Refuse to accept certificate chains containing any RSA public key smaller

net/base/x509_certificate_win.cc

Index: net/base/x509_certificate_win.cc
===================================================================
--- net/base/x509_certificate_win.cc	(revision 110129)
+++ net/base/x509_certificate_win.cc	(working copy)
@@ -1153,4 +1153,35 @@
                            length);
 }
 
+// static
+void X509Certificate::GetPublicKeyInfo(OSCertHandle cert_handle,
+                                       size_t* size_bits,
+                                       PublicKeyType* type) {
+  *size_bits = CertGetPublicKeyLength(
+      X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
+      cert_handle->pCertInfo->SubjectPublicKeyInfo);
+
+  PCCRYPT_OID_INFO oid_info = CryptFindOIDInfo(
+      CRYPT_OID_INFO_OID_KEY,
+      cert_handle->pCertInfo->SubjectPublicKeyInfo->Algorithm->pszObjId,
+      CRYPT_SIGN_ALG_OID_GROUP_ID);
+  CHECK(oid_info->dwGroupId == CRYPT_SIGN_ALG_OID_GROUP_ID);
+  CHECK(iod_info->ExtraInfo.cbData >= sizeof(DWORD));

[Ryan Sleevi, 2011/11/16 23:40:54]

Do we want to crash on unrecognized extensions? oid_info may be NULL if Windows
doesn't recognize the OID.

Should probably short-circuit here (without a check) if not oid_info, and only
check the rest (which in poking around in IDA, CryptoAPI is equally paranoid
about the results being valid)

+  DWORD id = *reinterpret_cast<DWORD*>(oid_info->ExtraInfo.pbData);
+
+  switch (id) {
+    case CALG_RSA_SIGN:
+      *type = kPublicKeyTypeRSA;
+      break;
+    case CALG_DSS_SIGN:
+      *type = kPublicKeyTypeDSA;
+      break;
+    case CALG_ECDSA:
+      *type = kPublicKeyTypeECDSA;
+      break;
+    default:

[Ryan Sleevi, 2011/11/16 23:40:54]

case CALG_ECDH:
  *type = kPublicKeyTypeECDH;
  break;

+      *type = kPublicKeyTypeUnknown;
+  }
+}
+
 }  // namespace net