OLD | NEW |
---|---|
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
(...skipping 206 matching lines...) | |
217 CERT_STORE_ADD_USE_EXISTING, &cert_handle); | 217 CERT_STORE_ADD_USE_EXISTING, &cert_handle); |
218 return ok ? cert_handle : NULL; | 218 return ok ? cert_handle : NULL; |
219 } | 219 } |
220 #else | 220 #else |
221 X509Certificate::OSCertHandle CreateOSCert(base::StringPiece der_cert) { | 221 X509Certificate::OSCertHandle CreateOSCert(base::StringPiece der_cert) { |
222 return X509Certificate::CreateOSCertHandleFromBytes( | 222 return X509Certificate::CreateOSCertHandleFromBytes( |
223 const_cast<char*>(der_cert.data()), der_cert.size()); | 223 const_cast<char*>(der_cert.data()), der_cert.size()); |
224 } | 224 } |
225 #endif | 225 #endif |
226 | 226 |
227 bool IsWeakKey(X509Certificate::PublicKeyType type, size_t size_bits) { | |
228 switch (type) { | |
229 case X509Certificate::kPublicKeyTypeRSA: | |
230 case X509Certificate::kPublicKeyTypeDSA: | |
231 return size_bits < 1024; | |
232 default: | |
233 return false; | |
wtc
2011/12/14 00:18:03
Nit: I think it's important to document here or be
| |
234 } | |
Ryan Sleevi
2011/12/13 23:54:16
nit: whitespace
| |
235 } | |
236 | |
227 } // namespace | 237 } // namespace |
228 | 238 |
229 bool X509Certificate::LessThan::operator()(X509Certificate* lhs, | 239 bool X509Certificate::LessThan::operator()(X509Certificate* lhs, |
230 X509Certificate* rhs) const { | 240 X509Certificate* rhs) const { |
231 if (lhs == rhs) | 241 if (lhs == rhs) |
232 return false; | 242 return false; |
233 | 243 |
234 int rv = memcmp(lhs->fingerprint_.data, rhs->fingerprint_.data, | 244 int rv = memcmp(lhs->fingerprint_.data, rhs->fingerprint_.data, |
235 sizeof(lhs->fingerprint_.data)); | 245 sizeof(lhs->fingerprint_.data)); |
236 if (rv != 0) | 246 if (rv != 0) |
(...skipping 353 matching lines...) | |
590 | 600 |
591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); | 601 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
592 | 602 |
593 // This check is done after VerifyInternal so that VerifyInternal can fill in | 603 // This check is done after VerifyInternal so that VerifyInternal can fill in |
594 // the list of public key hashes. | 604 // the list of public key hashes. |
595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 605 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
596 verify_result->cert_status |= CERT_STATUS_REVOKED; | 606 verify_result->cert_status |= CERT_STATUS_REVOKED; |
597 rv = MapCertStatusToNetError(verify_result->cert_status); | 607 rv = MapCertStatusToNetError(verify_result->cert_status); |
598 } | 608 } |
599 | 609 |
610 // Check for weak keys in the entire verified chain. | |
611 size_t size_bits = 0; | |
612 PublicKeyType type = kPublicKeyTypeUnknown; | |
613 bool weak_key = false; | |
614 | |
615 GetPublicKeyInfo(verify_result->verified_cert->os_cert_handle(), &size_bits, | |
616 &type); | |
617 if (IsWeakKey(type, size_bits)) { | |
618 weak_key = true; | |
619 } else { | |
620 const OSCertHandles& intermediates = | |
621 verify_result->verified_cert->GetIntermediateCertificates(); | |
622 for (OSCertHandles::const_iterator i = intermediates.begin(); | |
623 i != intermediates.end(); ++i) { | |
624 GetPublicKeyInfo(*i, &size_bits, &type); | |
625 if (IsWeakKey(type, size_bits)) | |
626 weak_key = true; | |
627 } | |
628 } | |
629 | |
630 if (weak_key) { | |
631 verify_result->cert_status |= CERT_STATUS_WEAK_KEY; | |
632 return MapCertStatusToNetError(verify_result->cert_status); | |
wtc
2011/12/14 00:18:03
IMPORTANT: this needs the same kind of care that r
| |
633 } | |
634 | |
600 return rv; | 635 return rv; |
601 } | 636 } |
602 | 637 |
603 #if !defined(USE_NSS) | 638 #if !defined(USE_NSS) |
604 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 639 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
605 std::vector<std::string> dns_names, ip_addrs; | 640 std::vector<std::string> dns_names, ip_addrs; |
606 GetSubjectAltName(&dns_names, &ip_addrs); | 641 GetSubjectAltName(&dns_names, &ip_addrs); |
607 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 642 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); |
608 } | 643 } |
609 #endif | 644 #endif |
(...skipping 188 matching lines...) | |
798 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 833 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
799 const uint8* array, | 834 const uint8* array, |
800 size_t array_byte_len) { | 835 size_t array_byte_len) { |
801 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); | 836 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); |
802 const size_t arraylen = array_byte_len / base::kSHA1Length; | 837 const size_t arraylen = array_byte_len / base::kSHA1Length; |
803 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, | 838 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, |
804 CompareSHA1Hashes); | 839 CompareSHA1Hashes); |
805 } | 840 } |
806 | 841 |
807 } // namespace net | 842 } // namespace net |
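Review bot: The new weak-key block in Verify (new lines 610-633) dereferences `verify_result->verified_cert` unconditionally, and it runs even when VerifyInternal has already returned an error. Whether VerifyInternal populates verified_cert on every failure path is not visible in this section (Verify's body starts in the skipped lines), so if any platform implementation can return early without setting it, an unverifiable certificate would crash here instead of being rejected. I would wrap the check in `if (verify_result->verified_cert) { ... }`, or have Verify assign verified_cert before calling VerifyInternal. Separately, `size_bits` and `type` are not reset before each `GetPublicKeyInfo(*i, &size_bits, &type);` call, so if that call leaves them untouched for a key it cannot parse, the intermediate is judged on the previous certificate's values; resetting them to `0` and `kPublicKeyTypeUnknown` at the top of the loop body makes that case explicit.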
OLD | NEW |