Refuse to accept certificate chains containing any RSA public key smaller

net/base/x509_certificate.h

Index: net/base/x509_certificate.h
===================================================================
--- net/base/x509_certificate.h	(revision 110129)
+++ net/base/x509_certificate.h	(working copy)
@@ -74,6 +74,14 @@
 
   typedef std::vector<OSCertHandle> OSCertHandles;
 
+  enum {
+    NONE,

[Ryan Sleevi, 2011/11/16 03:46:11]

nit: UNKNOWN?

If it causes a name collision, it might be time to revisit the naming style for
these enums, as per
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Enumerator_Names

+    RSA,
+    DSA,
+    ECDSA,
+    DH,
+  } PublicKeyType;

[Ryan Sleevi, 2011/11/16 03:46:11]

I believe you mean

enum PublicKeyType { }. Here, you're declaring an unnamed enum that is a member
of X509Certificate.

+
   // Predicate functor used in maps when X509Certificate is used as the key.
   class NET_EXPORT LessThan {
    public:
@@ -404,6 +412,9 @@
   // the first element.
   bool GetPEMEncodedChain(std::vector<std::string>* pem_encoded) const;
 
+  // Returns the length of the public key in bits.
+  static unsigned int GetPublicKeyLengthInBits(OSCertHandle cert_handle);

[Ryan Sleevi, 2011/11/16 03:46:11]

Sig here doesn't match your new functions.

+
   // Returns the OSCertHandle of this object. Because of caching, this may
   // differ from the OSCertHandle originally supplied during initialization.
   // Note: On Windows, CryptoAPI may return unexpected results if this handle