OLD | NEW |
---|---|
1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/cert/internal/verify_certificate_chain.h" | 5 #include "net/cert/internal/verify_certificate_chain.h" |
6 | 6 |
7 #include <memory> | 7 #include <memory> |
8 | 8 |
9 #include "base/logging.h" | 9 #include "base/logging.h" |
10 #include "base/memory/ptr_util.h" | 10 #include "base/memory/ptr_util.h" |
(...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
128 } | 128 } |
129 | 129 |
130 if (cert.tbs().validity_not_after < time) { | 130 if (cert.tbs().validity_not_after < time) { |
131 errors->AddError(kValidityFailedNotAfter); | 131 errors->AddError(kValidityFailedNotAfter); |
132 return false; | 132 return false; |
133 } | 133 } |
134 | 134 |
135 return true; | 135 return true; |
136 } | 136 } |
137 | 137 |
138 // Returns true if |signature_algorithm_tlv| is a valid algorithm encoding for | |
139 // RSA with SHA1. | |
140 WARN_UNUSED_RESULT bool IsRsaWithSha1SignatureAlgorithm( | |
141 const der::Input& signature_algorithm_tlv) { | |
142 std::unique_ptr<SignatureAlgorithm> algorithm = | |
143 SignatureAlgorithm::Create(signature_algorithm_tlv, nullptr); | |
144 | |
145 return algorithm && | |
146 algorithm->algorithm() == SignatureAlgorithmId::RsaPkcs1 && | |
147 algorithm->digest() == DigestAlgorithm::Sha1; | |
148 } | |
149 | |
150 // Returns true if |cert| has internally consistent signature algorithms. | 138 // Returns true if |cert| has internally consistent signature algorithms. |
151 // | 139 // |
152 // X.509 certificates contain two different signature algorithms: | 140 // X.509 certificates contain two different signature algorithms: |
153 // (1) The signatureAlgorithm field of Certificate | 141 // (1) The signatureAlgorithm field of Certificate |
154 // (2) The signature field of TBSCertificate | 142 // (2) The signature field of TBSCertificate |
155 // | 143 // |
156 // According to RFC 5280 section 4.1.1.2 and 4.1.2.3 these two fields must be | 144 // According to RFC 5280 section 4.1.1.2 and 4.1.2.3 these two fields must be |
157 // equal: | 145 // equal: |
158 // | 146 // |
159 // This field MUST contain the same algorithm identifier as the | 147 // This field MUST contain the same algorithm identifier as the |
(...skipping 10 matching lines...) Expand all Loading... | |
170 const ParsedCertificate& cert, | 158 const ParsedCertificate& cert, |
171 CertErrors* errors) { | 159 CertErrors* errors) { |
172 const der::Input& alg1_tlv = cert.signature_algorithm_tlv(); | 160 const der::Input& alg1_tlv = cert.signature_algorithm_tlv(); |
173 const der::Input& alg2_tlv = cert.tbs().signature_algorithm_tlv; | 161 const der::Input& alg2_tlv = cert.tbs().signature_algorithm_tlv; |
174 | 162 |
175 // Ensure that the two DER-encoded signature algorithms are byte-for-byte | 163 // Ensure that the two DER-encoded signature algorithms are byte-for-byte |
176 // equal. | 164 // equal. |
177 if (alg1_tlv == alg2_tlv) | 165 if (alg1_tlv == alg2_tlv) |
178 return true; | 166 return true; |
179 | 167 |
180 // But make a compatibility concession for RSA with SHA1. | 168 // But make a compatibility concession if alternate encodings are used |
181 if (IsRsaWithSha1SignatureAlgorithm(alg1_tlv) && | 169 // TODO(eroman): Turn this warning into an error. |
182 IsRsaWithSha1SignatureAlgorithm(alg2_tlv)) { | 170 if (!SignatureAlgorithm::IsEquivalent(alg1_tlv, alg2_tlv)) { |
mattm
2017/03/04 02:34:27
is the ! here correct? Seems like that's backwards
eroman
2017/03/07 23:43:00
Thanks for spotting that bug!
Ugh. I will follow-u
| |
183 errors->AddWarning( | 171 errors->AddWarning( |
184 kSignatureAlgorithmsDifferentEncoding, | 172 kSignatureAlgorithmsDifferentEncoding, |
185 CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv, | 173 CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv, |
186 "TBSCertificate.signature", alg2_tlv)); | 174 "TBSCertificate.signature", alg2_tlv)); |
187 return true; | 175 return true; |
188 } | 176 } |
189 | 177 |
190 errors->AddError( | 178 errors->AddError( |
191 kSignatureAlgorithmMismatch, | 179 kSignatureAlgorithmMismatch, |
192 CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv, | 180 CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv, |
(...skipping 424 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
617 | 605 |
618 // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1: | 606 // TODO(eroman): RFC 5280 forbids duplicate certificates per section 6.1: |
619 // | 607 // |
620 // A certificate MUST NOT appear more than once in a prospective | 608 // A certificate MUST NOT appear more than once in a prospective |
621 // certification path. | 609 // certification path. |
622 | 610 |
623 return true; | 611 return true; |
624 } | 612 } |
625 | 613 |
626 } // namespace net | 614 } // namespace net |
OLD | NEW |