Index: net/base/x509_certificate.cc |
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc |
index e1fca4e77597f664ec7b0da2fd384c314e638b39..966b61654ad0a208872620848e1a5195be1b9b91 100644 |
--- a/net/base/x509_certificate.cc |
+++ b/net/base/x509_certificate.cc |
@@ -590,6 +590,18 @@ int X509Certificate::Verify(const std::string& hostname, |
rv = MapCertStatusToNetError(verify_result->cert_status); |
} |
+ // Treat certificates signed using broken signature algorithms as invalid. |
+ if (verify_result->has_md2 || verify_result->has_md4) { |
+ verify_result->cert_status |= CERT_STATUS_INVALID; |
+ rv = MapCertStatusToNetError(verify_result->cert_status); |
+ } |
+ |
+ // Flag certificates using weak signature algorithms. |
+ if (verify_result->has_md5) { |
+ verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
+ rv = MapCertStatusToNetError(verify_result->cert_status); |
joth
2011/11/03 09:09:38
I just noticed all three of these MapCertStatusToN
palmer
2011/11/03 17:47:04
As I understand it, only CERT_STATUS_WEAK_SIGNATUR
joth
2011/11/03 20:01:27
The case I was thinking of was VerifyInternal may
Ryan Sleevi
2011/11/03 23:22:45
Good catch. You're absolutely correct that this co
|
+ } |
+ |
return rv; |
} |