Chromium Code Reviews Chromium Code Reviews
Issue 8568040:
Refuse to accept certificate chains containing any RSA public key smaller (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 | 8 |
| 9 #include <algorithm> | 9 #include <algorithm> |
| 10 #include <map> | 10 #include <map> |
| (...skipping 206 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 217 CERT_STORE_ADD_USE_EXISTING, &cert_handle); | 217 CERT_STORE_ADD_USE_EXISTING, &cert_handle); |
| 218 return ok ? cert_handle : NULL; | 218 return ok ? cert_handle : NULL; |
| 219 } | 219 } |
| 220 #else | 220 #else |
| 221 X509Certificate::OSCertHandle CreateOSCert(base::StringPiece der_cert) { | 221 X509Certificate::OSCertHandle CreateOSCert(base::StringPiece der_cert) { |
| 222 return X509Certificate::CreateOSCertHandleFromBytes( | 222 return X509Certificate::CreateOSCertHandleFromBytes( |
| 223 const_cast<char*>(der_cert.data()), der_cert.size()); | 223 const_cast<char*>(der_cert.data()), der_cert.size()); |
| 224 } | 224 } |
| 225 #endif | 225 #endif |
| 226 | 226 |
| 227 bool IsWeakKey(X509Certificate::PublicKeyType type, size_t size_bits) { | |
| 228 return size_bits < 1024 && | |
| 229 (type == X509Certificate::kPublicKeyTypeRSA || | |
| 230 type == X509Certificate::kPublicKeyTypeDSA); | |
|
wtc
2011/12/13 21:56:18
To allow easy future expansion, please implement t
| |
| 231 } | |
| 232 | |
| 227 } // namespace | 233 } // namespace |
| 228 | 234 |
| 229 bool X509Certificate::LessThan::operator()(X509Certificate* lhs, | 235 bool X509Certificate::LessThan::operator()(X509Certificate* lhs, |
| 230 X509Certificate* rhs) const { | 236 X509Certificate* rhs) const { |
| 231 if (lhs == rhs) | 237 if (lhs == rhs) |
| 232 return false; | 238 return false; |
| 233 | 239 |
| 234 int rv = memcmp(lhs->fingerprint_.data, rhs->fingerprint_.data, | 240 int rv = memcmp(lhs->fingerprint_.data, rhs->fingerprint_.data, |
| 235 sizeof(lhs->fingerprint_.data)); | 241 sizeof(lhs->fingerprint_.data)); |
| 236 if (rv != 0) | 242 if (rv != 0) |
| (...skipping 346 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 583 verify_result->Reset(); | 589 verify_result->Reset(); |
| 584 verify_result->verified_cert = const_cast<X509Certificate*>(this); | 590 verify_result->verified_cert = const_cast<X509Certificate*>(this); |
| 585 | 591 |
| 586 if (IsBlacklisted()) { | 592 if (IsBlacklisted()) { |
| 587 verify_result->cert_status |= CERT_STATUS_REVOKED; | 593 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 588 return ERR_CERT_REVOKED; | 594 return ERR_CERT_REVOKED; |
| 589 } | 595 } |
| 590 | 596 |
| 591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); | 597 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
| 592 | 598 |
| 599 // Check for weak keys in the entire verified chain. | |
| 600 size_t size_bits = 0; | |
| 601 PublicKeyType type = kPublicKeyTypeUnknown; | |
| 602 bool weak_key = false; | |
| 603 | |
| 604 GetPublicKeyInfo(verify_result->verified_cert->os_cert_handle(), &size_bits, | |
| 605 &type); | |
| 606 if (IsWeakKey(type, size_bits)) { | |
| 607 weak_key = true; | |
| 608 } else { | |
| 609 const OSCertHandles& intermediates = | |
| 610 verify_result->verified_cert->GetIntermediateCertificates(); | |
| 611 for (OSCertHandles::const_iterator i = intermediates.begin(); | |
| 612 i != intermediates.end(); ++i) { | |
| 613 GetPublicKeyInfo(*i, &size_bits, &type); | |
| 614 if (IsWeakKey(type, size_bits)) | |
| 615 weak_key = true; | |
| 616 } | |
| 617 } | |
| 618 | |
| 619 if (weak_key) { | |
| 620 verify_result->cert_status |= CERT_STATUS_WEAK_KEY; | |
| 621 return MapCertStatusToNetError(verify_result->cert_status); | |
|
wtc
2011/12/13 21:56:18
IMPORTANT: I think we should fall through to check
| |
| 622 } | |
| 623 | |
| 593 // This check is done after VerifyInternal so that VerifyInternal can fill in | 624 // This check is done after VerifyInternal so that VerifyInternal can fill in |
| 594 // the list of public key hashes. | 625 // the list of public key hashes. |
| 595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 626 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
| 596 verify_result->cert_status |= CERT_STATUS_REVOKED; | 627 verify_result->cert_status |= CERT_STATUS_REVOKED; |
| 597 rv = MapCertStatusToNetError(verify_result->cert_status); | 628 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 598 } | 629 } |
| 599 | 630 |
| 600 return rv; | 631 return rv; |
| 601 } | 632 } |
| 602 | 633 |
| (...skipping 195 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 798 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 829 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
| 799 const uint8* array, | 830 const uint8* array, |
| 800 size_t array_byte_len) { | 831 size_t array_byte_len) { |
| 801 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); | 832 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); |
| 802 const size_t arraylen = array_byte_len / base::kSHA1Length; | 833 const size_t arraylen = array_byte_len / base::kSHA1Length; |
| 803 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, | 834 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, |
| 804 CompareSHA1Hashes); | 835 CompareSHA1Hashes); |
| 805 } | 836 } |
| 806 | 837 |
| 807 } // namespace net | 838 } // namespace net |
| OLD | NEW |
