
Side by Side Diff: net/cert/internal/parse_certificate.cc

Issue 2079273004: Allow Cast certificates to have serial numbers greater than 20 bytes. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: remove allowance of invalid serial numbers for cast roots Created 4 years, 6 months ago
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/parse_certificate.h" 5 #include "net/cert/internal/parse_certificate.h"
6 6
7 #include <utility> 7 #include <utility>
8 8
9 #include "base/strings/string_util.h" 9 #include "base/strings/string_util.h"
10 #include "net/der/input.h" 10 #include "net/der/input.h"
(...skipping 201 matching lines...) Expand 10 before | Expand all | Expand 10 after
212 // validity Validity, 212 // validity Validity,
213 // subject Name, 213 // subject Name,
214 // subjectPublicKeyInfo SubjectPublicKeyInfo, 214 // subjectPublicKeyInfo SubjectPublicKeyInfo,
215 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, 215 // issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
216 // -- If present, version MUST be v2 or v3 216 // -- If present, version MUST be v2 or v3
217 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, 217 // subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
218 // -- If present, version MUST be v2 or v3 218 // -- If present, version MUST be v2 or v3
219 // extensions [3] EXPLICIT Extensions OPTIONAL 219 // extensions [3] EXPLICIT Extensions OPTIONAL
220 // -- If present, version MUST be v3 220 // -- If present, version MUST be v3
221 // } 221 // }
222 bool ParseTbsCertificate(const der::Input& tbs_tlv, ParsedTbsCertificate* out) { 222 bool ParseTbsCertificate(const der::Input& tbs_tlv,
223 const ParseCertificateOptions& options,
224 ParsedTbsCertificate* out) {
223 der::Parser parser(tbs_tlv); 225 der::Parser parser(tbs_tlv);
224 226
225 // Certificate ::= SEQUENCE { 227 // Certificate ::= SEQUENCE {
226 der::Parser tbs_parser; 228 der::Parser tbs_parser;
227 if (!parser.ReadSequence(&tbs_parser)) 229 if (!parser.ReadSequence(&tbs_parser))
228 return false; 230 return false;
229 231
230 // version [0] EXPLICIT Version DEFAULT v1, 232 // version [0] EXPLICIT Version DEFAULT v1,
231 der::Input version; 233 der::Input version;
232 bool has_version; 234 bool has_version;
233 if (!tbs_parser.ReadOptionalTag(der::ContextSpecificConstructed(0), &version, 235 if (!tbs_parser.ReadOptionalTag(der::ContextSpecificConstructed(0), &version,
234 &has_version)) { 236 &has_version)) {
235 return false; 237 return false;
236 } 238 }
237 if (has_version) { 239 if (has_version) {
238 if (!ParseVersion(version, &out->version)) 240 if (!ParseVersion(version, &out->version))
239 return false; 241 return false;
240 if (out->version == CertificateVersion::V1) { 242 if (out->version == CertificateVersion::V1) {
241 // The correct way to specify v1 is to omit the version field since v1 is 243 // The correct way to specify v1 is to omit the version field since v1 is
242 // the DEFAULT. 244 // the DEFAULT.
243 return false; 245 return false;
244 } 246 }
245 } else { 247 } else {
246 out->version = CertificateVersion::V1; 248 out->version = CertificateVersion::V1;
247 } 249 }
248 250
249 // serialNumber CertificateSerialNumber, 251 // serialNumber CertificateSerialNumber,
250 if (!tbs_parser.ReadTag(der::kInteger, &out->serial_number)) 252 if (!tbs_parser.ReadTag(der::kInteger, &out->serial_number))
251 return false; 253 return false;
252 if (!VerifySerialNumber(out->serial_number)) 254 if (!options.allow_invalid_serial_numbers &&
255 !VerifySerialNumber(out->serial_number)) {
253 return false; 256 return false;
257 }
254 258
255 // signature AlgorithmIdentifier, 259 // signature AlgorithmIdentifier,
256 if (!ReadSequenceTLV(&tbs_parser, &out->signature_algorithm_tlv)) 260 if (!ReadSequenceTLV(&tbs_parser, &out->signature_algorithm_tlv))
257 return false; 261 return false;
258 262
259 // issuer Name, 263 // issuer Name,
260 if (!ReadSequenceTLV(&tbs_parser, &out->issuer_tlv)) 264 if (!ReadSequenceTLV(&tbs_parser, &out->issuer_tlv))
261 return false; 265 return false;
262 266
263 // validity Validity, 267 // validity Validity,
(...skipping 404 matching lines...) Expand 10 before | Expand all | Expand 10 after
668 out_ca_issuers_uris->push_back(uri); 672 out_ca_issuers_uris->push_back(uri);
669 else if (access_method_oid == AdOcspOid()) 673 else if (access_method_oid == AdOcspOid())
670 out_ocsp_uris->push_back(uri); 674 out_ocsp_uris->push_back(uri);
671 } 675 }
672 } 676 }
673 677
674 return true; 678 return true;
675 } 679 }
676 680
677 } // namespace net 681 } // namespace net
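Review bot: The new guard at lines 254-257 (new side) skips `VerifySerialNumber` entirely when `options.allow_invalid_serial_numbers` is set, which is broader than the issue's stated goal of accepting serial numbers longer than 20 bytes; every other constraint that helper enforces (its body is outside this view, but the RFC 5280 positive-INTEGER requirement is the usual one) is waived along with the length cap. Consider keeping the helper on the path unconditionally and relaxing only the length limit, e.g. `if (!VerifySerialNumber(out->serial_number, options.allow_invalid_serial_numbers))` with the helper applying the 20-byte cap only when the flag is false, so a caller opting in still gets the encoding checks. At minimum, a comment next to the guard should state exactly which constraint the option relaxes, e.g. `// Cast certificates may exceed the 20-byte serial limit; all other checks in VerifySerialNumber are still expected to apply`, so the option is not read as a general escape hatch. `ParseTbsCertificate` continues past the end of this hunk.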
