Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1022)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/base/x509_certificate_unittest.cc

Issue 8568040: Refuse to accept certificate chains containing any RSA public key smaller (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/base/x509_certificate.cc ('K') | « net/base/x509_certificate_openssl.cc ('k') | net/base/x509_certificate_win.cc » ('j') | net/base/x509_certificate_win.cc » ('J')
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/base/x509_certificate_unittest.cc
===================================================================
--- net/base/x509_certificate_unittest.cc (revision 113824)
+++ net/base/x509_certificate_unittest.cc (working copy)
@@ -611,6 +611,75 @@
EXPECT_EQ(ERR_CERT_DATE_INVALID, error);
}
+// Currently, only RSA and DSA are checked for weakness, and our example weak
+// size is 768. These could change in the future.
+static bool is_weak_key_type(const std::string& key_type) {
Ryan Sleevi 2011/12/13 05:45:35 nit: Function naming guidelines are http://google-
+ size_t pos = key_type.find("-");
+ std::string size = key_type.substr(0, pos);
+ std::string type = key_type.substr(pos + 1);
+
+ return 0 == size.compare("768") &&
Ryan Sleevi 2011/12/13 05:45:35 nit: Why use .compare() == 0 instead of the more c
+ (0 == type.compare("rsa") || 0 == type.compare("dsa"));
+}
+
+TEST(X509CertificateTest, RejectWeakKeys) {
+ FilePath certs_dir = GetTestCertsDirectory();
+ typedef std::vector<std::string> Strings;
+ Strings key_types;
+
+ // generate-weak-test-chains.sh currently has:
+ // key_types="768-rsa 1024-rsa 2048-rsa secp256k1-ecdsa"
Ryan Sleevi 2011/12/13 05:45:35 typo? You refer to secp256k1-ecdsa in the comment,
+ // We must use the same key types here. The filenames generated look like:
+ // 2048-rsa-ee-by-768-rsa-intermediate.pem
+ key_types.push_back("768-rsa");
+ key_types.push_back("1024-rsa");
+ key_types.push_back("2048-rsa");
+ key_types.push_back("prime256v1-ecdsa");
+
+ // Add the root that signed the intermediates for this test.
+ scoped_refptr<X509Certificate> root_cert =
+ ImportCertFromFile(certs_dir, "2048-rsa-root.pem");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), root_cert);
+ TestRootCerts::GetInstance()->Add(root_cert.get());
+
+ // Now test each chain.
+ for (Strings::const_iterator ee_type = key_types.begin();
+ ee_type != key_types.end(); ++ee_type) {
+ for (Strings::const_iterator signer_type = key_types.begin();
+ signer_type != key_types.end(); ++signer_type) {
Ryan Sleevi 2011/12/13 05:45:35 nit: This sort of iteration within a test, while n
+ std::string basename = *ee_type + "-ee-by-" + *signer_type +
+ "-intermediate.pem";
+ DLOG(WARNING) << "Now trying " << basename;
+ scoped_refptr<X509Certificate> ee_cert =
+ ImportCertFromFile(certs_dir, basename);
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), ee_cert);
+
+ basename = *signer_type + "-intermediate.pem";
+ scoped_refptr<X509Certificate> intermediate =
+ ImportCertFromFile(certs_dir, basename);
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), intermediate);
+
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(intermediate->os_cert_handle());
+ scoped_refptr<X509Certificate> cert_chain =
+ X509Certificate::CreateFromHandle(ee_cert->os_cert_handle(),
+ intermediates);
+
+ CertVerifyResult verify_result;
+ int error = cert_chain->Verify("127.0.0.1", 0, NULL, &verify_result);
+
+ if (is_weak_key_type(*ee_type) || is_weak_key_type(*signer_type)) {
+ EXPECT_NE(OK, error);
+ EXPECT_EQ(CERT_STATUS_WEAK_KEY,
+ verify_result.cert_status & CERT_STATUS_WEAK_KEY);
+ } else {
+ EXPECT_EQ(OK, error);
+ EXPECT_EQ(0U, verify_result.cert_status & CERT_STATUS_WEAK_KEY);
+ }
+ }
+ }
+}
+
// Test for bug 94673.
TEST(X509CertificateTest, GoogleDigiNotarTest) {
FilePath certs_dir = GetTestCertsDirectory();
@@ -727,7 +796,7 @@
base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()),
spkiBytes.size(), hash);
- EXPECT_TRUE(0 == memcmp(hash, nistSPKIHash, sizeof(hash)));
+ EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash)));
}
TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
@@ -1382,7 +1451,7 @@
{ false, "f.uk", ".uk" },
{ false, "w.bar.foo.com", "?.bar.foo.com" },
{ false, "www.foo.com", "(www|ftp).foo.com" },
- { false, "www.foo.com", "www.foo.com#" }, // # = null char.
+ { false, "www.foo.com", "www.foo.com#" }, // # = null char.
{ false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" },
{ false, "www.house.example", "ww.house.example" },
{ false, "test.org", "", "www.test.org,*.test.org,*.org" },
@@ -1520,7 +1589,7 @@
for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) {
std::string& addr_ascii = ip_addressses_ascii[i];
ASSERT_NE(0U, addr_ascii.length());
- if (addr_ascii[0] == 'x') { // Hex encoded address
+ if (addr_ascii[0] == 'x') { // Hex encoded address
addr_ascii.erase(0, 1);
std::vector<uint8> bytes;
EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes))
« net/base/x509_certificate.cc ('K') | « net/base/x509_certificate_openssl.cc ('k') | net/base/x509_certificate_win.cc » ('j') | net/base/x509_certificate_win.cc » ('J')

Powered by Google App Engine
This is Rietveld 408576698