authorrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-17 02:09:08 +0000
committerrsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-05-17 02:09:08 +0000
commitff35321f8eb52f5f6ae54a89a07a0c729854e548 (patch)
tree876fa0f34fdf64781e7296cb1c4693c0ce96b94f /net/cert/cert_verify_proc.h
parente806cd78897dfcb7122bc5a69993f2c6d0c1f7e2 (diff)
Warn if a well-known/"public" CA issues a certificate for a non-TLD
In preparation for new gTLDs being issued, begin phasing out the process of permitting publicly-trusted, well-known CAs to issue certificates for names that the CA cannot verify exclusive control over, such as "webmail" or "intranet.corp". Instead, require all publicly-trusted certificates be issued for domains that chain to an ICANN-recognized root zone (registry controlled domain). For certs that fail to meet this basic criterion, do not display the page as secure, as an attacker may be able to go to another CA (or even the same CA as the 'legitimate' site) and get a valid, publicly-trusted certificate for the same name. This does not cause an interstitial to be shown, but represents the first step to phasing out the practice. BUG=119212 TEST=[to be filled in] Review URL: https://chromiumcodereview.appspot.com/15203007 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@200704 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/cert/cert_verify_proc.h')
-rw-r--r--net/cert/cert_verify_proc.h20
1 files changed, 17 insertions, 3 deletions
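--- a/net/cert/cert_verify_proc.h
+++ b/net/cert/cert_verify_proc.h
@@ -67,13 +67,14 @@ class NET_EXPORT CertVerifyProc
 virtual bool SupportsAdditionalTrustAnchors() const = 0;
 protected:
- friend class base::RefCountedThreadSafe<CertVerifyProc>;
- FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
-
 CertVerifyProc();
 virtual ~CertVerifyProc();
 private:
+ friend class base::RefCountedThreadSafe<CertVerifyProc>;
+ friend class CertVerifyProcNonUniqueNameTest;
+ FRIEND_TEST_ALL_PREFIXES(CertVerifyProcTest, DigiNotarCerts);
+
 // Performs the actual verification using the desired underlying
 // cryptographic library.
 virtual int VerifyInternal(X509Certificate* cert,
@@ -89,6 +90,19 @@ class NET_EXPORT CertVerifyProc
 // IsPublicKeyBlacklisted returns true iff one of |public_key_hashes| (which
 // are hashes of SubjectPublicKeyInfo structures) is explicitly blocked.
 static bool IsPublicKeyBlacklisted(const HashValueVector& public_key_hashes);
+
+ // Returns true if |hostname| contains a name that is non-unique among
+ // certificates (eg: an "internal server name").
+ //
+ // While such names are not scheduled to be deprecated until 1 November 2015
+ // according to the CA/Browser Forum Baseline Requirements (v1.1), they
+ // represent a real risk for the deployment of new gTLDs, and thus being
+ // phased out ahead of the hard deadline.
+ // TODO(rsleevi): http://crbug.com/119212 - Also match internal IP address
+ // ranges.
+ static bool IsHostnameNonUnique(const std::string& hostname);
+
+ DISALLOW_COPY_AND_ASSIGN(CertVerifyProc);
 };
 } // namespace net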
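Review bot: The comment on the new `IsHostnameNonUnique` declaration does not say what form `hostname` must be in, whether the caller is expected to pass an already lower-cased, ASCII (punycode) name with any trailing dot removed or the function normalizes it itself, and for a check that decides whether a name chains to a registry-controlled domain, `Example.com.` and `example.com` must not get different answers. The phrase "contains a name that is non-unique" is also ambiguous between a substring match and a classification of the whole name. Suggest tightening the comment to `// Returns true if |hostname| is a name that is non-unique among certificates, such as an "internal server name" that does not chain to a registry-controlled domain. |hostname| is assumed to be in canonical form (lower-case ASCII/punycode, no trailing dot) -- confirm against callers.` and extending the existing TODO to state that, until internal IP ranges are matched, an IP-literal hostname is presumably not classified by this check. The class declaration and the enclosing namespace begin outside the hunk.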