authorrsleevi <rsleevi@chromium.org>2014-12-03 07:01:41 -0800
committerCommit bot <commit-bot@chromium.org>2014-12-03 15:02:04 +0000
commit11b72a072effbf22f4f80eaba75acb38e33967dd (patch)
treeb79b749c957e2e75807c260e6d61b18fabfbd0c1
parent154b5c56f877cb850e91f06ceb9f811a7e03b873 (diff)
Disallow support for a*.example.net, *a.example.net, and a*b.example.net in certificate wildcard handling.
RFC 2818 deprecates these esoteric forms, thus RFC 6125 documents them, but they should never appear in a publicly trusted certificate, and are dang weird for internal certificates.

Instead, require that the wildcard
- Appear ONLY in the left-most label of a presented name. This is existing behaviour.
- Appear as the ONLY character in the label (e.g. it is the full label). This is the new behaviour.

BUG=434960
R=davidben@chromium.org

Review URL: https://codereview.chromium.org/762013002

Cr-Commit-Position: refs/heads/master@{#306603}
-rw-r--r--net/cert/x509_certificate.cc15
-rw-r--r--net/cert/x509_certificate_unittest.cc20
2 files changed, 13 insertions, 22 deletions
diff --git a/net/cert/x509_certificate.cc b/net/cert/x509_certificate.cc
index 880d487..02e0234 100644
--- a/net/cert/x509_certificate.cc
+++ b/net/cert/x509_certificate.cc
@@ -629,27 +629,16 @@ bool X509Certificate::VerifyHostname(
if (presented_domain != reference_domain)
continue;
- base::StringPiece pattern_begin, pattern_end;
- SplitOnChar(presented_host, '*', &pattern_begin, &pattern_end);
-
- if (pattern_end.empty()) { // No '*' in the presented_host
+ if (presented_host != "*") {
if (presented_host == reference_host)
return true;
continue;
}
- pattern_end.remove_prefix(1); // move past the *
if (!allow_wildcards)
continue;
- // * must not match a substring of an IDN A label; just a whole fragment.
- if (reference_host.starts_with("xn--") &&
- !(pattern_begin.empty() && pattern_end.empty()))
- continue;
-
- if (reference_host.starts_with(pattern_begin) &&
- reference_host.ends_with(pattern_end))
- return true;
+ return true;
}
return false;
}
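Review bot: A presented label that mixes `*` with other characters (`w*w`, `wa*`) now enters the `presented_host != "*"` branch and is compared literally against `reference_host`, so it is rejected only as long as the reference host can never contain a `*` itself. Whether that holds is decided outside this hunk, since the body of VerifyHostname starts before it. Making the rejection explicit removes that dependency, for example `if (presented_host.find('*') != base::StringPiece::npos) continue;` as the first statement inside that branch. The final `return true;` also lost the reasoning the deleted IDN comment carried, so a comment such as `// A lone "*" label matches any single left-most label, including IDN A-labels.` above it would help the next reader.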
diff --git a/net/cert/x509_certificate_unittest.cc b/net/cert/x509_certificate_unittest.cc
index c64da2c..f5e49f8 100644
--- a/net/cert/x509_certificate_unittest.cc
+++ b/net/cert/x509_certificate_unittest.cc
@@ -971,10 +971,10 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ false, "w.bar.foo.com", "w*.bar.foo.com" },
{ false, "www.bar.foo.com", "ww*ww.bar.foo.com" },
{ false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" },
- { true, "wwww.bar.foo.com", "w*w.bar.foo.com" },
+ { false, "wwww.bar.foo.com", "w*w.bar.foo.com" },
{ false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" },
- { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" },
- { true, "wally.bar.foo.com", "*Ly.bar.foo.com" },
+ { false, "WALLY.bar.foo.com", "wa*.bar.foo.com" },
+ { false, "wally.bar.foo.com", "*Ly.bar.foo.com" },
{ true, "ww%57.foo.com", "", "www.foo.com" },
{ true, "www&.foo.com", "www%26.foo.com" },
// Common name must not be used if subject alternative name was provided.
@@ -998,12 +998,14 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
{ true, "foo.example.com", "*.example.com" },
{ false, "bar.foo.example.com", "*.example.com" },
{ false, "example.com", "*.example.com" },
- // (e.g., baz*.example.net and *baz.example.net and b*z.example.net would
- // be taken to match baz1.example.net and foobaz.example.net and
- // buzz.example.net, respectively
- { true, "baz1.example.net", "baz*.example.net" },
- { true, "foobaz.example.net", "*baz.example.net" },
- { true, "buzz.example.net", "b*z.example.net" },
+ // Partial wildcards are disallowed, though RFC 2818 rules allow them.
+ // That is, forms such as baz*.example.net, *baz.example.net, and
+ // b*z.example.net should NOT match domains. Instead, the wildcard must
+ // always be the left-most label, and only a single label.
+ { false, "baz1.example.net", "baz*.example.net" },
+ { false, "foobaz.example.net", "*baz.example.net" },
+ { false, "buzz.example.net", "b*z.example.net" },
+ { false, "www.test.example.net", "www.*.example.net" },
// Wildcards should not be valid for public registry controlled domains,
// and unknown/unrecognized domains, at least three domain components must
// be present.
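Review bot: The new negative rows cover prefix, suffix, infix and non-left-most wildcards, but none of the visible rows pins a left-most label made of more than one `*`, which the new `presented_host != "*"` check treats as a literal label rather than a wildcard. A row such as `{ false, "foo.example.net", "**.example.net" },` next to the `www.*.example.net` case would lock that behaviour in. kNameVerifyTestData continues outside this hunk, so an equivalent row may already exist further down.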