Chromium Code Reviews Chromium Code Reviews
Issue 8568040:
Refuse to accept certificate chains containing any RSA public key smaller (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/file_path.h" | 5 #include "base/file_path.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/path_service.h" | 7 #include "base/path_service.h" |
| 8 #include "base/pickle.h" | 8 #include "base/pickle.h" |
| 9 #include "base/sha1.h" | 9 #include "base/sha1.h" |
| 10 #include "base/string_number_conversions.h" | 10 #include "base/string_number_conversions.h" |
| (...skipping 593 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 604 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | | 604 int flags = X509Certificate::VERIFY_REV_CHECKING_ENABLED | |
| 605 X509Certificate::VERIFY_EV_CERT; | 605 X509Certificate::VERIFY_EV_CERT; |
| 606 int error = cert_chain->Verify("2029.globalsign.com", flags, NULL, | 606 int error = cert_chain->Verify("2029.globalsign.com", flags, NULL, |
| 607 &verify_result); | 607 &verify_result); |
| 608 if (error == OK) | 608 if (error == OK) |
| 609 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); | 609 EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_IS_EV); |
| 610 else | 610 else |
| 611 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); | 611 EXPECT_EQ(ERR_CERT_DATE_INVALID, error); |
| 612 } | 612 } |
| 613 | 613 |
| 614 // Currently, only RSA and DSA keys are checked for weakness, and our example | |
| 615 // weak size is 768. These could change in the future. | |
| 616 // | |
| 617 // Note that this means there may be false negatives: keys for other | |
| 618 // algorithms and which are weak will pass this test. | |
| 619 static bool IsWeakKeyType(const std::string& key_type) { | |
| 620 size_t pos = key_type.find("-"); | |
| 621 std::string size = key_type.substr(0, pos); | |
| 622 std::string type = key_type.substr(pos + 1); | |
| 623 | |
| 624 if (type == "rsa" || type == "dsa") | |
| 625 return size == "768"; | |
| 626 | |
| 627 return false; | |
| 628 } | |
| 629 | |
| 630 TEST(X509CertificateTest, RejectWeakKeys) { | |
| 631 FilePath certs_dir = GetTestCertsDirectory(); | |
| 632 typedef std::vector<std::string> Strings; | |
| 633 Strings key_types; | |
| 634 | |
| 635 // generate-weak-test-chains.sh currently has: | |
| 636 // key_types="768-rsa 1024-rsa 2048-rsa prime256v1-ecdsa" | |
| 637 // We must use the same key types here. The filenames generated look like: | |
| 638 // 2048-rsa-ee-by-768-rsa-intermediate.pem | |
| 639 key_types.push_back("768-rsa"); | |
| 640 key_types.push_back("1024-rsa"); | |
| 641 key_types.push_back("2048-rsa"); | |
| 642 key_types.push_back("prime256v1-ecdsa"); | |
|
Ryan Sleevi
2011/12/14 03:11:01
Quick follow-up:
This ("prime256v1-ecdsa") will p
wtc
2011/12/15 02:10:36
Will "prime256v1-ecdsa" also fail on Mac OS X 10.5
| |
| 643 | |
| 644 // Add the root that signed the intermediates for this test. | |
| 645 scoped_refptr<X509Certificate> root_cert = | |
| 646 ImportCertFromFile(certs_dir, "2048-rsa-root.pem"); | |
| 647 ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert); | |
| 648 TestRootCerts::GetInstance()->Add(root_cert.get()); | |
| 649 | |
| 650 // Now test each chain. | |
| 651 for (Strings::const_iterator ee_type = key_types.begin(); | |
| 652 ee_type != key_types.end(); ++ee_type) { | |
| 653 for (Strings::const_iterator signer_type = key_types.begin(); | |
| 654 signer_type != key_types.end(); ++signer_type) { | |
| 655 std::string basename = *ee_type + "-ee-by-" + *signer_type + | |
| 656 "-intermediate.pem"; | |
| 657 scoped_refptr<X509Certificate> ee_cert = | |
| 658 ImportCertFromFile(certs_dir, basename); | |
| 659 ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert); | |
| 660 | |
| 661 basename = *signer_type + "-intermediate.pem"; | |
| 662 scoped_refptr<X509Certificate> intermediate = | |
| 663 ImportCertFromFile(certs_dir, basename); | |
| 664 ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate); | |
| 665 | |
| 666 X509Certificate::OSCertHandles intermediates; | |
| 667 intermediates.push_back(intermediate->os_cert_handle()); | |
| 668 scoped_refptr<X509Certificate> cert_chain = | |
| 669 X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(), | |
| 670 intermediates); | |
| 671 | |
| 672 CertVerifyResult verify_result; | |
| 673 int error = cert_chain->Verify("127.0.0.1", 0, NULL, &verify_result); | |
| 674 | |
| 675 if (IsWeakKeyType(*ee_type) || IsWeakKeyType(*signer_type)) { | |
| 676 EXPECT_NE(OK, error); | |
| 677 EXPECT_EQ(CERT_STATUS_WEAK_KEY, | |
| 678 verify_result.cert_status & CERT_STATUS_WEAK_KEY); | |
| 679 } else { | |
| 680 EXPECT_EQ(OK, error); | |
| 681 EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY); | |
| 682 } | |
| 683 } | |
| 684 } | |
| 685 | |
| 686 TestRootCerts::GetInstance()->Clear(); | |
| 687 } | |
| 688 | |
| 614 // Test for bug 94673. | 689 // Test for bug 94673. |
| 615 TEST(X509CertificateTest, GoogleDigiNotarTest) { | 690 TEST(X509CertificateTest, GoogleDigiNotarTest) { |
| 616 FilePath certs_dir = GetTestCertsDirectory(); | 691 FilePath certs_dir = GetTestCertsDirectory(); |
| 617 | 692 |
| 618 scoped_refptr<X509Certificate> server_cert = | 693 scoped_refptr<X509Certificate> server_cert = |
| 619 ImportCertFromFile(certs_dir, "google_diginotar.pem"); | 694 ImportCertFromFile(certs_dir, "google_diginotar.pem"); |
| 620 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); | 695 ASSERT_NE(static_cast<X509Certificate*>(NULL), server_cert); |
| 621 | 696 |
| 622 scoped_refptr<X509Certificate> intermediate_cert = | 697 scoped_refptr<X509Certificate> intermediate_cert = |
| 623 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); | 698 ImportCertFromFile(certs_dir, "diginotar_public_ca_2025.pem"); |
| (...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 720 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 795 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
| 721 &derBytes)); | 796 &derBytes)); |
| 722 | 797 |
| 723 base::StringPiece spkiBytes; | 798 base::StringPiece spkiBytes; |
| 724 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); | 799 EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes)); |
| 725 | 800 |
| 726 uint8 hash[base::kSHA1Length]; | 801 uint8 hash[base::kSHA1Length]; |
| 727 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), | 802 base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()), |
| 728 spkiBytes.size(), hash); | 803 spkiBytes.size(), hash); |
| 729 | 804 |
| 730 EXPECT_TRUE(0 == memcmp(hash, nistSPKIHash, sizeof(hash))); | 805 EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash))); |
| 731 } | 806 } |
| 732 | 807 |
| 733 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { | 808 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) { |
| 734 FilePath certs_dir = GetTestCertsDirectory(); | 809 FilePath certs_dir = GetTestCertsDirectory(); |
| 735 scoped_refptr<X509Certificate> cert = | 810 scoped_refptr<X509Certificate> cert = |
| 736 ImportCertFromFile(certs_dir, "nist.der"); | 811 ImportCertFromFile(certs_dir, "nist.der"); |
| 737 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); | 812 ASSERT_NE(static_cast<X509Certificate*>(NULL), cert); |
| 738 | 813 |
| 739 std::string derBytes; | 814 std::string derBytes; |
| 740 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), | 815 EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(), |
| (...skipping 634 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1375 { true, "f", "f" }, | 1450 { true, "f", "f" }, |
| 1376 { false, "h", "i" }, | 1451 { false, "h", "i" }, |
| 1377 { true, "bar.foo.com", "*.foo.com" }, | 1452 { true, "bar.foo.com", "*.foo.com" }, |
| 1378 { true, "www.test.fr", "common.name", | 1453 { true, "www.test.fr", "common.name", |
| 1379 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, | 1454 "*.test.com,*.test.co.uk,*.test.de,*.test.fr" }, |
| 1380 { true, "wwW.tESt.fr", "common.name", | 1455 { true, "wwW.tESt.fr", "common.name", |
| 1381 ",*.*,*.test.de,*.test.FR,www" }, | 1456 ",*.*,*.test.de,*.test.FR,www" }, |
| 1382 { false, "f.uk", ".uk" }, | 1457 { false, "f.uk", ".uk" }, |
| 1383 { false, "w.bar.foo.com", "?.bar.foo.com" }, | 1458 { false, "w.bar.foo.com", "?.bar.foo.com" }, |
| 1384 { false, "www.foo.com", "(www|ftp).foo.com" }, | 1459 { false, "www.foo.com", "(www|ftp).foo.com" }, |
| 1385 { false, "www.foo.com", "www.foo.com#" }, // # = null char. | 1460 { false, "www.foo.com", "www.foo.com#" }, // # = null char. |
| 1386 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, | 1461 { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" }, |
| 1387 { false, "www.house.example", "ww.house.example" }, | 1462 { false, "www.house.example", "ww.house.example" }, |
| 1388 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, | 1463 { false, "test.org", "", "www.test.org,*.test.org,*.org" }, |
| 1389 { false, "w.bar.foo.com", "w*.bar.foo.com" }, | 1464 { false, "w.bar.foo.com", "w*.bar.foo.com" }, |
| 1390 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, | 1465 { false, "www.bar.foo.com", "ww*ww.bar.foo.com" }, |
| 1391 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, | 1466 { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" }, |
| 1392 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, | 1467 { true, "wwww.bar.foo.com", "w*w.bar.foo.com" }, |
| 1393 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, | 1468 { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" }, |
| 1394 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, | 1469 { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" }, |
| 1395 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, | 1470 { true, "wally.bar.foo.com", "*Ly.bar.foo.com" }, |
| (...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1513 } | 1588 } |
| 1514 | 1589 |
| 1515 if (test_data.ip_addrs) { | 1590 if (test_data.ip_addrs) { |
| 1516 // Build up the certificate IP address list. | 1591 // Build up the certificate IP address list. |
| 1517 std::string ip_addrs_line(test_data.ip_addrs); | 1592 std::string ip_addrs_line(test_data.ip_addrs); |
| 1518 std::vector<std::string> ip_addressses_ascii; | 1593 std::vector<std::string> ip_addressses_ascii; |
| 1519 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); | 1594 base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii); |
| 1520 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { | 1595 for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) { |
| 1521 std::string& addr_ascii = ip_addressses_ascii[i]; | 1596 std::string& addr_ascii = ip_addressses_ascii[i]; |
| 1522 ASSERT_NE(0U, addr_ascii.length()); | 1597 ASSERT_NE(0U, addr_ascii.length()); |
| 1523 if (addr_ascii[0] == 'x') { // Hex encoded address | 1598 if (addr_ascii[0] == 'x') { // Hex encoded address |
| 1524 addr_ascii.erase(0, 1); | 1599 addr_ascii.erase(0, 1); |
| 1525 std::vector<uint8> bytes; | 1600 std::vector<uint8> bytes; |
| 1526 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) | 1601 EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes)) |
| 1527 << "Could not parse hex address " << addr_ascii << " i = " << i; | 1602 << "Could not parse hex address " << addr_ascii << " i = " << i; |
| 1528 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), | 1603 ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]), |
| 1529 bytes.size())); | 1604 bytes.size())); |
| 1530 ASSERT_EQ(16U, ip_addressses.back().size()) << i; | 1605 ASSERT_EQ(16U, ip_addressses.back().size()) << i; |
| 1531 } else { // Decimal groups | 1606 } else { // Decimal groups |
| 1532 std::vector<std::string> decimals_ascii; | 1607 std::vector<std::string> decimals_ascii; |
| 1533 base::SplitString(addr_ascii, '.', &decimals_ascii); | 1608 base::SplitString(addr_ascii, '.', &decimals_ascii); |
| (...skipping 217 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1751 #define MAYBE_VerifyMixed DISABLED_VerifyMixed | 1826 #define MAYBE_VerifyMixed DISABLED_VerifyMixed |
| 1752 #else | 1827 #else |
| 1753 #define MAYBE_VerifyMixed VerifyMixed | 1828 #define MAYBE_VerifyMixed VerifyMixed |
| 1754 #endif | 1829 #endif |
| 1755 WRAPPED_INSTANTIATE_TEST_CASE_P( | 1830 WRAPPED_INSTANTIATE_TEST_CASE_P( |
| 1756 MAYBE_VerifyMixed, | 1831 MAYBE_VerifyMixed, |
| 1757 X509CertificateWeakDigestTest, | 1832 X509CertificateWeakDigestTest, |
| 1758 testing::ValuesIn(kVerifyMixedTestData)); | 1833 testing::ValuesIn(kVerifyMixedTestData)); |
| 1759 | 1834 |
| 1760 } // namespace net | 1835 } // namespace net |
| OLD | NEW |
