Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(174)

Unified Diff: net/cert/internal/verify_certificate_chain.cc

Issue 2731603002: Check TBSCertificate.algorithm and Certificate.signatureAlgorithm for (Closed)
Patch Set: Use rsleevi's background comment Created 3 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « net/cert/internal/signature_algorithm.cc ('k') | net/cert/x509_certificate.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/internal/verify_certificate_chain.cc
diff --git a/net/cert/internal/verify_certificate_chain.cc b/net/cert/internal/verify_certificate_chain.cc
index 33f831e6e364c650cc281fe4e449c8f6fe17c0a2..041a6fc7842ac05a50db891396273ace78567ce4 100644
--- a/net/cert/internal/verify_certificate_chain.cc
+++ b/net/cert/internal/verify_certificate_chain.cc
@@ -135,18 +135,6 @@ WARN_UNUSED_RESULT bool VerifyTimeValidity(const ParsedCertificate& cert,
return true;
}
-// Returns true if |signature_algorithm_tlv| is a valid algorithm encoding for
-// RSA with SHA1.
-WARN_UNUSED_RESULT bool IsRsaWithSha1SignatureAlgorithm(
- const der::Input& signature_algorithm_tlv) {
- std::unique_ptr<SignatureAlgorithm> algorithm =
- SignatureAlgorithm::Create(signature_algorithm_tlv, nullptr);
-
- return algorithm &&
- algorithm->algorithm() == SignatureAlgorithmId::RsaPkcs1 &&
- algorithm->digest() == DigestAlgorithm::Sha1;
-}
-
// Returns true if |cert| has internally consistent signature algorithms.
//
// X.509 certificates contain two different signature algorithms:
@@ -177,9 +165,10 @@ WARN_UNUSED_RESULT bool VerifySignatureAlgorithmsMatch(
if (alg1_tlv == alg2_tlv)
return true;
- // But make a compatibility concession for RSA with SHA1.
- if (IsRsaWithSha1SignatureAlgorithm(alg1_tlv) &&
- IsRsaWithSha1SignatureAlgorithm(alg2_tlv)) {
+ // But make a compatibility concession if alternate encodings are used
+ // TODO(eroman): Turn this warning into an error.
+ // TODO(eroman): Add a unit-test that exercises this case.
+ if (SignatureAlgorithm::IsEquivalent(alg1_tlv, alg2_tlv)) {
errors->AddWarning(
kSignatureAlgorithmsDifferentEncoding,
CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv,
« no previous file with comments | « net/cert/internal/signature_algorithm.cc ('k') | net/cert/x509_certificate.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698