net/cert/internal/verify_certificate_chain.cc - Issue 2731603002: Check TBSCertificate.algorithm and Certificate.signatureAlgorithm for

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/cert/internal/verify_certificate_chain.cc

Issue 2731603002: Check TBSCertificate.algorithm and Certificate.signatureAlgorithm for (Closed)

Patch Set: fix Created 3 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: net/cert/internal/verify_certificate_chain.cc

diff --git a/net/cert/internal/verify_certificate_chain.cc b/net/cert/internal/verify_certificate_chain.cc

index 33f831e6e364c650cc281fe4e449c8f6fe17c0a2..4e15109a5667b9e00d96c527ee35e05fb1897f3a 100644

--- a/net/cert/internal/verify_certificate_chain.cc

+++ b/net/cert/internal/verify_certificate_chain.cc

@@ -135,18 +135,6 @@ WARN_UNUSED_RESULT bool VerifyTimeValidity(const ParsedCertificate& cert,

return true;

}

-// Returns true if |signature_algorithm_tlv| is a valid algorithm encoding for

-// RSA with SHA1.

-WARN_UNUSED_RESULT bool IsRsaWithSha1SignatureAlgorithm(

- const der::Input& signature_algorithm_tlv) {

- std::unique_ptr<SignatureAlgorithm> algorithm =

- SignatureAlgorithm::Create(signature_algorithm_tlv, nullptr);

- return algorithm &&

- algorithm->algorithm() == SignatureAlgorithmId::RsaPkcs1 &&

- algorithm->digest() == DigestAlgorithm::Sha1;

// Returns true if |cert| has internally consistent signature algorithms.

// X.509 certificates contain two different signature algorithms:

@@ -177,9 +165,9 @@ WARN_UNUSED_RESULT bool VerifySignatureAlgorithmsMatch(

if (alg1_tlv == alg2_tlv)

return true;

- // But make a compatibility concession for RSA with SHA1.

- if (IsRsaWithSha1SignatureAlgorithm(alg1_tlv) &&

- IsRsaWithSha1SignatureAlgorithm(alg2_tlv)) {

+ // But make a compatibility concession if alternate encodings are used

+ // TODO(eroman): Turn this warning into an error.

+ if (!SignatureAlgorithm::IsEquivalent(alg1_tlv, alg2_tlv)) {

mattm 2017/03/04 02:34:27 is the ! here correct? Seems like that's backwards

eroman 2017/03/07 23:43:00 Thanks for spotting that bug! Ugh. I will follow-u

errors->AddWarning(

kSignatureAlgorithmsDifferentEncoding,

CreateCertErrorParams2Der("Certificate.algorithm", alg1_tlv,