components/cast_certificate/cast_cert_validator.cc - Issue 2093223002: Allow Cast certificates to have serial numbers greater than 20 bytes, as well as non-minimal INTEGE…

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: components/cast_certificate/cast_cert_validator.cc

Issue 2093223002: Allow Cast certificates to have serial numbers greater than 20 bytes, as well as non-minimal INTEGE… (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@2743

Patch Set: Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: components/cast_certificate/cast_cert_validator.cc

diff --git a/components/cast_certificate/cast_cert_validator.cc b/components/cast_certificate/cast_cert_validator.cc

index b83ad541174068c04236a0af64260beda24bc4c5..0282b3029bb84c71c1c1c3654c69abf2be3ba2db 100644

--- a/components/cast_certificate/cast_cert_validator.cc

+++ b/components/cast_certificate/cast_cert_validator.cc

@@ -164,6 +164,22 @@ bool HasClientAuth(const std::vector<net::der::Input>& ekus) {

return false;

}

+// Returns the parsing options used for Cast certificates.

+net::ParseCertificateOptions GetCertParsingOptions() {

+ net::ParseCertificateOptions options;

+ // Some cast intermediate certificates contain serial numbers that are

+ // 21 octets long, and might also not use valid DER encoding for an

+ // INTEGER (non-minimal encoding).

+ //

+ // Allow these sorts of serial numbers.

+ //

+ // TODO(eroman): At some point in the future this workaround will no longer be

+ // necessary. Should revisit this for removal in 2017 if not earlier.

+ options.allow_invalid_serial_numbers = true;

+ return options;

// Checks properties on the target certificate.

// * The Key Usage must include Digital Signature

@@ -185,7 +201,8 @@ WARN_UNUSED_RESULT bool CheckTargetCertificate(

return false;

net::ParsedTbsCertificate tbs;

- if (!net::ParseTbsCertificate(tbs_certificate_tlv, &tbs))

+ if (!net::ParseTbsCertificate(tbs_certificate_tlv, GetCertParsingOptions(),

+ &tbs))

return false;

// Get the extensions.

@@ -273,9 +290,9 @@ bool VerifyDeviceCert(const std::vector<std::string>& certs,

// Do RFC 5280 compatible certificate verification using the two Cast

// trust anchors and Cast signature policy.

- if (!net::VerifyCertificateChain(input_chain, CastTrustStore::Get(),

- signature_policy.get(),

- ConvertExplodedTime(time))) {

+ if (!net::VerifyCertificateChain(

+ input_chain, GetCertParsingOptions(), CastTrustStore::Get(),

+ signature_policy.get(), ConvertExplodedTime(time))) {

return false;

}

« no previous file with comments | « no previous file | components/cast_certificate/cast_cert_validator_unittest.cc » ('j') | no next file with comments »