return false;
}
-static const size_t kMaxTLDLength = 4;
+static const size_t kMaxDomainLength = 18;
// CheckNameConstraints verifies that every name in |dns_names| is in one of
-// the domains specified by |tlds|. The |tlds| array is terminated by an empty
-// string.
+// the domains specified by |domains|. The |domains| array is terminated by an
+// empty string.
static bool CheckNameConstraints(const std::vector<std::string>& dns_names,
- const char tlds[][kMaxTLDLength]) {
+ const char domains[][kMaxDomainLength]) {
for (std::vector<std::string>::const_iterator i = dns_names.begin();
i != dns_names.end(); ++i) {
bool ok = false;
if (registry_len == 0)
continue;
- for (size_t j = 0; tlds[j][0]; ++j) {
- const size_t tld_length = strlen(tlds[j]);
- // The DNS name must have "." + tlds[j] as a suffix.
- if (i->size() <= (1 /* period before TLD */ + tld_length))
+ for (size_t j = 0; domains[j][0]; ++j) {
+ const size_t domain_length = strlen(domains[j]);
+ // The DNS name must have "." + domains[j] as a suffix.
+ if (i->size() <= (1 /* period before domain */ + domain_length))
continue;
- const char* suffix = &dns_name[i->size() - tld_length - 1];
+ const char* suffix = &dns_name[i->size() - domain_length - 1];
if (suffix[0] != '.')
continue;
- if (memcmp(&suffix[1], tlds[j], tld_length) != 0)
+ if (memcmp(&suffix[1], domains[j], domain_length) != 0)
continue;
ok = true;
break;
return true;
}
-// PublicKeyTLDLimitation contains a SHA1, SPKI hash and a pointer to an array
-// of fixed-length strings that contain the TLDs that the SPKI is allowed to
-// issue for.
-struct PublicKeyTLDLimitation {
+// PublicKeyDomainLimitation contains a SHA1, SPKI hash and a pointer to an
+// array of fixed-length strings that contain the domains that the SPKI is
+// allowed to issue for.
+struct PublicKeyDomainLimitation {
uint8 public_key[base::kSHA1Length];
- const char (*tlds)[kMaxTLDLength];
+ const char (*domains)[kMaxDomainLength];
};
// static
const std::string& common_name,
const std::vector<std::string>& dns_names,
const std::vector<std::string>& ip_addrs) {
- static const char kTLDsANSSI[][kMaxTLDLength] = {
+ static const char kDomainsANSSI[][kMaxDomainLength] = {
"fr", // France
"gp", // Guadeloupe
"gf", // Guyane
"",
};
- static const char kTLDsTest[][kMaxTLDLength] = {
- "com",
+ static const char kDomainsIndiaCCA[][kMaxDomainLength] = {
+ "gov.in",
+ "nic.in",
+ "ac.in",
+ "rbi.org.in",
+ "bankofindia.co.in",
+ "ncode.in",
+ "tcs.co.in",
"",
};
- static const PublicKeyTLDLimitation kLimits[] = {
+ static const char kDomainsTest[][kMaxDomainLength] = {
+ "example.com",
+ "",
+ };
+
+ static const PublicKeyDomainLimitation kLimits[] = {
// C=FR, ST=France, L=Paris, O=PM/SGDN, OU=DCSSI,
// CN=IGC/A/emailAddress=igca@sgdn.pm.gouv.fr
{
{0x79, 0x23, 0xd5, 0x8d, 0x0f, 0xe0, 0x3c, 0xe6, 0xab, 0xad,
0xae, 0x27, 0x1a, 0x6d, 0x94, 0xf4, 0x14, 0xd1, 0xa8, 0x73},
- kTLDsANSSI,
+ kDomainsANSSI,
+ },
+ // C=IN, O=India PKI, CN=CCA India 2007
+ // Expires: July 4th 2015.
+ {
+ {0xfe, 0xe3, 0x95, 0x21, 0x2d, 0x5f, 0xea, 0xfc, 0x7e, 0xdc,
+ 0xcf, 0x88, 0x3f, 0x1e, 0xc0, 0x58, 0x27, 0xd8, 0xb8, 0xe4},
+ kDomainsIndiaCCA,
+ },
+ // C=IN, O=India PKI, CN=CCA India 2011
+ // Expires: March 11 2016.
+ {
+ {0xf1, 0x42, 0xf6, 0xa2, 0x7d, 0x29, 0x3e, 0xa8, 0xf9, 0x64,
+ 0x52, 0x56, 0xed, 0x07, 0xa8, 0x63, 0xf2, 0xdb, 0x1c, 0xdf},
+ kDomainsIndiaCCA,
+ },
+ // C=IN, O=India PKI, CN=CCA India 2014
+ // Expires: March 5 2024.
+ {
+ {0x36, 0x8c, 0x4a, 0x1e, 0x2d, 0xb7, 0x81, 0xe8, 0x6b, 0xed,
+ 0x5a, 0x0a, 0x42, 0xb8, 0xc5, 0xcf, 0x6d, 0xb3, 0x57, 0xe1},
+ kDomainsIndiaCCA,
},
// Not a real certificate - just for testing. This is the SPKI hash of
// the keys used in net/data/ssl/certificates/name_constraint_*.crt.
{
{0x15, 0x45, 0xd7, 0x3b, 0x58, 0x6b, 0x47, 0xcf, 0xc1, 0x44,
0xa2, 0xc9, 0xaa, 0xab, 0x98, 0x3d, 0x21, 0xcc, 0x42, 0xde},
- kTLDsTest,
+ kDomainsTest,
},
};
if (dns_names.empty() && ip_addrs.empty()) {
std::vector<std::string> dns_names;
dns_names.push_back(common_name);
- if (!CheckNameConstraints(dns_names, kLimits[i].tlds))
+ if (!CheckNameConstraints(dns_names, kLimits[i].domains))
return true;
} else {
- if (!CheckNameConstraints(dns_names, kLimits[i].tlds))
+ if (!CheckNameConstraints(dns_names, kLimits[i].domains))
return true;
}
}