net/base/x509_certificate.cc - Issue 8374020: Make it a fatal SSL error when encountering certs signed with md[2,4], and interstitial md5

Side by Side Diff: net/base/x509_certificate.cc

Issue 8374020: Make it a fatal SSL error when encountering certs signed with md[2,4], and interstitial md5 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Created 9 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/base/x509_certificate.h"	5 #include "net/base/x509_certificate.h"

6	6

7 #include <stdlib.h>	7 #include <stdlib.h>

8	8

9 #include <algorithm>	9 #include <algorithm>

10 #include <map>	10 #include <map>

(...skipping 585 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
596	596

597 int rv = VerifyInternal(hostname, flags, verify_result);	597 int rv = VerifyInternal(hostname, flags, verify_result);

598	598

599 // This check is done after VerifyInternal so that VerifyInternal can fill in	599 // This check is done after VerifyInternal so that VerifyInternal can fill in

600 // the list of public key hashes.	600 // the list of public key hashes.

601 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {	601 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {

602 verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;	602 verify_result->cert_status \|= CERT_STATUS_AUTHORITY_INVALID;

603 rv = MapCertStatusToNetError(verify_result->cert_status);	603 rv = MapCertStatusToNetError(verify_result->cert_status);

604 }	604 }

605	605

	606 if (verify_result->has_md2 \|\| verify_result->has_md4 \|\|

	607 verify_result->has_md5) {
	palmer 2011/10/24 18:22:31 wtc does not want to ban MD5 yet. To ban MD5, and wtc does not want to ban MD5 yet. To ban MD5, and we ultimately must, we will want to collaborate with other browser vendors and CA/B Forum. For now, let's only ban MD2 and MD5. NOTE that we MUST NOT ban the 4 known Verisign MD2-signed root certs. (I don't know if this code applies to roots, or just end entities and intermediaries?) We could conceivably ban MD2 (and MD4) also for roots but special-case the 4 known MD2 root certs. That would be the tightest solution, if feasible. wtc 2011/10/24 22:41:14 The signatures in the self-signed certificates of Show quoted text On 2011/10/24 18:22:31, Chris P. wrote: > > NOTE that we MUST NOT ban the 4 known Verisign MD2-signed root certs. (I don't > know if this code applies to roots, or just end entities and intermediaries?) The signatures in the self-signed certificates of root CAs used as trust anchors are not important. rsleevi: please make sure verify_result->has_md[2,4,5] do not include the root CA certificates. We should document their meanings in net/base/cert_verify_result.h. Thanks! Ryan Sleevi 2011/10/24 23:16:32 The logic currently includes roots (both has_mdX a Show quoted text On 2011/10/24 22:41:14, wtc wrote: > > On 2011/10/24 18:22:31, Chris P. wrote: > > > > NOTE that we MUST NOT ban the 4 known Verisign MD2-signed root certs. (I don't > > know if this code applies to roots, or just end entities and intermediaries?) > > The signatures in the self-signed certificates of root CAs > used as trust anchors are not important. > > rsleevi: please make sure verify_result->has_md[2,4,5] > do not include the root CA certificates. We should document > their meanings in net/base/cert_verify_result.h. Thanks! The logic currently includes roots (both has_mdX and has_mdX_ca have made no remark towards roots]. I will adjust that accordingly.
	608 verify_result->cert_status \|= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;

	609 rv = MapCertStatusToNetError(verify_result->cert_status);

	610 }

	611

606 return rv;	612 return rv;

607 }	613 }

608	614

609 #if !defined(USE_NSS)	615 #if !defined(USE_NSS)

610 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {	616 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {

611 std::vector<std::string> dns_names, ip_addrs;	617 std::vector<std::string> dns_names, ip_addrs;

612 GetSubjectAltName(&dns_names, &ip_addrs);	618 GetSubjectAltName(&dns_names, &ip_addrs);

613 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs);	619 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs);

614 }	620 }

615 #endif	621 #endif

(...skipping 386 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
1002 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,	1008 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,

1003 const uint8* array,	1009 const uint8* array,

1004 size_t array_byte_len) {	1010 size_t array_byte_len) {

1005 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);	1011 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);

1006 const size_t arraylen = array_byte_len / base::kSHA1Length;	1012 const size_t arraylen = array_byte_len / base::kSHA1Length;

1007 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,	1013 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,

1008 CompareSHA1Hashes);	1014 CompareSHA1Hashes);

1009 }	1015 }

1010	1016

1011 } // namespace net	1017 } // namespace net

OLD	NEW

« no previous file with comments | « net/base/cert_status_flags.cc ('k') | net/base/x509_certificate_openssl.cc » ('j') | net/base/x509_certificate_openssl.cc » ('J')