OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
(...skipping 579 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
590 | 590 |
591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); | 591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
592 | 592 |
593 // This check is done after VerifyInternal so that VerifyInternal can fill in | 593 // This check is done after VerifyInternal so that VerifyInternal can fill in |
594 // the list of public key hashes. | 594 // the list of public key hashes. |
595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
596 verify_result->cert_status |= CERT_STATUS_REVOKED; | 596 verify_result->cert_status |= CERT_STATUS_REVOKED; |
597 rv = MapCertStatusToNetError(verify_result->cert_status); | 597 rv = MapCertStatusToNetError(verify_result->cert_status); |
598 } | 598 } |
599 | 599 |
600 // Treat certificates signed using broken signature algorithms as invalid. | |
601 if (verify_result->has_md2 || verify_result->has_md4) { | |
602 verify_result->cert_status |= CERT_STATUS_INVALID; | |
603 rv = MapCertStatusToNetError(verify_result->cert_status); | |
604 } | |
605 | |
606 // Flag certificates using weak signature algorithms. | |
607 if (verify_result->has_md5) { | |
608 bool has_cert_status_error = | |
wtc
2011/12/02 23:04:59
Nit: has_cert_status_error => cert_status_has_erro
| |
609 IsCertStatusError(verify_result->cert_status); | |
610 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | |
611 // Only replace the error code if verification was successful or if the | |
612 // error has also been reported in |cert_status|. This is to avoid the | |
613 // possibility of replacing a more fatal error (such as an OS/library | |
wtc
2011/12/02 23:04:59
Nit: remove "the possibility of".
| |
614 // failure), which may not be reported in |cert_status|. | |
615 if (rv == OK || (IsCertificateError(rv) && has_cert_status_error)) | |
Ryan Sleevi
2011/11/20 00:17:00
I believe the following check should be a sufficie
wtc
2011/12/02 23:04:59
I'm still not convinced that we should check
has_c
Ryan Sleevi
2011/12/02 23:54:28
Then it's a bug - MapSecurityError() can return a
wtc
2011/12/06 00:56:17
It is true that MapSecurityError in x509_certifica
| |
616 rv = MapCertStatusToNetError(verify_result->cert_status); | |
617 } | |
618 | |
600 return rv; | 619 return rv; |
601 } | 620 } |
602 | 621 |
603 #if !defined(USE_NSS) | 622 #if !defined(USE_NSS) |
604 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 623 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
605 std::vector<std::string> dns_names, ip_addrs; | 624 std::vector<std::string> dns_names, ip_addrs; |
606 GetSubjectAltName(&dns_names, &ip_addrs); | 625 GetSubjectAltName(&dns_names, &ip_addrs); |
607 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 626 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); |
608 } | 627 } |
609 #endif | 628 #endif |
(...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
798 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 817 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
799 const uint8* array, | 818 const uint8* array, |
800 size_t array_byte_len) { | 819 size_t array_byte_len) { |
801 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); | 820 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); |
802 const size_t arraylen = array_byte_len / base::kSHA1Length; | 821 const size_t arraylen = array_byte_len / base::kSHA1Length; |
803 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, | 822 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, |
804 CompareSHA1Hashes); | 823 CompareSHA1Hashes); |
805 } | 824 } |
806 | 825 |
807 } // namespace net | 826 } // namespace net |
OLD | NEW |