Side by Side Diff: net/base/x509_certificate_openssl.cc

Issue 8568040: Refuse to accept certificate chains containing any RSA public key smaller (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #include <openssl/asn1.h> 7 #include <openssl/asn1.h>
8 #include <openssl/crypto.h> 8 #include <openssl/crypto.h>
9 #include <openssl/obj_mac.h> 9 #include <openssl/obj_mac.h>
10 #include <openssl/pem.h> 10 #include <openssl/pem.h>
655 Pickle* pickle) { 655 Pickle* pickle) {
656 DERCache der_cache; 656 DERCache der_cache;
657 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache)) 657 if (!GetDERAndCacheIfNeeded(cert_handle, &der_cache))
658 return false; 658 return false;
659 659
660 return pickle->WriteData( 660 return pickle->WriteData(
661 reinterpret_cast<const char*>(der_cache.data), 661 reinterpret_cast<const char*>(der_cache.data),
662 der_cache.data_length); 662 der_cache.data_length);
663 } 663 }
664 664
665 // static
666 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
667 size_t* size_bits,
668 PublicKeyType* type) {
669 EVP_PKEY* key = X509_get_pubkey(cert_handle);
670 CHECK(key);
671
672 switch (key->type) {
673 case EVP_PKEY_RSA:
674 *type = kPublicKeyTypeRSA;
675 *size_bits = EVP_PKEY_size(key) * 8;
676 break;
677 case EVP_PKEY_DSA:
678 *type = kPublicKeyTypeDSA;
679 *size_bits = EVP_PKEY_size(key) * 8;
680 break;
681 case EVP_PKEY_EC:
682 *type = kPublicKeyTypeECDSA;
683 *size_bits = EVP_PKEY_size(key);
wtc 2011/12/13 21:56:18 It seems strange that EVP_PKEY_size returns a key
684 break;
685 case EVP_PKEY_DH:
686 *type = kPublicKeyTypeDH;
687 *size_bits = EVP_PKEY_size(key) * 8;
688 break;
689 default:
690 *type = kPublicKeyTypeUnknown;
691 *size_bits = 0;
692 }
693 }
694
665 #if defined(OS_ANDROID) 695 #if defined(OS_ANDROID)
666 void X509Certificate::GetChainDEREncodedBytes( 696 void X509Certificate::GetChainDEREncodedBytes(
667 std::vector<std::string>* chain_bytes) const { 697 std::vector<std::string>* chain_bytes) const {
668 OSCertHandles cert_handles(intermediate_ca_certs_); 698 OSCertHandles cert_handles(intermediate_ca_certs_);
669 // Make sure the peer's own cert is the first in the chain, if it's not 699 // Make sure the peer's own cert is the first in the chain, if it's not
670 // already there. 700 // already there.
671 if (cert_handles.empty() || cert_handles[0] != cert_handle_) 701 if (cert_handles.empty() || cert_handles[0] != cert_handle_)
672 cert_handles.insert(cert_handles.begin(), cert_handle_); 702 cert_handles.insert(cert_handles.begin(), cert_handle_);
673 703
674 chain_bytes->reserve(cert_handles.size()); 704 chain_bytes->reserve(cert_handles.size());
675 for (OSCertHandles::const_iterator it = cert_handles.begin(); 705 for (OSCertHandles::const_iterator it = cert_handles.begin();
676 it != cert_handles.end(); ++it) { 706 it != cert_handles.end(); ++it) {
677 std::string cert_bytes; 707 std::string cert_bytes;
678 GetDEREncoded(*it, &cert_bytes); 708 GetDEREncoded(*it, &cert_bytes);
679 chain_bytes->push_back(cert_bytes); 709 chain_bytes->push_back(cert_bytes);
680 } 710 }
681 } 711 }
682 #endif 712 #endif
683 713
684 } // namespace net 714 } // namespace net
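Review bot: `CHECK(key)` at new line 670 turns a certificate whose SubjectPublicKeyInfo OpenSSL cannot decode into a process abort, and the chain this measures comes from the remote peer; when X509_get_pubkey returns NULL the function should report `*type = kPublicKeyTypeUnknown; *size_bits = 0; return;` instead of crashing. The EVP_PKEY that X509_get_pubkey hands back carries its own reference and nothing in the new function releases it, so every call leaks one; add `EVP_PKEY_free(key);` before returning (or hold it in whatever scoped OpenSSL wrapper this file already uses, if one exists outside the visible hunk). For the size itself, EVP_PKEY_size() is an output-buffer size in bytes — for DSA and EC it is the signature length rather than the key length — and multiplying by 8 rounds a modulus up to a byte boundary, so an RSA key a few bits short of 1024 would report as 1024 and slip past a minimum-size policy; `*size_bits = EVP_PKEY_bits(key);` gives the exact bit count for all four key types.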