
Side by Side Diff: net/base/x509_certificate_mac.cc

Issue 8568040: Refuse to accept certificate chains containing any RSA public key smaller (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #include <CommonCrypto/CommonDigest.h> 7 #include <CommonCrypto/CommonDigest.h>
8 #include <CoreServices/CoreServices.h> 8 #include <CoreServices/CoreServices.h>
9 #include <Security/Security.h> 9 #include <Security/Security.h>
10 #include <time.h> 10 #include <time.h>
(...skipping 794 matching lines...) Expand 10 before | Expand all | Expand 10 after
805 sint32 estTime; 805 sint32 estTime;
806 CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tp_handle, NULL, 806 CSSM_RETURN crtn = CSSM_TP_SubmitCredRequest(tp_handle, NULL,
807 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet, &callerAuthContext, 807 CSSM_TP_AUTHORITY_REQUEST_CERTISSUE, &reqSet, &callerAuthContext,
808 &estTime, &refId); 808 &estTime, &refId);
809 if (crtn) { 809 if (crtn) {
810 DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn; 810 DLOG(ERROR) << "CSSM_TP_SubmitCredRequest failed " << crtn;
811 return NULL; 811 return NULL;
812 } 812 }
813 813
814 CSSM_BOOL confirmRequired; 814 CSSM_BOOL confirmRequired;
815 CSSM_TP_RESULT_SET *resultSet = NULL; 815 CSSM_TP_RESULT_SET* resultSet = NULL;
816 crtn = CSSM_TP_RetrieveCredResult(tp_handle, &refId, NULL, &estTime, 816 crtn = CSSM_TP_RetrieveCredResult(tp_handle, &refId, NULL, &estTime,
817 &confirmRequired, &resultSet); 817 &confirmRequired, &resultSet);
818 ScopedEncodedCertResults scopedResults(resultSet); 818 ScopedEncodedCertResults scopedResults(resultSet);
819 crypto::CSSMFree(refId.Data); 819 crypto::CSSMFree(refId.Data);
820 if (crtn) { 820 if (crtn) {
821 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn; 821 DLOG(ERROR) << "CSSM_TP_RetrieveCredResult failed " << crtn;
822 return NULL; 822 return NULL;
823 } 823 }
824 824
825 if (confirmRequired) { 825 if (confirmRequired) {
(...skipping 681 matching lines...) Expand 10 before | Expand all | Expand 10 after
1507 Pickle* pickle) { 1507 Pickle* pickle) {
1508 CSSM_DATA cert_data; 1508 CSSM_DATA cert_data;
1509 OSStatus status = SecCertificateGetData(cert_handle, &cert_data); 1509 OSStatus status = SecCertificateGetData(cert_handle, &cert_data);
1510 if (status) 1510 if (status)
1511 return false; 1511 return false;
1512 1512
1513 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data), 1513 return pickle->WriteData(reinterpret_cast<char*>(cert_data.Data),
1514 cert_data.Length); 1514 cert_data.Length);
1515 } 1515 }
1516 1516
1517 // static
1518 void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
1519 size_t* size_bits,
1520 PublicKeyType* type) {
1521 // Since we might fail, set the output parameters to known values first.
wtc 2011/12/14 00:18:03 Nit: known => default? "known values" is a little
1522 *type = kPublicKeyTypeUnknown;
1523 *size_bits = 0;
1524
1525 SecKeyRef key;
1526 OSStatus status = SecCertificateCopyPublicKey(cert_handle, &key);
1527 if (status) {
1528 NOTREACHED() << "SecCertificateCopyPublicKey failed: " << status;
1529 return;
1530 }
1531 ScopedCFTypeRef<SecKeyRef> scoped_key;
1532
1533 const CSSM_KEY* cssm_key;
1534 status = SecKeyGetCSSMKey(key, &cssm_key);
1535 if (status) {
1536 NOTREACHED() << "SecKeyGetCSSMKey failed: " << status;
1537 return;
1538 }
1539
1540 *size_bits = cssm_key->KeyHeader.LogicalKeySizeInBits;
1541
1542 switch (cssm_key->KeyHeader.AlgorithmId) {
1543 case CSSM_ALGID_RSA:
1544 *type = kPublicKeyTypeRSA;
1545 break;
1546 case CSSM_ALGID_DSA:
1547 *type = kPublicKeyTypeDSA;
1548 break;
1549 case CSSM_ALGID_ECDSA:
1550 *type = kPublicKeyTypeECDSA;
1551 break;
1552 case CSSM_ALGID_DH:
1553 *type = kPublicKeyTypeDH;
1554 break;
1555 default:
1556 *type = kPublicKeyTypeUnknown;
1557 *size_bits = 0;
1558 break;
1559 }
1560 }
1561
1517 } // namespace net 1562 } // namespace net
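Review bot: `ScopedCFTypeRef<SecKeyRef> scoped_key;` on new line 1531 is default-constructed and never handed `key`, so the SecKeyRef returned by SecCertificateCopyPublicKey (a Copy-rule call whose reference the caller must release) is leaked on every call to GetPublicKeyInfo, including the early return after a failing SecKeyGetCSSMKey. Change it to `ScopedCFTypeRef<SecKeyRef> scoped_key(key);`. Separately, both failure paths use NOTREACHED(), but given the file and the issue title the certificate handle here is presumably a certificate from a peer-supplied chain, whose SubjectPublicKeyInfo may be malformed or of an algorithm the framework cannot parse, so a failure is a reachable input condition rather than a programming error and `DLOG(ERROR)` plus the default (kPublicKeyTypeUnknown, 0) result seems more appropriate. Whichever caller enforces the RSA minimum-size rule is outside this diff; it should be checked so that an Unknown type produced by a key that could not be parsed is not silently treated as exempt from the check.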