
Unified Diff: net/cert/internal/certificate_policies.cc

Issue 2923903002: Reject certificates that contain unknown policy qualifiers if the (Closed)
Patch Set: update ios files Created 3 years, 6 months ago
Index: net/cert/internal/certificate_policies.cc
diff --git a/net/cert/internal/certificate_policies.cc b/net/cert/internal/certificate_policies.cc
index 58f2dc99a1959cb472f4d7b0766cd848a141354e..4ef81e4f14f1f67e4c0f66a958bfcfebbe60fa79 100644
--- a/net/cert/internal/certificate_policies.cc
+++ b/net/cert/internal/certificate_policies.cc
@@ -39,7 +39,7 @@ const der::Input UserNoticeId() {
// Ignores the policyQualifiers, but does some minimal correctness checking.
// TODO(mattm): parse and return the policyQualifiers, since the cert viewer
// still needs to display them.
-bool ParsePolicyQualifiers(const der::Input& policy_oid,
+bool ParsePolicyQualifiers(bool restrict_to_known_qualifiers,
der::Parser* policy_qualifiers_sequence_parser) {
// If it is present, the policyQualifiers sequence should have at least 1
// element.
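Review bot: The header comment at the top of the hunk still says the function only "does some minimal correctness checking" and says nothing about the new `restrict_to_known_qualifiers` parameter, which now decides whether an unrecognised qualifier OID is a parse failure. I would add, directly above the signature: `// If |restrict_to_known_qualifiers| is true, a policyQualifierInfo whose qualifierId is neither id-qt-cps nor id-qt-unotice makes parsing fail; otherwise such qualifiers are not rejected on their OID alone.` What happens to the body of an unknown qualifier after the OID check is not visible in this hunk, so confirm that before promising anything stronger than "not rejected". The body of ParsePolicyQualifiers continues outside the hunk.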
@@ -54,10 +54,7 @@ bool ParsePolicyQualifiers(const der::Input& policy_oid,
der::Input qualifier_oid;
if (!policy_information_parser.ReadTag(der::kOid, &qualifier_oid))
return false;
- // RFC 5280 section 4.2.1.4: When qualifiers are used with the special
- // policy anyPolicy, they MUST be limited to the qualifiers identified in
- // this section.
- if (policy_oid == AnyPolicy() && qualifier_oid != CpsPointerId() &&
+ if (restrict_to_known_qualifiers && qualifier_oid != CpsPointerId() &&
qualifier_oid != UserNoticeId()) {
return false;
}
@@ -143,6 +140,7 @@ der::Input PolicyMappingsOid() {
// bmpString BMPString (SIZE (1..200)),
// utf8String UTF8String (SIZE (1..200)) }
bool ParseCertificatePoliciesExtension(const der::Input& extension_value,
+ bool fail_parsing_unknown_qualifier_oids,
std::vector<der::Input>* policies) {
der::Parser extension_parser(extension_value);
der::Parser policies_sequence_parser;
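Review bot: The new `fail_parsing_unknown_qualifier_oids` parameter is a bare bool, so call sites will read as `ParseCertificatePoliciesExtension(value, true, &policies)` with nothing at the call saying what `true` means, and its name differs from the helper's `restrict_to_known_qualifiers`, so a reader has to map one onto the other. Chromium usually avoids this with an `enum class` (something like `PolicyQualifierHandling { kRejectUnknown, kIgnoreUnknown }`) or, at minimum, a `/*fail_parsing_unknown_qualifier_oids=*/true` comment at each call site and the same name in both functions. Whichever is chosen, the comment above this signature should state that the RFC 5280 4.2.1.4 restriction for anyPolicy is enforced regardless of the flag, since the later hunk ORs `policy_oid == AnyPolicy()` into the helper's argument. The function's body continues outside this hunk.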
@@ -188,8 +186,15 @@ bool ParseCertificatePoliciesExtension(const der::Input& extension_value,
// Should not have trailing data after policyQualifiers sequence.
if (policy_information_parser.HasMore())
return false;
- if (!ParsePolicyQualifiers(policy_oid, &policy_qualifiers_sequence_parser))
+
+ // RFC 5280 section 4.2.1.4: When qualifiers are used with the special
+ // policy anyPolicy, they MUST be limited to the qualifiers identified in
+ // this section.
+ if (!ParsePolicyQualifiers(
+ fail_parsing_unknown_qualifier_oids || policy_oid == AnyPolicy(),
+ &policy_qualifiers_sequence_parser)) {
return false;
+ }
}
return true;
