| Index: net/cert/internal/verify_signed_data.cc
|
| diff --git a/net/cert/internal/verify_signed_data.cc b/net/cert/internal/verify_signed_data.cc
|
| index fd68328694be015b60e39de5d041bfdd3a875678..a18ccfac4df66cc80a9042376bd23ef394224e55 100644
|
| --- a/net/cert/internal/verify_signed_data.cc
|
| +++ b/net/cert/internal/verify_signed_data.cc
|
| @@ -18,7 +18,8 @@ namespace net {
|
| bool VerifySignedData(const SignatureAlgorithm& signature_algorithm,
|
| const der::Input& signed_data,
|
| const der::Input& signature_value_bit_string,
|
| - const der::Input& public_key) {
|
| + const der::Input& public_key,
|
| + const SignaturePolicy* policy) {
|
| NOTIMPLEMENTED();
|
| return false;
|
| }
|
| @@ -38,6 +39,7 @@ bool VerifySignedData(const SignatureAlgorithm& signature_algorithm,
|
| #include "crypto/openssl_util.h"
|
| #include "crypto/scoped_openssl_types.h"
|
| #include "net/cert/internal/signature_algorithm.h"
|
| +#include "net/cert/internal/signature_policy.h"
|
| #include "net/der/input.h"
|
| #include "net/der/parser.h"
|
|
|
| @@ -160,8 +162,18 @@ WARN_UNUSED_RESULT bool ImportPkeyFromSpki(const der::Input& spki,
|
| //
|
| // Following RFC 3279 in this case.
|
| WARN_UNUSED_RESULT bool ParseRsaKeyFromSpki(const der::Input& public_key_spki,
|
| - crypto::ScopedEVP_PKEY* pkey) {
|
| - return ImportPkeyFromSpki(public_key_spki, EVP_PKEY_RSA, pkey);
|
| + crypto::ScopedEVP_PKEY* pkey,
|
| + const SignaturePolicy* policy) {
|
| + if (!ImportPkeyFromSpki(public_key_spki, EVP_PKEY_RSA, pkey))
|
| + return false;
|
| +
|
| + // Extract the modulus length from the key.
|
| + crypto::ScopedRSA rsa(EVP_PKEY_get1_RSA(pkey->get()));
|
| + if (!rsa)
|
| + return false;
|
| + unsigned int modulus_length_bits = BN_num_bits(rsa->n);
|
| +
|
| + return policy->IsAcceptableModulusLengthForRsa(modulus_length_bits);
|
| }
|
|
|
| // Does signature verification using either RSA or ECDSA.
|
| @@ -203,21 +215,6 @@ WARN_UNUSED_RESULT bool DoVerify(const SignatureAlgorithm& algorithm,
|
| signature_value.Length());
|
| }
|
|
|
| -// Returns true if the given curve is allowed for ECDSA. The input is a
|
| -// BoringSSL NID.
|
| -//
|
| -// TODO(eroman): Extract policy decisions such as allowed curves, hashes, RSA
|
| -// modulus size, to somewhere more central.
|
| -WARN_UNUSED_RESULT bool IsAllowedCurveName(int curve_nid) {
|
| - switch (curve_nid) {
|
| - case NID_X9_62_prime256v1:
|
| - case NID_secp384r1:
|
| - case NID_secp521r1:
|
| - return true;
|
| - }
|
| - return false;
|
| -}
|
| -
|
| // Parses an EC public key from SPKI to an EVP_PKEY.
|
| //
|
| // Returns true on success.
|
| @@ -263,18 +260,18 @@ WARN_UNUSED_RESULT bool IsAllowedCurveName(int curve_nid) {
|
| // ... -- Extensible
|
| // }
|
| WARN_UNUSED_RESULT bool ParseEcKeyFromSpki(const der::Input& public_key_spki,
|
| - crypto::ScopedEVP_PKEY* pkey) {
|
| + crypto::ScopedEVP_PKEY* pkey,
|
| + const SignaturePolicy* policy) {
|
| if (!ImportPkeyFromSpki(public_key_spki, EVP_PKEY_EC, pkey))
|
| return false;
|
|
|
| - // Enforce policy on allowed curves in case ImportPkeyFromSpki() were to
|
| - // recognize and allow use of a weak curve.
|
| + // Extract the curve name.
|
| crypto::ScopedEC_KEY ec(EVP_PKEY_get1_EC_KEY(pkey->get()));
|
| if (!ec.get())
|
| return false; // Unexpected.
|
| -
|
| int curve_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec.get()));
|
| - return IsAllowedCurveName(curve_nid);
|
| +
|
| + return policy->IsAcceptableCurveForEcdsa(curve_nid);
|
| }
|
|
|
| } // namespace
|
| @@ -282,18 +279,22 @@ WARN_UNUSED_RESULT bool ParseEcKeyFromSpki(const der::Input& public_key_spki,
|
| bool VerifySignedData(const SignatureAlgorithm& signature_algorithm,
|
| const der::Input& signed_data,
|
| const der::Input& signature_value_bit_string,
|
| - const der::Input& public_key_spki) {
|
| + const der::Input& public_key_spki,
|
| + const SignaturePolicy* policy) {
|
| + if (!policy->IsAcceptableSignatureAlgorithm(signature_algorithm))
|
| + return false;
|
| +
|
| crypto::ScopedEVP_PKEY public_key;
|
|
|
| // Parse the SPKI to an EVP_PKEY appropriate for the signature algorithm.
|
| switch (signature_algorithm.algorithm()) {
|
| case SignatureAlgorithmId::RsaPkcs1:
|
| case SignatureAlgorithmId::RsaPss:
|
| - if (!ParseRsaKeyFromSpki(public_key_spki, &public_key))
|
| + if (!ParseRsaKeyFromSpki(public_key_spki, &public_key, policy))
|
| return false;
|
| break;
|
| case SignatureAlgorithmId::Ecdsa:
|
| - if (!ParseEcKeyFromSpki(public_key_spki, &public_key))
|
| + if (!ParseEcKeyFromSpki(public_key_spki, &public_key, policy))
|
| return false;
|
| break;
|
| }
|
|
|
Chromium Code Reviews
Issue 1259313002:
Add some policy controls for VerifySignedData(). (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@add_python