net/base/x509_certificate_openssl.cc - Issue 8568040: Refuse to accept certificate chains containing any RSA public key smaller

Side by Side Diff: net/base/x509_certificate_openssl.cc

Issue 8568040: Refuse to accept certificate chains containing any RSA public key smaller (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: '' Created 9 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/base/x509_certificate.h"	5 #include "net/base/x509_certificate.h"

6	6

7 #include <openssl/asn1.h>	7 #include <openssl/asn1.h>

8 #include <openssl/crypto.h>	8 #include <openssl/crypto.h>

9 #include <openssl/obj_mac.h>	9 #include <openssl/obj_mac.h>

10 #include <openssl/pem.h>	10 #include <openssl/pem.h>

(...skipping 601 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
612 Pickle* pickle) {	612 Pickle* pickle) {

613 DERCache der_cache;	613 DERCache der_cache;

614 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache))	614 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache))

615 return false;	615 return false;

616	616

617 return pickle->WriteData(	617 return pickle->WriteData(

618 reinterpret_cast<const char*>(der_cache.data),	618 reinterpret_cast<const char*>(der_cache.data),

619 der_cache.data_length);	619 der_cache.data_length);

620 }	620 }

621	621

	622 // static

	623 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,

	624 size_t* size_bits,

	625 PublicKeyType* type) {

	626 EVP_PKEY* key = X509_get_pubkey(cert_handle);

	627 CHECK(key);

	628 size_bits = EVP_PKEY_size(key) 8;
	wtc 2011/11/17 02:52:18 Is there an OpenSSL function that returns the key Is there an OpenSSL function that returns the key size in bits? Some EC key sizes are not a multiple of 8 (e.g., 521). Ryan Sleevi 2011/11/17 03:20:33 That was on me. EVP_PKEY_bits, but then it gets i Show quoted text On 2011/11/17 02:52:18, wtc wrote: > > Is there an OpenSSL function that returns the key size in > bits? Some EC key sizes are not a multiple of 8 (e.g., 521). That was on me. EVP_PKEY_bits, but then it gets into the weird 1023/1024 bit size IIRC. For DSA/EC/RSA/DH, it's just a wrapper for BN_num_bits. EVP_PKEY_size does the right thing for RSA, but for DSA/ECDH returns [EC]DSA_size, which is the maximum length of an [EC]DSA signature created with that key. So there's no good solution that solves both cases. FWIW, the OpenSSL code (command-line, etc) in 0.9.8 just uses a series of ifs switched off pkey->type, so perhaps both size_bits and type should be handled in the switch. palmer 2011/12/13 18:55:44 Done. Show quoted text On 2011/11/17 03:20:33, Ryan Sleevi wrote: > On 2011/11/17 02:52:18, wtc wrote: > > > > Is there an OpenSSL function that returns the key size in > > bits? Some EC key sizes are not a multiple of 8 (e.g., 521). > > That was on me. > > EVP_PKEY_bits, but then it gets into the weird 1023/1024 bit size IIRC. For > DSA/EC/RSA/DH, it's just a wrapper for BN_num_bits. > > EVP_PKEY_size does the right thing for RSA, but for DSA/ECDH returns > [EC]DSA_size, which is the maximum length of an [EC]DSA signature created with > that key. > > So there's no good solution that solves both cases. > > FWIW, the OpenSSL code (command-line, etc) in 0.9.8 just uses a series of ifs > switched off pkey->type, so perhaps both size_bits and type should be handled > in the switch. Done.
	629

	630 switch (key->type) {

	631 case EVP_PKEY_RSA:

	632 *type = kPublicKeyTypeRSA;

	633 break;

	634 case EVP_PKEY_DSA:

	635 *type = kPublicKeyTypeDSA;

	636 break;

	637 case EVP_PKEY_EC:

	638 *type = kPublicKeyTypeECDSA;

	639 break;

	640 case EVP_PKEY_DH:

	641 *type = kPublicKeyTypeDH;

	642 break;

	643 default:

	644 *type = kPublicKeyTypeUnknown;

	645 }

	646 }

	647

622 } // namespace net	648 } // namespace net

OLD	NEW

« net/base/x509_certificate_mac.cc ('K') | « net/base/x509_certificate_nss.cc ('k') | net/base/x509_certificate_unittest.cc » ('j') | net/data/ssl/certificates/strong-key-weak-signer.pem » ('J')