net: enforce domain limitations on India CCA.

See http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html

BUG=392251

Review URL: https://codereview.chromium.org/380033002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@282276 0039d316-1c4b-4281-b951-d872f2087c98

net/cert/cert_verify_proc.cc

@@ -456,13 +456,13 @@ bool CertVerifyProc::IsPublicKeyBlacklisted(
   return false;
 }
 
-static const size_t kMaxTLDLength = 4;
+static const size_t kMaxDomainLength = 18;
 
 // CheckNameConstraints verifies that every name in |dns_names| is in one of
-// the domains specified by |tlds|. The |tlds| array is terminated by an empty
-// string.
+// the domains specified by |domains|. The |domains| array is terminated by an
+// empty string.
 static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
-                                 const char tlds[][kMaxTLDLength]) {
+                                 const char domains[][kMaxDomainLength]) {
   for (std::vector<std::string>::const_iterator i = dns_names.begin();
        i != dns_names.end(); ++i) {
     bool ok = false;
@@ -480,16 +480,16 @@ static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
     if (registry_len == 0)
       continue;
 
-    for (size_t j = 0; tlds[j][0]; ++j) {
-      const size_t tld_length = strlen(tlds[j]);
-      // The DNS name must have "." + tlds[j] as a suffix.
-      if (i->size() <= (1 /* period before TLD */ + tld_length))
+    for (size_t j = 0; domains[j][0]; ++j) {
+      const size_t domain_length = strlen(domains[j]);
+      // The DNS name must have "." + domains[j] as a suffix.
+      if (i->size() <= (1 /* period before domain */ + domain_length))
         continue;
 
-      const char* suffix = &dns_name[i->size() - tld_length - 1];
+      const char* suffix = &dns_name[i->size() - domain_length - 1];
       if (suffix[0] != '.')
         continue;
-      if (memcmp(&suffix[1], tlds[j], tld_length) != 0)
+      if (memcmp(&suffix[1], domains[j], domain_length) != 0)
         continue;
       ok = true;
       break;
@@ -502,12 +502,12 @@ static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
   return true;
 }
 
-// PublicKeyTLDLimitation contains a SHA1, SPKI hash and a pointer to an array
-// of fixed-length strings that contain the TLDs that the SPKI is allowed to
-// issue for.
-struct PublicKeyTLDLimitation {
+// PublicKeyDomainLimitation contains a SHA1, SPKI hash and a pointer to an
+// array of fixed-length strings that contain the domains that the SPKI is
+// allowed to issue for.
+struct PublicKeyDomainLimitation {
   uint8 public_key[base::kSHA1Length];
-  const char (*tlds)[kMaxTLDLength];
+  const char (*domains)[kMaxDomainLength];
 };
 
 // static
@@ -516,7 +516,7 @@ bool CertVerifyProc::HasNameConstraintsViolation(
     const std::string& common_name,
     const std::vector<std::string>& dns_names,
     const std::vector<std::string>& ip_addrs) {
-  static const char kTLDsANSSI[][kMaxTLDLength] = {
+  static const char kDomainsANSSI[][kMaxDomainLength] = {
     "fr",  // France
     "gp",  // Guadeloupe
     "gf",  // Guyane
@@ -533,25 +533,57 @@ bool CertVerifyProc::HasNameConstraintsViolation(
     "",
   };
 
-  static const char kTLDsTest[][kMaxTLDLength] = {
-    "com",
+  static const char kDomainsIndiaCCA[][kMaxDomainLength] = {
+    "gov.in",
+    "nic.in",
+    "ac.in",
+    "rbi.org.in",
+    "bankofindia.co.in",
+    "ncode.in",
+    "tcs.co.in",
     "",
   };
 
-  static const PublicKeyTLDLimitation kLimits[] = {
+  static const char kDomainsTest[][kMaxDomainLength] = {
+    "example.com",
+    "",
+  };
+
+  static const PublicKeyDomainLimitation kLimits[] = {
     // C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI,
     // CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
     {
       {0x79, 0x23, 0xd5, 0x8d, 0x0f, 0xe0, 0x3c, 0xe6, 0xab, 0xad,
        0xae, 0x27, 0x1a, 0x6d, 0x94, 0xf4, 0x14, 0xd1, 0xa8, 0x73},
-      kTLDsANSSI,
+      kDomainsANSSI,
+    },
+    // C=IN, O=India PKI, CN=CCA India 2007
+    // Expires: July 4th 2015.
+    {
+      {0xfe, 0xe3, 0x95, 0x21, 0x2d, 0x5f, 0xea, 0xfc, 0x7e, 0xdc,
+       0xcf, 0x88, 0x3f, 0x1e, 0xc0, 0x58, 0x27, 0xd8, 0xb8, 0xe4},
+      kDomainsIndiaCCA,
+    },
+    // C=IN, O=India PKI, CN=CCA India 2011
+    // Expires: March 11 2016.
+    {
+      {0xf1, 0x42, 0xf6, 0xa2, 0x7d, 0x29, 0x3e, 0xa8, 0xf9, 0x64,
+       0x52, 0x56, 0xed, 0x07, 0xa8, 0x63, 0xf2, 0xdb, 0x1c, 0xdf},
+      kDomainsIndiaCCA,
+    },
+    // C=IN, O=India PKI, CN=CCA India 2014
+    // Expires: March 5 2024.
+    {
+      {0x36, 0x8c, 0x4a, 0x1e, 0x2d, 0xb7, 0x81, 0xe8, 0x6b, 0xed,
+       0x5a, 0x0a, 0x42, 0xb8, 0xc5, 0xcf, 0x6d, 0xb3, 0x57, 0xe1},
+      kDomainsIndiaCCA,
     },
     // Not a real certificate - just for testing. This is the SPKI hash of
     // the keys used in net/data/ssl/certificates/name_constraint_*.crt.
     {
       {0x15, 0x45, 0xd7, 0x3b, 0x58, 0x6b, 0x47, 0xcf, 0xc1, 0x44,
        0xa2, 0xc9, 0xaa, 0xab, 0x98, 0x3d, 0x21, 0xcc, 0x42, 0xde},
-      kTLDsTest,
+      kDomainsTest,
     },
   };
 
@@ -563,10 +595,10 @@ bool CertVerifyProc::HasNameConstraintsViolation(
         if (dns_names.empty() && ip_addrs.empty()) {
           std::vector<std::string> dns_names;
           dns_names.push_back(common_name);
-          if (!CheckNameConstraints(dns_names, kLimits[i].tlds))
+          if (!CheckNameConstraints(dns_names, kLimits[i].domains))
             return true;
         } else {
-          if (!CheckNameConstraints(dns_names, kLimits[i].tlds))
+          if (!CheckNameConstraints(dns_names, kLimits[i].domains))
             return true;
         }
       }