Revert 107679 - Broke https for appspot.com - http://crbug.com/102507

Disallow wildcards from matching top-level registry controlled domains during cert validation.

BUG=100442
TEST=net_unittests:X509CertificateNameVerifyTest.*


Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=107075

Review URL: http://codereview.chromium.org/8362023

TBR=rsleevi@chromium.org
Review URL: http://codereview.chromium.org/8438024

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108216 0039d316-1c4b-4281-b951-d872f2087c98

net/base/x509_certificate.cc

@@ -27,7 +27,6 @@
 #include "net/base/net_errors.h"
 #include "net/base/net_util.h"
 #include "net/base/pem_tokenizer.h"
-#include "net/base/registry_controlled_domain.h"
 
 namespace net {
 
@@ -509,36 +508,17 @@ bool X509Certificate::VerifyHostname(
   // |reference_domain| is the remainder of |host| after the leading host
   // component is stripped off, but includes the leading dot e.g.
   // "www.f.com" -> ".f.com".
-  // If there is no meaningful domain part to |host| (e.g. it contains no
-  // dots) then |reference_domain| will be empty.
+  // If there is no meaningful domain part to |host| (e.g. it contains no dots)
+  // then |reference_domain| will be empty.
   base::StringPiece reference_host, reference_domain;
   SplitOnChar(reference_name, '.', &reference_host, &reference_domain);
   bool allow_wildcards = false;
   if (!reference_domain.empty()) {
     DCHECK(reference_domain.starts_with("."));
-
-    // Do not allow wildcards for registry controlled domains, so as to
-    // prevent accepting *.com or *.co.uk as valid presented names. Passing
-    // true for |allow_unknown_registries| so that top-level domains which are
-    // unknown (intranet domains, new TLDs/gTLDs not yet recognized) are
-    // treated as registry-controlled domains. Because the |reference_domain|
-    // must contain at least one name component that is not registry
-    // controlled, this ensures that all reference names have at least three
-    // domain components in order to permit wildcards.
-    size_t registry_length =
-        RegistryControlledDomainService::GetRegistryLength(reference_name,
-                                                           true);
-    // As the |reference_name| was already canonicalized, this should never
-    // happen.
-    CHECK_NE(registry_length, std::string::npos);
-
-    // Subtracting 1 to account for the leading dot in |reference_domain|.
-    bool is_registry_controlled = registry_length != 0 &&
-        registry_length == (reference_domain.size() - 1);
-
-    // Additionally, do not attempt wildcard matching for purely numeric
-    // hostnames.
-    allow_wildcards = !is_registry_controlled &&
+    // We required at least 3 components (i.e. 2 dots) as a basic protection
+    // against too-broad wild-carding.
+    // Also we don't attempt wildcard matching on a purely numerical hostname.
+    allow_wildcards = reference_domain.rfind('.') != 0 &&
         reference_name.find_first_not_of("0123456789.") != std::string::npos;
   }
 

net/base/x509_certificate_unittest.cc

@@ -1345,6 +1345,7 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
                                             "xn--poema-*.com.br,"
                                             "xn--*-9qae5a.com.br,"
                                             "*--poema-9qae5a.com.br" },
+    { true, "xn--poema-9qae5a.com.br", "*.com.br" },
     // The following are adapted from the  examples quoted from
     // http://tools.ietf.org/html/rfc6125#section-6.4.3
     //  (e.g., *.example.com would match foo.example.com but
@@ -1358,21 +1359,12 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
     { true, "baz1.example.net", "baz*.example.net" },
     { true, "foobaz.example.net", "*baz.example.net" },
     { true, "buzz.example.net", "b*z.example.net" },
-    // Wildcards should not be valid for registry-controlled domains, and for
-    // unknown/unrecognized domains, at least three domain components must be
-    // present.
-    { true, "www.test.example", "*.test.example" },
-    { true, "test.example.co.uk", "*.example.co.uk" },
-    { false, "test.example", "*.example" },
-    { false, "example.co.uk", "*.co.uk" },
+    // Wildcards should not be valid unless there are at least three name
+    // components.
+    { true,  "h.co.uk", "*.co.uk" },
     { false, "foo.com", "*.com" },
     { false, "foo.us", "*.us" },
     { false, "foo", "*" },
-    //  IDN variants of wildcards and registry-controlled domains.
-    { true, "www.xn--poema-9qae5a.com.br", "*.xn--poema-9qae5a.com.br" },
-    { true, "test.example.xn--mgbaam7a8h", "*.example.xn--mgbaam7a8h" },
-    { false, "xn--poema-9qae5a.com.br", "*.com.br" },
-    { false, "example.xn--mgbaam7a8h", "*.xn--mgbaam7a8h" },
     // Multiple wildcards are not valid.
     { false, "foo.example.com", "*.*.com" },
     { false, "foo.bar.example.com", "*.bar.*.com" },
@@ -1393,9 +1385,6 @@ const CertificateNameVerifyTestData kNameVerifyTestData[] = {
     { false, "example.com.", "*.com" },
     { false, "example.com.", "*.com." },
     { false, "foo.", "*." },
-    { false, "foo", "*." },
-    { false, "foo.co.uk", "*.co.uk." },
-    { false, "foo.co.uk.", "*.co.uk." },
     // IP addresses in common name; IPv4 only.
     { true, "127.0.0.1", "127.0.0.1" },
     { true, "192.168.1.1", "192.168.1.1" },