OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
(...skipping 572 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
583 | 583 |
584 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); | 584 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
585 | 585 |
586 // This check is done after VerifyInternal so that VerifyInternal can fill in | 586 // This check is done after VerifyInternal so that VerifyInternal can fill in |
587 // the list of public key hashes. | 587 // the list of public key hashes. |
588 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 588 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
589 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; | 589 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; |
590 rv = MapCertStatusToNetError(verify_result->cert_status); | 590 rv = MapCertStatusToNetError(verify_result->cert_status); |
591 } | 591 } |
592 | 592 |
593 // Treat certificates signed using broken signature algorithms as invalid. | |
594 if (verify_result->has_md2 || verify_result->has_md4) { | |
595 verify_result->cert_status |= CERT_STATUS_INVALID; | |
596 rv = MapCertStatusToNetError(verify_result->cert_status); | |
597 } | |
598 | |
599 // Flag certificates using weak signature algorithms. | |
600 if (verify_result->has_md5) { | |
601 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | |
602 // Only replace the error code if there is not already an error, otherwise | |
603 // this may end up replacing a fatal error (such as a library failure) | |
604 // with a benign, user-overridable error. | |
wtc
2011/11/04 22:57:42
This is a subtle problem. Perhaps the test should
| |
605 if (rv == OK) | |
606 rv = MapCertStatusToNetError(verify_result->cert_status); | |
607 } | |
608 | |
593 return rv; | 609 return rv; |
594 } | 610 } |
595 | 611 |
596 #if !defined(USE_NSS) | 612 #if !defined(USE_NSS) |
597 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 613 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
598 std::vector<std::string> dns_names, ip_addrs; | 614 std::vector<std::string> dns_names, ip_addrs; |
599 GetSubjectAltName(&dns_names, &ip_addrs); | 615 GetSubjectAltName(&dns_names, &ip_addrs); |
600 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 616 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); |
601 } | 617 } |
602 #endif | 618 #endif |
(...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
741 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 757 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
742 const uint8* array, | 758 const uint8* array, |
743 size_t array_byte_len) { | 759 size_t array_byte_len) { |
744 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); | 760 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); |
745 const size_t arraylen = array_byte_len / base::kSHA1Length; | 761 const size_t arraylen = array_byte_len / base::kSHA1Length; |
746 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, | 762 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, |
747 CompareSHA1Hashes); | 763 CompareSHA1Hashes); |
748 } | 764 } |
749 | 765 |
750 } // namespace net | 766 } // namespace net |
OLD | NEW |