Refuse to accept certificate chains containing any RSA public key smaller

net/base/x509_certificate_unittest.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#if defined(USE_NSS)
+#include <cert.h>
+#endif

[Ryan Sleevi, 2011/11/16 23:40:54]

This was in the correct place originally. Please move it back.

http://www.chromium.org/developers/coding-style#TOC-Platform-defines

+
 #include "base/file_path.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
 #include "base/pickle.h"
 #include "base/sha1.h"
 #include "base/string_number_conversions.h"
 #include "base/string_split.h"
 #include "crypto/rsa_private_key.h"
 #include "net/base/asn1_util.h"
 #include "net/base/cert_status_flags.h"
 #include "net/base/cert_test_util.h"
 #include "net/base/cert_verify_result.h"
 #include "net/base/net_errors.h"
 #include "net/base/test_certificate_data.h"
 #include "net/base/test_root_certs.h"
 #include "net/base/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-#if defined(USE_NSS)
-#include <cert.h>
-#endif
-
 // Unit tests aren't allowed to access external resources. Unfortunately, to
 // properly verify the EV-ness of a cert, we need to check for its revocation
 // through online servers. If you're manually running unit tests, feel free to
 // turn this on to test EV certs. But leave it turned off for the automated
 // testing.
 #define ALLOW_EXTERNAL_ACCESS 0
 
 #if ALLOW_EXTERNAL_ACCESS && defined(OS_WIN)
 #define TEST_EV 1  // Test CERT_STATUS_IS_EV
 #endif
@@ skipping 548 matching lines @@
                                  &verify_result);
   EXPECT_NE(OK, error);
 
   // Now turn off revocation checking.  Certificate verification should still
   // fail.
   flags = 0;
   error = cert_chain->Verify("mail.google.com", flags, NULL, &verify_result);
   EXPECT_NE(OK, error);
 }
 
+TEST(X509CertificateTest, RejectWeakKeys) {
+  FilePath certs_dir = GetTestCertsDirectory();
+
+  // Self-signed cert with weak (768-bit) key.
+  scoped_refptr<X509Certificate> weak_cert =
+      ImportCertFromFile(certs_dir, "weak-key.pem");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), weak_cert);
+
+  CertVerifyResult verify_result;
+  int flags = 0;
+  int error = weak_cert->Verify("broken.example.com", flags, NULL,
+                                &verify_result);
+  EXPECT_NE(OK, error);
+  EXPECT_EQ(CERT_STATUS_WEAK_KEY, verify_result.cert_status);
+
+  // EE has 2048-bit key, signer is weak_cert. Even though the EE is fine,
+  // we must still reject it.
+  scoped_refptr<X509Certificate> good_cert =
+      ImportCertFromFile(certs_dir, "strong-key-weak-signer.pem");
+  ASSERT_NE(static_cast<X509Certificate*>(NULL), good_cert);
+
+  X509Certificate::OSCertHandles intermediates;
+  intermediates.push_back(weak_cert->os_cert_handle());
+  scoped_refptr<X509Certificate> cert_chain =
+      X509Certificate::CreateFromHandle(good_cert->os_cert_handle(),
+                                        intermediates);
+
+  error = cert_chain->Verify("www.example.org", flags, NULL, &verify_result);
+  EXPECT_NE(OK, error);
+  EXPECT_EQ(CERT_STATUS_WEAK_KEY, verify_result.cert_status);
+}
+
 TEST(X509CertificateTest, DigiNotarCerts) {
   static const char* const kDigiNotarFilenames[] = {
     "diginotar_root_ca.pem",
     "diginotar_cyber_ca.pem",
     "diginotar_services_1024_ca.pem",
     "diginotar_pkioverheid.pem",
     "diginotar_pkioverheid_g2.pem",
     NULL,
   };
 
@@ skipping 65 matching lines @@
   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
                                              &derBytes));
 
   base::StringPiece spkiBytes;
   EXPECT_TRUE(asn1::ExtractSPKIFromDERCert(derBytes, &spkiBytes));
 
   uint8 hash[base::kSHA1Length];
   base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()),
                       spkiBytes.size(), hash);
 
-  EXPECT_TRUE(0 == memcmp(hash, nistSPKIHash, sizeof(hash)));
+  EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash)));
 }
 
 TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
   FilePath certs_dir = GetTestCertsDirectory();
   scoped_refptr<X509Certificate> cert =
       ImportCertFromFile(certs_dir, "nist.der");
   ASSERT_NE(static_cast<X509Certificate*>(NULL), cert);
 
   std::string derBytes;
   EXPECT_TRUE(X509Certificate::GetDEREncoded(cert->os_cert_handle(),
@@ skipping 634 matching lines @@
     { true, "f", "f" },
     { false, "h", "i" },
     { true, "bar.foo.com", "*.foo.com" },
     { true, "www.test.fr", "common.name",
         "*.test.com,*.test.co.uk,*.test.de,*.test.fr" },
     { true, "wwW.tESt.fr",  "common.name",
         ",*.*,*.test.de,*.test.FR,www" },
     { false, "f.uk", ".uk" },
     { false, "w.bar.foo.com", "?.bar.foo.com" },
     { false, "www.foo.com", "(www|ftp).foo.com" },
-    { false, "www.foo.com", "www.foo.com#" }, // # = null char.
+    { false, "www.foo.com", "www.foo.com#" },  // # = null char.
     { false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" },
     { false, "www.house.example", "ww.house.example" },
     { false, "test.org", "", "www.test.org,*.test.org,*.org" },
     { false, "w.bar.foo.com", "w*.bar.foo.com" },
     { false, "www.bar.foo.com", "ww*ww.bar.foo.com" },
     { false, "wwww.bar.foo.com", "ww*ww.bar.foo.com" },
     { true, "wwww.bar.foo.com", "w*w.bar.foo.com" },
     { false, "wwww.bar.foo.com", "w*w.bar.foo.c0m" },
     { true, "WALLY.bar.foo.com", "wa*.bar.foo.com" },
     { true, "wally.bar.foo.com", "*Ly.bar.foo.com" },
@@ skipping 117 matching lines @@
   }
 
   if (test_data.ip_addrs) {
     // Build up the certificate IP address list.
     std::string ip_addrs_line(test_data.ip_addrs);
     std::vector<std::string> ip_addressses_ascii;
     base::SplitString(ip_addrs_line, ',', &ip_addressses_ascii);
     for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) {
       std::string& addr_ascii = ip_addressses_ascii[i];
       ASSERT_NE(0U, addr_ascii.length());
-      if (addr_ascii[0] == 'x') { // Hex encoded address
+      if (addr_ascii[0] == 'x') {  // Hex encoded address
         addr_ascii.erase(0, 1);
         std::vector<uint8> bytes;
         EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes))
             << "Could not parse hex address " << addr_ascii << " i = " << i;
         ip_addressses.push_back(std::string(reinterpret_cast<char*>(&bytes[0]),
                                             bytes.size()));
         ASSERT_EQ(16U, ip_addressses.back().size()) << i;
       } else {  // Decimal groups
         std::vector<std::string> decimals_ascii;
         base::SplitString(addr_ascii, '.', &decimals_ascii);
@@ skipping 217 matching lines @@
 #define MAYBE_VerifyMixed DISABLED_VerifyMixed
 #else
 #define MAYBE_VerifyMixed VerifyMixed
 #endif
 WRAPPED_INSTANTIATE_TEST_CASE_P(
     MAYBE_VerifyMixed,
     X509CertificateWeakDigestTest,
     testing::ValuesIn(kVerifyMixedTestData));
 
 }  // namespace net