Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(869)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc.cc

Issue 2627523002: Refactor the assignment of CertVerifyResult::has_md2, etc. (Closed)
Patch Set: fix PrintTo() Created 3 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_android.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc.cc
diff --git a/net/cert/cert_verify_proc.cc b/net/cert/cert_verify_proc.cc
index f047a7e2e45b7703718460709f8a0c7a341f22ea..a20ee3f24e29be7859a396241c23ccd30bdfdc01 100644
--- a/net/cert/cert_verify_proc.cc
+++ b/net/cert/cert_verify_proc.cc
@@ -369,6 +369,69 @@ bool AreSHA1IntermediatesAllowed() {
#endif
};
+// Sets the "has_*" boolean members in |verify_result| that correspond with
+// the the presence of |hash| somewhere in the certificate chain (excluding the
+// trust anchor).
+void MapHashAlgorithmToBool(X509Certificate::SignatureHashAlgorithm hash,
+ CertVerifyResult* verify_result) {
+ switch (hash) {
+ case X509Certificate::kSignatureHashAlgorithmMd2:
+ verify_result->has_md2 = true;
+ break;
+ case X509Certificate::kSignatureHashAlgorithmMd4:
+ verify_result->has_md4 = true;
+ break;
+ case X509Certificate::kSignatureHashAlgorithmMd5:
+ verify_result->has_md5 = true;
+ break;
+ case X509Certificate::kSignatureHashAlgorithmSha1:
+ verify_result->has_sha1 = true;
+ break;
+ case X509Certificate::kSignatureHashAlgorithmOther:
+ break;
+ }
+}
+
+// Sets to true the |verify_result->has_*| boolean members for the hash
+// algorithms present in the certificate chain.
+//
+// This considers the hash algorithms in all certificates except trusted
+// certificates.
+//
+// In the case of a successful verification the trust anchor is the final
+// certificate in the chain (either the final intermediate, or the leaf
+// certificate).
+//
+// Whereas if verification was uncessful, the chain may be partial, and the
+// final certificate may not be a trust anchor. This heuristic is used
+// in both successful and failed verifications, despite this ambiguity (failure
+// to tag one of the signature algorithms should only affect the final error).
+void ComputeSignatureHashAlgorithms(CertVerifyResult* verify_result) {
+ const X509Certificate::OSCertHandles& intermediates =
+ verify_result->verified_cert->GetIntermediateCertificates();
+
+ // If there are no intermediates, then the leaf is trusted or verification
+ // failed.
+ if (intermediates.empty())
+ return;
+
+ DCHECK(!verify_result->has_sha1);
+
+ // Fill in hash algorithms for the leaf certificate.
+ MapHashAlgorithmToBool(X509Certificate::GetSignatureHashAlgorithm(
+ verify_result->verified_cert->os_cert_handle()),
+ verify_result);
+ verify_result->has_sha1_leaf = verify_result->has_sha1;
+
+ // Fill in hash algorithms for the intermediate cerificates, excluding the
+ // final one (which is the trust anchor).
+ for (size_t i = 0; i + 1 < intermediates.size(); ++i) {
+ MapHashAlgorithmToBool(
+ X509Certificate::GetSignatureHashAlgorithm(intermediates[i]),
+ verify_result);
+ }
+}
+
} // namespace
// static
@@ -420,6 +483,8 @@ int CertVerifyProc::Verify(X509Certificate* cert,
int rv = VerifyInternal(cert, hostname, ocsp_response, flags, crl_set,
additional_trust_anchors, verify_result);
+ ComputeSignatureHashAlgorithms(verify_result);
+
UMA_HISTOGRAM_BOOLEAN("Net.CertCommonNameFallback",
verify_result->common_name_fallback_used);
if (!verify_result->is_issued_by_known_root) {
@@ -774,32 +839,4 @@ bool CertVerifyProc::HasTooLongValidity(const X509Certificate& cert) {
const base::Feature CertVerifyProc::kSHA1LegacyMode{
"SHA1LegacyMode", base::FEATURE_DISABLED_BY_DEFAULT};
-X509Certificate::SignatureHashAlgorithm FillCertVerifyResultWeakSignature(
- X509Certificate::OSCertHandle cert,
- bool is_leaf,
- CertVerifyResult* verify_result) {
- X509Certificate::SignatureHashAlgorithm hash =
- X509Certificate::GetSignatureHashAlgorithm(cert);
- switch (hash) {
- case X509Certificate::kSignatureHashAlgorithmMd2:
- verify_result->has_md2 = true;
- break;
- case X509Certificate::kSignatureHashAlgorithmMd4:
- verify_result->has_md4 = true;
- break;
- case X509Certificate::kSignatureHashAlgorithmMd5:
- verify_result->has_md5 = true;
- break;
- case X509Certificate::kSignatureHashAlgorithmSha1:
- verify_result->has_sha1 = true;
- if (is_leaf)
- verify_result->has_sha1_leaf = true;
- break;
- case X509Certificate::kSignatureHashAlgorithmOther:
- break;
- }
-
- return hash;
-}
-
} // namespace net
« no previous file with comments | « net/cert/cert_verify_proc.h ('k') | net/cert/cert_verify_proc_android.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698