
Unified Diff: net/base/x509_certificate_unittest.cc

Issue 8568040: Refuse to accept certificate chains containing any RSA public key smaller (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 9 years, 1 month ago
Index: net/base/x509_certificate_unittest.cc
===================================================================
--- net/base/x509_certificate_unittest.cc (revision 110129)
+++ net/base/x509_certificate_unittest.cc (working copy)
@@ -2,6 +2,10 @@
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
+#if defined(USE_NSS)
+#include <cert.h>
+#endif
Ryan Sleevi 2011/11/16 23:40:54 This was in the correct place originally. Please m
+
#include "base/file_path.h"
#include "base/file_util.h"
#include "base/path_service.h"
@@ -20,10 +24,6 @@
#include "net/base/x509_certificate.h"
#include "testing/gtest/include/gtest/gtest.h"
-#if defined(USE_NSS)
-#include <cert.h>
-#endif
-
// Unit tests aren't allowed to access external resources. Unfortunately, to
// properly verify the EV-ness of a cert, we need to check for its revocation
// through online servers. If you're manually running unit tests, feel free to
@@ -592,6 +592,38 @@
EXPECT_NE(OK, error);
}
+TEST(X509CertificateTest, RejectWeakKeys) {
+ FilePath certs_dir = GetTestCertsDirectory();
+
+ // Self-signed cert with weak (768-bit) key.
+ scoped_refptr<X509Certificate> weak_cert =
+ ImportCertFromFile(certs_dir, "weak-key.pem");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), weak_cert);
+
+ CertVerifyResult verify_result;
+ int flags = 0;
+ int error = weak_cert->Verify("broken.example.com", flags, NULL,
+ &verify_result);
+ EXPECT_NE(OK, error);
+ EXPECT_EQ(CERT_STATUS_WEAK_KEY, verify_result.cert_status);
+
+ // EE has 2048-bit key, signer is weak_cert. Even though the EE is fine,
+ // we must still reject it.
+ scoped_refptr<X509Certificate> good_cert =
+ ImportCertFromFile(certs_dir, "strong-key-weak-signer.pem");
+ ASSERT_NE(static_cast<X509Certificate*>(NULL), good_cert);
+
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(weak_cert->os_cert_handle());
+ scoped_refptr<X509Certificate> cert_chain =
+ X509Certificate::CreateFromHandle(good_cert->os_cert_handle(),
+ intermediates);
+
+ error = cert_chain->Verify("www.example.org", flags, NULL, &verify_result);
+ EXPECT_NE(OK, error);
+ EXPECT_EQ(CERT_STATUS_WEAK_KEY, verify_result.cert_status);
+}
+
TEST(X509CertificateTest, DigiNotarCerts) {
static const char* const kDigiNotarFilenames[] = {
"diginotar_root_ca.pem",
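Review bot: The two `EXPECT_EQ(CERT_STATUS_WEAK_KEY, verify_result.cert_status)` assertions in RejectWeakKeys require the weak-key bit to be the only status bit set, yet the first certificate is self-signed and untrusted and the second chain ends in that same untrusted signer, so the verifier can legitimately also report a trust-related status (such as an authority-invalid bit) and the exact comparison would then fail for a reason unrelated to key size; assert the bit instead, `EXPECT_TRUE(verify_result.cert_status & CERT_STATUS_WEAK_KEY);`. `verify_result` is also reused for the second `Verify` without being reset, so unless `Verify` is known to clear `cert_status` on entry, the bit set by the first call could satisfy the second assertion even if chain verification did not flag the weak intermediate; declare a fresh `CertVerifyResult chain_result;` before the second call and assert on that. If this change also introduces a dedicated error code for weak keys, the two `EXPECT_NE(OK, error)` checks could be tightened to compare against it, but the rest of the patch is not visible here.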
@@ -677,7 +709,7 @@
base::SHA1HashBytes(reinterpret_cast<const uint8*>(spkiBytes.data()),
spkiBytes.size(), hash);
- EXPECT_TRUE(0 == memcmp(hash, nistSPKIHash, sizeof(hash)));
+ EXPECT_EQ(0, memcmp(hash, nistSPKIHash, sizeof(hash)));
}
TEST(X509CertificateTest, ExtractCRLURLsFromDERCert) {
@@ -1332,7 +1364,7 @@
{ false, "f.uk", ".uk" },
{ false, "w.bar.foo.com", "?.bar.foo.com" },
{ false, "www.foo.com", "(www|ftp).foo.com" },
- { false, "www.foo.com", "www.foo.com#" }, // # = null char.
+ { false, "www.foo.com", "www.foo.com#" }, // # = null char.
{ false, "www.foo.com", "", "www.foo.com#*.foo.com,#,#" },
{ false, "www.house.example", "ww.house.example" },
{ false, "test.org", "", "www.test.org,*.test.org,*.org" },
@@ -1470,7 +1502,7 @@
for (size_t i = 0; i < ip_addressses_ascii.size(); ++i) {
std::string& addr_ascii = ip_addressses_ascii[i];
ASSERT_NE(0U, addr_ascii.length());
- if (addr_ascii[0] == 'x') { // Hex encoded address
+ if (addr_ascii[0] == 'x') { // Hex encoded address
addr_ascii.erase(0, 1);
std::vector<uint8> bytes;
EXPECT_TRUE(base::HexStringToBytes(addr_ascii, &bytes))
