net/base/x509_certificate.cc - Issue 8568040: Refuse to accept certificate chains containing any RSA public key smaller

Side by Side Diff: net/base/x509_certificate.cc

Issue 8568040: Refuse to accept certificate chains containing any RSA public key smaller (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/

Patch Set: '' Created 9 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "net/base/x509_certificate.h"	5 #include "net/base/x509_certificate.h"

6	6

7 #include <stdlib.h>	7 #include <stdlib.h>

8	8

9 #include <algorithm>	9 #include <algorithm>

10 #include <map>	10 #include <map>

(...skipping 570 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
581 CRLSet* crl_set,	581 CRLSet* crl_set,

582 CertVerifyResult* verify_result) const {	582 CertVerifyResult* verify_result) const {

583 verify_result->Reset();	583 verify_result->Reset();

584 verify_result->verified_cert = const_cast<X509Certificate*>(this);	584 verify_result->verified_cert = const_cast<X509Certificate*>(this);

585	585

586 if (IsBlacklisted()) {	586 if (IsBlacklisted()) {

587 verify_result->cert_status \|= CERT_STATUS_REVOKED;	587 verify_result->cert_status \|= CERT_STATUS_REVOKED;

588 return ERR_CERT_REVOKED;	588 return ERR_CERT_REVOKED;

589 }	589 }

590	590

	591 // Check for weak keys (in the entire chain) first.

	592 size_t size_bits = 0;

	593 PublicKeyType type = kPublicKeyTypeUnknown;

	594 GetPublicKeyInfo(cert_handle_, &size_bits, &type);

	595 if (type == kPublicKeyTypeRSA && size_bits < 1023) {
	Ryan Sleevi 2011/11/16 23:40:54 As AGL noted over on the Mozilla bug, the '1023' i As AGL noted over on the Mozilla bug, the '1023' is likely an artifact of OpenSSL reporting, not the actual key size. We should be able to use 1024 here.
	596 verify_result->cert_status \|= CERT_STATUS_WEAK_KEY;

	597 return MapCertStatusToNetError(verify_result->cert_status);
	Ryan Sleevi 2011/11/16 23:40:54 Rather than duplicating this logic with the lines Rather than duplicating this logic with the lines on 603/604, just use a bool and have a single exit point from this function for week keys?
	598 }

	599 for (OSCertHandles::const_iterator i = intermediate_ca_certs_.begin();

	600 i != intermediate_ca_certs_.end(); ++i) {

	601 GetPublicKeyInfo(*i, &size_bits, &type);
	Ryan Sleevi 2011/11/16 23:40:54 bug: If GetPublicKeyInfo fails, \|type\| is not muta bug: If GetPublicKeyInfo fails, \|type\| is not mutated, but \|size_bits\| is. This will cause unknown types to be rejected as weak keys. Intentional? Should this API return a bool? It's less of a concern if moved to after verification.
	602 if (type == kPublicKeyTypeRSA && size_bits < 1023) {

	603 verify_result->cert_status \|= CERT_STATUS_WEAK_KEY;

	604 return MapCertStatusToNetError(verify_result->cert_status);

	605 }

	606 }

	607

591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result);	608 int rv = VerifyInternal(hostname, flags, crl_set, verify_result);

592	609

593 // This check is done after VerifyInternal so that VerifyInternal can fill in	610 // This check is done after VerifyInternal so that VerifyInternal can fill in

594 // the list of public key hashes.	611 // the list of public key hashes.

595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {	612 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {

596 verify_result->cert_status \|= CERT_STATUS_REVOKED;	613 verify_result->cert_status \|= CERT_STATUS_REVOKED;

597 rv = MapCertStatusToNetError(verify_result->cert_status);	614 rv = MapCertStatusToNetError(verify_result->cert_status);

598 }	615 }

599	616

600 return rv;	617 return rv;

(...skipping 197 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
798 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,	815 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,

799 const uint8* array,	816 const uint8* array,

800 size_t array_byte_len) {	817 size_t array_byte_len) {

801 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);	818 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);

802 const size_t arraylen = array_byte_len / base::kSHA1Length;	819 const size_t arraylen = array_byte_len / base::kSHA1Length;

803 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,	820 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,

804 CompareSHA1Hashes);	821 CompareSHA1Hashes);

805 }	822 }

806	823

807 } // namespace net	824 } // namespace net

OLD	NEW

« no previous file with comments | « net/base/x509_certificate.h ('k') | net/base/x509_certificate_mac.cc » ('j') | net/base/x509_certificate_win.cc » ('J')