Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(173)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/x509_certificate.cc

Issue 8374020: Make it a fatal SSL error when encountering certs signed with md[2,4], and interstitial md5 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: joth feedback Created 9 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | net/base/x509_certificate_unittest.cc » ('j') | net/base/x509_certificate_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 #include <map> 10 #include <map>
(...skipping 572 matching lines...) Expand 10 before | Expand all | Expand 10 after
583 583
584 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); 584 int rv = VerifyInternal(hostname, flags, crl_set, verify_result);
585 585
586 // This check is done after VerifyInternal so that VerifyInternal can fill in 586 // This check is done after VerifyInternal so that VerifyInternal can fill in
587 // the list of public key hashes. 587 // the list of public key hashes.
588 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { 588 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
589 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID; 589 verify_result->cert_status |= CERT_STATUS_AUTHORITY_INVALID;
590 rv = MapCertStatusToNetError(verify_result->cert_status); 590 rv = MapCertStatusToNetError(verify_result->cert_status);
591 } 591 }
592 592
593 // Treat certificates signed using broken signature algorithms as invalid.
594 if (verify_result->has_md2 || verify_result->has_md4) {
595 verify_result->cert_status |= CERT_STATUS_INVALID;
596 rv = MapCertStatusToNetError(verify_result->cert_status);
597 }
598
599 // Flag certificates using weak signature algorithms.
600 if (verify_result->has_md5) {
601 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
602 // Only replace the error code if there is not already an error, otherwise
603 // this may end up replacing a fatal error (such as a library failure)
604 // with a benign, user-overridable error.
wtc 2011/11/04 22:57:42 This is a subtle problem. Perhaps the test should
605 if (rv == OK)
606 rv = MapCertStatusToNetError(verify_result->cert_status);
607 }
608
593 return rv; 609 return rv;
594 } 610 }
595 611
596 #if !defined(USE_NSS) 612 #if !defined(USE_NSS)
597 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { 613 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {
598 std::vector<std::string> dns_names, ip_addrs; 614 std::vector<std::string> dns_names, ip_addrs;
599 GetSubjectAltName(&dns_names, &ip_addrs); 615 GetSubjectAltName(&dns_names, &ip_addrs);
600 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); 616 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs);
601 } 617 }
602 #endif 618 #endif
(...skipping 138 matching lines...) Expand 10 before | Expand all | Expand 10 after
741 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, 757 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
742 const uint8* array, 758 const uint8* array,
743 size_t array_byte_len) { 759 size_t array_byte_len) {
744 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); 760 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);
745 const size_t arraylen = array_byte_len / base::kSHA1Length; 761 const size_t arraylen = array_byte_len / base::kSHA1Length;
746 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, 762 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,
747 CompareSHA1Hashes); 763 CompareSHA1Hashes);
748 } 764 }
749 765
750 } // namespace net 766 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | net/base/x509_certificate_unittest.cc » ('j') | net/base/x509_certificate_unittest.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698