OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/cert_verify_proc_mac.h" | 5 #include "net/cert/cert_verify_proc_mac.h" |
6 | 6 |
7 #include <CommonCrypto/CommonDigest.h> | 7 #include <CommonCrypto/CommonDigest.h> |
8 #include <CoreServices/CoreServices.h> | 8 #include <CoreServices/CoreServices.h> |
9 #include <Security/Security.h> | 9 #include <Security/Security.h> |
10 | 10 |
197 } | 197 } |
198 if (!verified_cert) { | 198 if (!verified_cert) { |
199 NOTREACHED(); | 199 NOTREACHED(); |
200 return; | 200 return; |
201 } | 201 } |
202 | 202 |
203 verify_result->verified_cert = | 203 verify_result->verified_cert = |
204 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 204 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
205 } | 205 } |
206 | 206 |
| 207 // Returns true if the certificate uses MD2, MD4, MD5, or SHA1, and false |
| 208 // otherwise. A return of false also includes the case where the signature |
| 209 // algorithm couldn't be conclusively labeled as weak. |
| 210 bool CertUsesWeakHash(X509Certificate::OSCertHandle cert_handle) { |
| 211 x509_util::CSSMCachedCertificate cached_cert; |
| 212 OSStatus status = cached_cert.Init(cert_handle); |
| 213 if (status) |
| 214 return false; |
| 215 |
| 216 x509_util::CSSMFieldValue signature_field; |
| 217 status = |
| 218 cached_cert.GetField(&CSSMOID_X509V1SignatureAlgorithm, &signature_field); |
| 219 if (status || !signature_field.field()) |
| 220 return false; |
| 221 |
| 222 const CSSM_X509_ALGORITHM_IDENTIFIER* sig_algorithm = |
| 223 signature_field.GetAs<CSSM_X509_ALGORITHM_IDENTIFIER>(); |
| 224 if (!sig_algorithm) |
| 225 return false; |
| 226 |
| 227 const CSSM_OID* alg_oid = &sig_algorithm->algorithm; |
| 228 |
| 229 return (CSSMOIDEqual(alg_oid, &CSSMOID_MD2WithRSA) || |
| 230 CSSMOIDEqual(alg_oid, &CSSMOID_MD4WithRSA) || |
| 231 CSSMOIDEqual(alg_oid, &CSSMOID_MD5WithRSA) || |
| 232 CSSMOIDEqual(alg_oid, &CSSMOID_SHA1WithRSA) || |
| 233 CSSMOIDEqual(alg_oid, &CSSMOID_SHA1WithRSA_OIW) || |
| 234 CSSMOIDEqual(alg_oid, &CSSMOID_SHA1WithDSA) || |
| 235 CSSMOIDEqual(alg_oid, &CSSMOID_SHA1WithDSA_CMS) || |
| 236 CSSMOIDEqual(alg_oid, &CSSMOID_SHA1WithDSA_JDK) || |
| 237 CSSMOIDEqual(alg_oid, &CSSMOID_ECDSA_WithSHA1)); |
| 238 } |
| 239 |
207 // Returns true if the intermediates (excluding trusted certificates) use a | 240 // Returns true if the intermediates (excluding trusted certificates) use a |
208 // weak hashing algorithm, but the target does not use a weak hash. | 241 // weak hashing algorithm, but the target does not use a weak hash. |
209 bool IsWeakChainBasedOnHashingAlgorithms( | 242 bool IsWeakChainBasedOnHashingAlgorithms( |
210 CFArrayRef cert_chain, | 243 CFArrayRef cert_chain, |
211 CSSM_TP_APPLE_EVIDENCE_INFO* chain_info) { | 244 CSSM_TP_APPLE_EVIDENCE_INFO* chain_info) { |
212 DCHECK_LT(0, CFArrayGetCount(cert_chain)); | 245 DCHECK_LT(0, CFArrayGetCount(cert_chain)); |
213 | 246 |
214 bool intermediates_contain_weak_hash = false; | 247 bool intermediates_contain_weak_hash = false; |
215 bool leaf_uses_weak_hash = false; | 248 bool leaf_uses_weak_hash = false; |
216 | 249 |
217 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { | 250 for (CFIndex i = 0, count = CFArrayGetCount(cert_chain); i < count; ++i) { |
218 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( | 251 SecCertificateRef chain_cert = reinterpret_cast<SecCertificateRef>( |
219 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); | 252 const_cast<void*>(CFArrayGetValueAtIndex(cert_chain, i))); |
220 | 253 |
221 if ((chain_info[i].StatusBits & CSSM_CERT_STATUS_IS_IN_ANCHORS) || | 254 if ((chain_info[i].StatusBits & CSSM_CERT_STATUS_IS_IN_ANCHORS) || |
222 (chain_info[i].StatusBits & CSSM_CERT_STATUS_IS_ROOT)) { | 255 (chain_info[i].StatusBits & CSSM_CERT_STATUS_IS_ROOT)) { |
223 // The current certificate is either in the user's trusted store or is | 256 // The current certificate is either in the user's trusted store or is |
224 // a root (self-signed) certificate. Ignore the signature algorithm for | 257 // a root (self-signed) certificate. Ignore the signature algorithm for |
225 // these certificates, as it is meaningless for security. We allow | 258 // these certificates, as it is meaningless for security. We allow |
226 // self-signed certificates (i == 0 & IS_ROOT), since we accept that | 259 // self-signed certificates (i == 0 & IS_ROOT), since we accept that |
227 // any security assertions by such a cert are inherently meaningless. | 260 // any security assertions by such a cert are inherently meaningless. |
228 continue; | 261 continue; |
229 } | 262 } |
230 | 263 |
231 X509Certificate::SignatureHashAlgorithm hash_algorithm = | 264 if (CertUsesWeakHash(chain_cert)) { |
232 X509Certificate::GetSignatureHashAlgorithm(chain_cert); | 265 if (i == 0) { |
233 | 266 leaf_uses_weak_hash = true; |
234 switch (hash_algorithm) { | 267 } else { |
235 case X509Certificate::kSignatureHashAlgorithmMd2: | 268 intermediates_contain_weak_hash = true; |
236 case X509Certificate::kSignatureHashAlgorithmMd4: | 269 } |
237 case X509Certificate::kSignatureHashAlgorithmMd5: | |
238 case X509Certificate::kSignatureHashAlgorithmSha1: | |
239 if (i == 0) { | |
240 leaf_uses_weak_hash = true; | |
241 } else { | |
242 intermediates_contain_weak_hash = true; | |
243 } | |
244 break; | |
245 case X509Certificate::kSignatureHashAlgorithmOther: | |
246 break; | |
247 } | 270 } |
248 } | 271 } |
249 | 272 |
250 return !leaf_uses_weak_hash && intermediates_contain_weak_hash; | 273 return !leaf_uses_weak_hash && intermediates_contain_weak_hash; |
251 } | 274 } |
252 | 275 |
253 using ExtensionsMap = std::map<net::der::Input, net::ParsedExtension>; | 276 using ExtensionsMap = std::map<net::der::Input, net::ParsedExtension>; |
254 | 277 |
255 // Helper that looks up an extension by OID given a map of extensions. | 278 // Helper that looks up an extension by OID given a map of extensions. |
256 bool GetExtensionValue(const ExtensionsMap& extensions, | 279 bool GetExtensionValue(const ExtensionsMap& extensions, |
1073 // EV cert and it was covered by CRLSets or revocation checking passed. | 1096 // EV cert and it was covered by CRLSets or revocation checking passed. |
1074 verify_result->cert_status |= CERT_STATUS_IS_EV; | 1097 verify_result->cert_status |= CERT_STATUS_IS_EV; |
1075 } | 1098 } |
1076 | 1099 |
1077 return OK; | 1100 return OK; |
1078 } | 1101 } |
1079 | 1102 |
1080 } // namespace net | 1103 } // namespace net |
1081 | 1104 |
1082 #pragma clang diagnostic pop // "-Wdeprecated-declarations" | 1105 #pragma clang diagnostic pop // "-Wdeprecated-declarations" |
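Review bot: In CertUsesWeakHash (new lines 210-238) every failure path (`cached_cert.Init()` failing, `GetField()` failing, `GetAs<>()` returning null) returns false, the same value as a strong signature, so the caller at new line 264 counts an intermediate whose signature algorithm could not be read as not weak. The function's header comment states this, but the call site does not; I would add `// CertUsesWeakHash() also returns false when the algorithm cannot be read, so such certs count as not weak here.` above the `if (CertUsesWeakHash(chain_cert))` line. The match is also made on the algorithm OID alone, so an identifier that carries its digest in the parameters (RSASSA-PSS, for instance) would presumably fall through to false as well. If that is intended, the header comment could say that the list covers only OIDs that name the hash directly.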