Record when certificates signed with md[2,4,5] are encountered when using OpenSSL

net/base/x509_certificate_openssl.cc

Index: net/base/x509_certificate_openssl.cc
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index 80e2517a0be870ea269589ab259128772f3246a9..0bdcff0b3967dbf7313288d31a2b4eeaed578572 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -475,6 +475,19 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
       verified_chain.push_back(cert);
     }
 
+    int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm);
+    if (sig_alg == NID_md2WithRSAEncryption) {
+      verify_result->has_md2 = true;
+      if (i != 0)
+        verify_result->has_md2_ca = true;
+    } else if (sig_alg == NID_md4WithRSAEncryption) {
+      verify_result->has_md4 = true;

[palmer, 2011/10/25 19:44:48]

Even if we never expect to see it, perhaps we should also check for MD4 CAs and
set true in that case?

[wtc, 2011/10/25 20:37:31]

Thank you for the suggestion.  I should explain why there
is no has_md4_ca.

The reason there are has_md2_ca and has_md5_ca is that
they allow us to disallow MD2 or MD5 CA certificates
first, before disallowing MD2 or MD5 server certificates.

MD4 is more broken than MD2 and MD5 and probably was only
supported by Windows.  Therefore we can directly ban all MD4
certificates.  A two-phase banning isn't necessary.

+    } else if (sig_alg == NID_md5WithRSAEncryption) {
+      verify_result->has_md5 = true;
+      if (i != 0)
+        verify_result->has_md5_ca = true;
+    }
+
     DERCache der_cache;
     if (!GetDERAndCacheIfNeeded(cert, &der_cache))
       continue;