OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
(...skipping 572 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
583 | 583 |
584 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); | 584 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
585 | 585 |
586 // This check is done after VerifyInternal so that VerifyInternal can fill in | 586 // This check is done after VerifyInternal so that VerifyInternal can fill in |
587 // the list of public key hashes. | 587 // the list of public key hashes. |
588 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 588 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
589 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; | 589 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; |
590 rv = MapCertStatusToNetError(verify_result->cert_status); | 590 rv = MapCertStatusToNetError(verify_result->cert_status); |
591 } | 591 } |
592 | 592 |
593 // Treat certificates signed using broken signature algorithms as invalid. | |
594 if (verify_result->has_md2 || verify_result->has_md4) { | |
595 verify_result->cert_status |= CERT_STATUS_INVALID; | |
596 rv = MapCertStatusToNetError(verify_result->cert_status); | |
597 } | |
598 | |
599 // Flag certificates using weak signature algorithms. | |
600 if (verify_result->has_md5) { | |
601 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | |
602 rv = MapCertStatusToNetError(verify_result->cert_status); | |
joth
2011/11/03 09:09:38
I just noticed all three of these MapCertStatusToN
palmer
2011/11/03 17:47:04
As I understand it, only CERT_STATUS_WEAK_SIGNATUR
joth
2011/11/03 20:01:27
The case I was thinking of was VerifyInternal may
Ryan Sleevi
2011/11/03 23:22:45
Good catch. You're absolutely correct that this co
| |
603 } | |
604 | |
593 return rv; | 605 return rv; |
594 } | 606 } |
595 | 607 |
596 #if !defined(USE_NSS) | 608 #if !defined(USE_NSS) |
597 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 609 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
598 std::vector<std::string> dns_names, ip_addrs; | 610 std::vector<std::string> dns_names, ip_addrs; |
599 GetSubjectAltName(&dns_names, &ip_addrs); | 611 GetSubjectAltName(&dns_names, &ip_addrs); |
600 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 612 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); |
601 } | 613 } |
602 #endif | 614 #endif |
(...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
741 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 753 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
742 const uint8* array, | 754 const uint8* array, |
743 size_t array_byte_len) { | 755 size_t array_byte_len) { |
744 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); | 756 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); |
745 const size_t arraylen = array_byte_len / base::kSHA1Length; | 757 const size_t arraylen = array_byte_len / base::kSHA1Length; |
746 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, | 758 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, |
747 CompareSHA1Hashes); | 759 CompareSHA1Hashes); |
748 } | 760 } |
749 | 761 |
750 } // namespace net | 762 } // namespace net |
OLD | NEW |