Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(228)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/cert/internal/signature_policy.cc

Issue 2728953003: Add support for MD2, MD4, and MD5 to SignatureAlgorithm. (Closed)
Patch Set: wow. dumb Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/cert/internal/signature_algorithm_unittest.cc ('k') | net/cert/internal/verify_signed_data.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright 2015 The Chromium Authors. All rights reserved. 1 // Copyright 2015 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/cert/internal/signature_policy.h" 5 #include "net/cert/internal/signature_policy.h"
6 6
7 #include "base/logging.h" 7 #include "base/logging.h"
8 #include "net/cert/internal/cert_error_params.h" 8 #include "net/cert/internal/cert_error_params.h"
9 #include "net/cert/internal/cert_errors.h" 9 #include "net/cert/internal/cert_errors.h"
10 #include "third_party/boringssl/src/include/openssl/obj.h" 10 #include "third_party/boringssl/src/include/openssl/obj.h"
(...skipping 11 matching lines...) Expand all
22 CertErrors* errors) { 22 CertErrors* errors) {
23 if (modulus_length_bits < min_length_bits) { 23 if (modulus_length_bits < min_length_bits) {
24 errors->AddError(kRsaModulusTooSmall, 24 errors->AddError(kRsaModulusTooSmall,
25 CreateCertErrorParams2SizeT("actual", modulus_length_bits, 25 CreateCertErrorParams2SizeT("actual", modulus_length_bits,
26 "minimum", min_length_bits)); 26 "minimum", min_length_bits));
27 return false; 27 return false;
28 } 28 }
29 return true; 29 return true;
30 } 30 }
31 31
32 // Whitelist of default permitted signature digest algorithms.
33 WARN_UNUSED_RESULT bool IsAcceptableDigest(DigestAlgorithm digest) {
34 switch (digest) {
35 case DigestAlgorithm::Md2:
36 case DigestAlgorithm::Md4:
37 case DigestAlgorithm::Md5:
38 return false;
39
40 case DigestAlgorithm::Sha1:
41 case DigestAlgorithm::Sha256:
42 case DigestAlgorithm::Sha384:
43 case DigestAlgorithm::Sha512:
44 return true;
45 }
46
47 return false;
48 }
49
32 } // namespace 50 } // namespace
33 51
34 bool SignaturePolicy::IsAcceptableSignatureAlgorithm( 52 bool SignaturePolicy::IsAcceptableSignatureAlgorithm(
35 const SignatureAlgorithm& algorithm, 53 const SignatureAlgorithm& algorithm,
36 CertErrors* errors) const { 54 CertErrors* errors) const {
37 return true; 55 // Whitelist default permitted signature algorithms to:
56 //
57 // RSA PKCS#1 v1.5
58 // RSASSA-PSS
59 // ECDSA
60 //
61 // When used with digest algorithms:
62 //
63 // SHA1
64 // SHA256
65 // SHA384
66 // SHA512
67 switch (algorithm.algorithm()) {
68 case SignatureAlgorithmId::Ecdsa:
69 case SignatureAlgorithmId::RsaPkcs1:
70 return IsAcceptableDigest(algorithm.digest());
71 case SignatureAlgorithmId::RsaPss:
72 return IsAcceptableDigest(algorithm.digest()) &&
73 IsAcceptableDigest(algorithm.ParamsForRsaPss()->mgf1_hash());
74 }
75
76 return false;
38 } 77 }
39 78
40 bool SignaturePolicy::IsAcceptableCurveForEcdsa(int curve_nid, 79 bool SignaturePolicy::IsAcceptableCurveForEcdsa(int curve_nid,
41 CertErrors* errors) const { 80 CertErrors* errors) const {
81 // Whitelist default permitted named curves.
42 switch (curve_nid) { 82 switch (curve_nid) {
43 case NID_X9_62_prime256v1: 83 case NID_X9_62_prime256v1:
44 case NID_secp384r1: 84 case NID_secp384r1:
45 case NID_secp521r1: 85 case NID_secp521r1:
46 return true; 86 return true;
47 } 87 }
48 88
49 errors->AddError(kUnacceptableCurveForEcdsa); 89 errors->AddError(kUnacceptableCurveForEcdsa);
50 return false; 90 return false;
51 } 91 }
52 92
53 bool SignaturePolicy::IsAcceptableModulusLengthForRsa( 93 bool SignaturePolicy::IsAcceptableModulusLengthForRsa(
54 size_t modulus_length_bits, 94 size_t modulus_length_bits,
55 CertErrors* errors) const { 95 CertErrors* errors) const {
56 return IsModulusSizeGreaterOrEqual(modulus_length_bits, 2048, errors); 96 return IsModulusSizeGreaterOrEqual(modulus_length_bits, 2048, errors);
57 } 97 }
58 98
59 SimpleSignaturePolicy::SimpleSignaturePolicy(size_t min_rsa_modulus_length_bits) 99 SimpleSignaturePolicy::SimpleSignaturePolicy(size_t min_rsa_modulus_length_bits)
60 : min_rsa_modulus_length_bits_(min_rsa_modulus_length_bits) {} 100 : min_rsa_modulus_length_bits_(min_rsa_modulus_length_bits) {}
61 101
62 bool SimpleSignaturePolicy::IsAcceptableModulusLengthForRsa( 102 bool SimpleSignaturePolicy::IsAcceptableModulusLengthForRsa(
63 size_t modulus_length_bits, 103 size_t modulus_length_bits,
64 CertErrors* errors) const { 104 CertErrors* errors) const {
65 return IsModulusSizeGreaterOrEqual(modulus_length_bits, 105 return IsModulusSizeGreaterOrEqual(modulus_length_bits,
66 min_rsa_modulus_length_bits_, errors); 106 min_rsa_modulus_length_bits_, errors);
67 } 107 }
68 108
69 } // namespace net 109 } // namespace net
OLDNEW
« no previous file with comments | « net/cert/internal/signature_algorithm_unittest.cc ('k') | net/cert/internal/verify_signed_data.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698