Chromium Code Reviews Chromium Code Reviews
Issue 8568040:
Refuse to accept certificate chains containing any RSA public key smaller (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/| Index: net/base/x509_certificate.cc |
| =================================================================== |
| --- net/base/x509_certificate.cc (revision 113824) |
| +++ net/base/x509_certificate.cc (working copy) |
| @@ -576,6 +576,12 @@ |
| return false; |
| } |
| +static bool IsWeakKey(X509Certificate::PublicKeyType type, size_t size_bits) { |
|
Ryan Sleevi
2011/12/13 05:45:35
nit: Given that this file makes use of an unnamed
|
| + return size_bits < 1024 && |
| + (type == X509Certificate::kPublicKeyTypeRSA || |
| + type == X509Certificate::kPublicKeyTypeDSA); |
| +} |
| + |
| int X509Certificate::Verify(const std::string& hostname, |
| int flags, |
| CRLSet* crl_set, |
| @@ -590,6 +596,31 @@ |
| int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
| + // Check for weak keys in the entire verified chain. |
| + size_t size_bits = 0; |
| + PublicKeyType type = kPublicKeyTypeUnknown; |
| + bool weak_key = false; |
| + |
| + GetPublicKeyInfo(verify_result->verified_cert->os_cert_handle(), &size_bits, |
| + &type); |
| + if (IsWeakKey(type, size_bits)) { |
| + weak_key = true; |
| + } else { |
| + const OSCertHandles& intermediates = |
| + verify_result->verified_cert->GetIntermediateCertificates(); |
| + for (OSCertHandles::const_iterator i = intermediates.begin(); |
| + i != intermediates.end(); ++i) { |
| + GetPublicKeyInfo(*i, &size_bits, &type); |
| + if (IsWeakKey(type, size_bits)) |
| + weak_key = true; |
| + } |
| + } |
| + |
| + if (weak_key) { |
| + verify_result->cert_status |= CERT_STATUS_WEAK_KEY; |
| + return MapCertStatusToNetError(verify_result->cert_status); |
| + } |
| + |
| // This check is done after VerifyInternal so that VerifyInternal can fill in |
| // the list of public key hashes. |
| if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
