*.example.net" },
{ true, "foobaz.example.net", "*baz.example.net" },
{ true, "buzz.example.net", "b*z.example.net" },
- // Wildcards should not be valid unless there are at least three name
- // components.
- { true, "h.co.uk", "*.co.uk" },
+ // Wildcards should not be valid for registry-controlled domains, and for
+ // unknown/unrecognized domains, at least three domain components must be
+ // present.
+ { true, "www.test.example", "*.test.example" },
+ { true, "test.example.co.uk", "*.example.co.uk" },
+ { false, "test.example", "*.example" },
+ { false, "example.co.uk", "*.co.uk" },
{ false, "foo.com", "*.com" },
{ false, "foo.us", "*.us" },
{ false, "foo", "*" },
+ // IDN variants of wildcards and registry-controlled domains.
+ { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
+ { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },
+ { false, "xn--poema-9qae5a.com.br", "*.com.br" },
+ { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },
// Multiple wildcards are not valid.
{ false, "foo.example.com", "*.*.com" },
{ false, "foo.bar.example.com", "*.bar.*.com" },
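Review bot: The added rows only exercise a full-label `*` against registry-controlled suffixes; nothing in this hunk pins that a partial-label wildcard is refused there as well. The new code in x509_certificate.cc clears `allow_wildcards` for the whole reference name, so constructed rows such as `{ false, "foo.co.uk", "f*.co.uk" },` and `{ false, "foo.com", "*o.com" },` should hold. They would guard against a later change that special-cases only the bare `*` label. kNameVerifyTestData starts and ends outside this hunk, so equivalent rows may already exist elsewhere in the table.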
@@ -1345,6 +1353,9 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ false, "example.com.", "*.com" },
{ false, "example.com.", "*.com." },
{ false, "foo.", "*." },
+ { false, "foo", "*." },
+ { false, "foo.co.uk", "*.co.uk." },
+ { false, "foo.co.uk.", "*.co.uk." },
// IP addresses in common name; IPv4 only.
{ true, "127.0.0.1", "127.0.0.1" },
{ true, "192.168.1.1", "192.168.1.1" },