OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
(...skipping 206 matching lines...)
217 CERT_STORE_ADD_USE_EXISTING, &cert_handle); | 217 CERT_STORE_ADD_USE_EXISTING, &cert_handle); |
218 return ok ? cert_handle : NULL; | 218 return ok ? cert_handle : NULL; |
219 } | 219 } |
220 #else | 220 #else |
221 X509Certificate::OSCertHandle CreateOSCert(base::StringPiece der_cert) { | 221 X509Certificate::OSCertHandle CreateOSCert(base::StringPiece der_cert) { |
222 return X509Certificate::CreateOSCertHandleFromBytes( | 222 return X509Certificate::CreateOSCertHandleFromBytes( |
223 const_cast<char*>(der_cert.data()), der_cert.size()); | 223 const_cast<char*>(der_cert.data()), der_cert.size()); |
224 } | 224 } |
225 #endif | 225 #endif |
226 | 226 |
| 227 // Returns true if |type| is |kPublicKeyTypeRSA| or |kPublicKeyTypeDSA|, and |
| 228 // if |size_bits| is < 1024. Note that this means there may be false |
| 229 // negatives: keys for other algorithms and which are weak will pass this |
| 230 // test. |
| 231 bool IsWeakKey(X509Certificate::PublicKeyType type, size_t size_bits) { |
| 232 switch (type) { |
| 233 case X509Certificate::kPublicKeyTypeRSA: |
| 234 case X509Certificate::kPublicKeyTypeDSA: |
| 235 return size_bits < 1024; |
| 236 default: |
| 237 return false; |
| 238 } |
| 239 } |
| 240 |
227 } // namespace | 241 } // namespace |
228 | 242 |
229 bool X509Certificate::LessThan::operator()(X509Certificate* lhs, | 243 bool X509Certificate::LessThan::operator()(X509Certificate* lhs, |
230 X509Certificate* rhs) const { | 244 X509Certificate* rhs) const { |
231 if (lhs == rhs) | 245 if (lhs == rhs) |
232 return false; | 246 return false; |
233 | 247 |
234 int rv = memcmp(lhs->fingerprint_.data, rhs->fingerprint_.data, | 248 int rv = memcmp(lhs->fingerprint_.data, rhs->fingerprint_.data, |
235 sizeof(lhs->fingerprint_.data)); | 249 sizeof(lhs->fingerprint_.data)); |
236 if (rv != 0) | 250 if (rv != 0) |
(...skipping 353 matching lines...)
590 | 604 |
591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); | 605 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
592 | 606 |
593 // This check is done after VerifyInternal so that VerifyInternal can fill in | 607 // This check is done after VerifyInternal so that VerifyInternal can fill in |
594 // the list of public key hashes. | 608 // the list of public key hashes. |
595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 609 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
596 verify_result->cert_status |= CERT_STATUS_REVOKED; | 610 verify_result->cert_status |= CERT_STATUS_REVOKED; |
597 rv = MapCertStatusToNetError(verify_result->cert_status); | 611 rv = MapCertStatusToNetError(verify_result->cert_status); |
598 } | 612 } |
599 | 613 |
| 614 // Check for weak keys in the entire verified chain. |
| 615 size_t size_bits = 0; |
| 616 PublicKeyType type = kPublicKeyTypeUnknown; |
| 617 bool weak_key = false; |
| 618 |
| 619 GetPublicKeyInfo(verify_result->verified_cert->os_cert_handle(), &size_bits, |
| 620 &type); |
| 621 if (IsWeakKey(type, size_bits)) { |
| 622 weak_key = true; |
| 623 } else { |
| 624 const OSCertHandles& intermediates = |
| 625 verify_result->verified_cert->GetIntermediateCertificates(); |
| 626 for (OSCertHandles::const_iterator i = intermediates.begin(); |
| 627 i != intermediates.end(); ++i) { |
| 628 GetPublicKeyInfo(*i, &size_bits, &type); |
| 629 if (IsWeakKey(type, size_bits)) |
| 630 weak_key = true; |
| 631 } |
| 632 } |
| 633 |
| 634 if (weak_key) { |
| 635 verify_result->cert_status |= CERT_STATUS_WEAK_KEY; |
| 636 return MapCertStatusToNetError(verify_result->cert_status); |
| 637 } |
| 638 |
600 // Treat certificates signed using broken signature algorithms as invalid. | 639 // Treat certificates signed using broken signature algorithms as invalid. |
601 if (verify_result->has_md2 || verify_result->has_md4) { | 640 if (verify_result->has_md2 || verify_result->has_md4) { |
602 verify_result->cert_status |= CERT_STATUS_INVALID; | 641 verify_result->cert_status |= CERT_STATUS_INVALID; |
603 rv = MapCertStatusToNetError(verify_result->cert_status); | 642 rv = MapCertStatusToNetError(verify_result->cert_status); |
604 } | 643 } |
605 | 644 |
606 // Flag certificates using weak signature algorithms. | 645 // Flag certificates using weak signature algorithms. |
607 if (verify_result->has_md5) { | 646 if (verify_result->has_md5) { |
608 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; | 647 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
609 // Avoid replacing a more serious error, such as an OS/library failure, | 648 // Avoid replacing a more serious error, such as an OS/library failure, |
(...skipping 204 matching lines...)
814 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 853 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
815 const uint8* array, | 854 const uint8* array, |
816 size_t array_byte_len) { | 855 size_t array_byte_len) { |
817 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); | 856 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); |
818 const size_t arraylen = array_byte_len / base::kSHA1Length; | 857 const size_t arraylen = array_byte_len / base::kSHA1Length; |
819 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, | 858 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, |
820 CompareSHA1Hashes); | 859 CompareSHA1Hashes); |
821 } | 860 } |
822 | 861 |
823 } // namespace net | 862 } // namespace net |
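Review bot: The early `return MapCertStatusToNetError(verify_result->cert_status);` at new line 636 leaves the function before the MD2/MD4 and MD5 checks that follow, so a chain with a weak key never gets `CERT_STATUS_INVALID` or `CERT_STATUS_WEAK_SIGNATURE_ALGORITHM` recorded, and the returned code may replace a more serious `rv` from `VerifyInternal`, which is the concern the MD5 block's own comment names. Assigning instead, `rv = MapCertStatusToNetError(verify_result->cert_status);`, would match the blacklist and MD2/MD4 blocks around it. The new block at lines 619-631 also dereferences `verify_result->verified_cert` without looking at `rv`; if `VerifyInternal` can fail before setting it (not visible here), a guard such as `if (verify_result->verified_cert)` is needed. Whatever `GetPublicKeyInfo` reports is not checked either, so a key whose type or size cannot be read keeps the previous values and passes `IsWeakKey`; a short comment stating that this fail-open behaviour is intended would help. The enclosing function starts and ends outside the visible lines.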