
Side by Side Diff: net/cert/internal/signature_algorithm.cc

Issue 1690123002: Reduce Certificate Parsing Strictness (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Removing 21 octet weakness. Created 4 years, 9 months ago
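--- a/net/cert/internal/signature_algorithm.cc
+++ b/net/cert/internal/signature_algorithm.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/internal/signature_algorithm.h"
 
 #include <utility>
 
 #include "base/numerics/safe_math.h"
 #include "net/der/input.h"
@@ -219,21 +219,22 @@
 return !parser.HasMore();
 }
 
 // Parses an RSA PKCS#1 v1.5 signature algorithm given the DER-encoded
 // "parameters" from the parsed AlgorithmIdentifier, and the hash algorithm
 // that was implied by the AlgorithmIdentifier's OID.
 //
 // Returns a nullptr on failure.
 //
 // RFC 5912 requires that the parameters for RSA PKCS#1 v1.5 algorithms be NULL
-// ("PARAMS TYPE NULL ARE required"):
+// ("PARAMS TYPE NULL ARE required"), however an empty parameter is also
+// allowed for compatibility with non-compliant OCSP responders:
 //
 // sa-rsaWithSHA1 SIGNATURE-ALGORITHM ::= {
 // IDENTIFIER sha1WithRSAEncryption
 // PARAMS TYPE NULL ARE required
 // HASHES { mda-sha1 }
 // PUBLIC-KEYS { pk-rsa }
 // SMIME-CAPS {IDENTIFIED BY sha1WithRSAEncryption }
 // }
 //
 // sa-sha256WithRSAEncryption SIGNATURE-ALGORITHM ::= {
@@ -254,21 +255,22 @@
 //
 // sa-sha512WithRSAEncryption SIGNATURE-ALGORITHM ::= {
 // IDENTIFIER sha512WithRSAEncryption
 // PARAMS TYPE NULL ARE required
 // HASHES { mda-sha512 }
 // PUBLIC-KEYS { pk-rsa }
 // SMIME-CAPS { IDENTIFIED BY sha512WithRSAEncryption }
 // }
 scoped_ptr<SignatureAlgorithm> ParseRsaPkcs1(DigestAlgorithm digest,
 const der::Input& params) {
-if (!IsNull(params))
+// TODO(svaldez): Add warning about non-strict parsing.
+if (!IsNull(params) && !IsEmpty(params))
 return nullptr;
 
 return SignatureAlgorithm::CreateRsaPkcs1(digest);
 }
 
 // Parses an ECDSA signature algorithm given the DER-encoded "parameters" from
 // the parsed AlgorithmIdentifier, and the hash algorithm that was implied by
 // the AlgorithmIdentifier's OID.
 //
 // On failure returns a nullptr.
@@ -615,10 +617,10 @@
 return nullptr;
 }
 
 SignatureAlgorithm::SignatureAlgorithm(
 SignatureAlgorithmId algorithm,
 DigestAlgorithm digest,
 scoped_ptr<SignatureAlgorithmParameters> params)
 : algorithm_(algorithm), digest_(digest), params_(std::move(params)) {}
 
 } // namespace net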
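Review bot: The relaxed check `if (!IsNull(params) && !IsEmpty(params))` in ParseRsaPkcs1 applies to every caller, while the updated comment justifies it only for non-compliant OCSP responders, and the TODO leaves callers with no way to tell a strict parse from a lenient one. If certificate signature algorithms are parsed through this same function (the callers are not visible here), absent parameters would now be accepted for certificates as well. I would either say so in the comment, for example `// Absent parameters are accepted in addition to NULL; this applies to all callers, not only OCSP.`, or pass the strictness in from the caller so the leniency stays scoped to OCSP. IsEmpty is defined outside the visible lines, so confirm it accepts only a zero-length input and not, for example, an empty SEQUENCE.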