OLD | NEW |
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/signature_policy.h" | 5 #include "net/cert/internal/signature_policy.h" |
6 | 6 |
7 #include "base/logging.h" | 7 #include "base/logging.h" |
8 #include "net/cert/internal/cert_error_params.h" | 8 #include "net/cert/internal/cert_error_params.h" |
9 #include "net/cert/internal/cert_errors.h" | 9 #include "net/cert/internal/cert_errors.h" |
10 #include "third_party/boringssl/src/include/openssl/obj.h" | 10 #include "third_party/boringssl/src/include/openssl/obj.h" |
22 CertErrors* errors) { | 22 CertErrors* errors) { |
23 if (modulus_length_bits < min_length_bits) { | 23 if (modulus_length_bits < min_length_bits) { |
24 errors->AddError(kRsaModulusTooSmall, | 24 errors->AddError(kRsaModulusTooSmall, |
25 CreateCertErrorParams2SizeT("actual", modulus_length_bits, | 25 CreateCertErrorParams2SizeT("actual", modulus_length_bits, |
26 "minimum", min_length_bits)); | 26 "minimum", min_length_bits)); |
27 return false; | 27 return false; |
28 } | 28 } |
29 return true; | 29 return true; |
30 } | 30 } |
31 | 31 |
| 32 // Whitelist of default permitted signature digest algorithms. |
| 33 WARN_UNUSED_RESULT bool IsAcceptableDigest(DigestAlgorithm digest) { |
| 34 switch (digest) { |
| 35 case DigestAlgorithm::Md2: |
| 36 case DigestAlgorithm::Md4: |
| 37 case DigestAlgorithm::Md5: |
| 38 return false; |
| 39 |
| 40 case DigestAlgorithm::Sha1: |
| 41 case DigestAlgorithm::Sha256: |
| 42 case DigestAlgorithm::Sha384: |
| 43 case DigestAlgorithm::Sha512: |
| 44 return true; |
| 45 } |
| 46 |
| 47 return false; |
| 48 } |
| 49 |
32 } // namespace | 50 } // namespace |
33 | 51 |
34 bool SignaturePolicy::IsAcceptableSignatureAlgorithm( | 52 bool SignaturePolicy::IsAcceptableSignatureAlgorithm( |
35 const SignatureAlgorithm& algorithm, | 53 const SignatureAlgorithm& algorithm, |
36 CertErrors* errors) const { | 54 CertErrors* errors) const { |
37 return true; | 55 // Whitelist default permitted signature algorithms to: |
| 56 // |
| 57 // RSA PKCS#1 v1.5 |
| 58 // RSASSA-PSS |
| 59 // ECDSA |
| 60 // |
| 61 // When used with digest algorithms: |
| 62 // |
| 63 // SHA1 |
| 64 // SHA256 |
| 65 // SHA384 |
| 66 // SHA512 |
| 67 switch (algorithm.algorithm()) { |
| 68 case SignatureAlgorithmId::Ecdsa: |
| 69 case SignatureAlgorithmId::RsaPkcs1: |
| 70 return IsAcceptableDigest(algorithm.digest()); |
| 71 case SignatureAlgorithmId::RsaPss: |
| 72 return IsAcceptableDigest(algorithm.digest()) && |
| 73 IsAcceptableDigest(algorithm.ParamsForRsaPss()->mgf1_hash()); |
| 74 } |
| 75 |
| 76 return false; |
38 } | 77 } |
39 | 78 |
40 bool SignaturePolicy::IsAcceptableCurveForEcdsa(int curve_nid, | 79 bool SignaturePolicy::IsAcceptableCurveForEcdsa(int curve_nid, |
41 CertErrors* errors) const { | 80 CertErrors* errors) const { |
| 81 // Whitelist default permitted named curves. |
42 switch (curve_nid) { | 82 switch (curve_nid) { |
43 case NID_X9_62_prime256v1: | 83 case NID_X9_62_prime256v1: |
44 case NID_secp384r1: | 84 case NID_secp384r1: |
45 case NID_secp521r1: | 85 case NID_secp521r1: |
46 return true; | 86 return true; |
47 } | 87 } |
48 | 88 |
49 errors->AddError(kUnacceptableCurveForEcdsa); | 89 errors->AddError(kUnacceptableCurveForEcdsa); |
50 return false; | 90 return false; |
51 } | 91 } |
52 | 92 |
53 bool SignaturePolicy::IsAcceptableModulusLengthForRsa( | 93 bool SignaturePolicy::IsAcceptableModulusLengthForRsa( |
54 size_t modulus_length_bits, | 94 size_t modulus_length_bits, |
55 CertErrors* errors) const { | 95 CertErrors* errors) const { |
56 return IsModulusSizeGreaterOrEqual(modulus_length_bits, 2048, errors); | 96 return IsModulusSizeGreaterOrEqual(modulus_length_bits, 2048, errors); |
57 } | 97 } |
58 | 98 |
59 SimpleSignaturePolicy::SimpleSignaturePolicy(size_t min_rsa_modulus_length_bits) | 99 SimpleSignaturePolicy::SimpleSignaturePolicy(size_t min_rsa_modulus_length_bits) |
60 : min_rsa_modulus_length_bits_(min_rsa_modulus_length_bits) {} | 100 : min_rsa_modulus_length_bits_(min_rsa_modulus_length_bits) {} |
61 | 101 |
62 bool SimpleSignaturePolicy::IsAcceptableModulusLengthForRsa( | 102 bool SimpleSignaturePolicy::IsAcceptableModulusLengthForRsa( |
63 size_t modulus_length_bits, | 103 size_t modulus_length_bits, |
64 CertErrors* errors) const { | 104 CertErrors* errors) const { |
65 return IsModulusSizeGreaterOrEqual(modulus_length_bits, | 105 return IsModulusSizeGreaterOrEqual(modulus_length_bits, |
66 min_rsa_modulus_length_bits_, errors); | 106 min_rsa_modulus_length_bits_, errors); |
67 } | 107 } |
68 | 108 |
69 } // namespace net | 109 } // namespace net |
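Review bot: IsAcceptableSignatureAlgorithm (new lines 52-77) now rejects MD2/MD4/MD5 digests and unknown algorithm ids without ever writing to `errors`, whereas IsAcceptableCurveForEcdsa and IsModulusSizeGreaterOrEqual in this same file call `errors->AddError(...)` before returning false. A caller therefore sees a failed verification with no recorded reason, so I would store the result and add an error on the rejecting path, e.g. `if (!ok) errors->AddError(<NEW_ERROR_ID>);`, where the id is a placeholder for a new error defined next to kUnacceptableCurveForEcdsa. Separately, IsAcceptableDigest keeps SHA-1 on the default allow-list; if that is deliberate for compatibility, a comment such as `// SHA-1 is still accepted by default for compatibility; stricter policies should override this.` would make the intent explicit. The RsaPss branch also dereferences `algorithm.ParamsForRsaPss()` unchecked, which is presumably safe because the id is RsaPss, but a `DCHECK` on the pointer would document that assumption.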