Index: net/base/x509_certificate.cc |
=================================================================== |
--- net/base/x509_certificate.cc (revision 110129) |
+++ net/base/x509_certificate.cc (working copy) |
@@ -590,6 +590,30 @@ |
int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
+ // Check for weak keys in the entire verified chain. |
+ size_t size_bits = 0; |
+ PublicKeyType type = kPublicKeyTypeUnknown; |
+ bool weak_key = false; |
+ |
+ GetPublicKeyInfo(verify_result->verified_cert->os_cert_handle(), &size_bits, |
+ &type); |
+ if (type == kPublicKeyTypeRSA && size_bits < 1024) |
+ weak_key = true; |
wtc
2011/11/17 02:52:18
It seems that an IsWeakPublicKey/ContainsWeakPublic
|
+ |
+ const OSCertHandles& intermediates = |
+ verify_result->verified_cert->GetIntermediateCertificates(); |
+ for (OSCertHandles::const_iterator i = intermediates.begin(); |
+ i != intermediates.end(); ++i) { |
+ GetPublicKeyInfo(*i, &size_bits, &type); |
+ if (type == kPublicKeyTypeRSA && size_bits < 1024) |
+ weak_key = true; |
+ } |
+ |
+ if (weak_key) { |
+ verify_result->cert_status |= CERT_STATUS_WEAK_KEY; |
+ return MapCertStatusToNetError(verify_result->cert_status); |
+ } |
+ |
// This check is done after VerifyInternal so that VerifyInternal can fill in |
// the list of public key hashes. |
if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |