Chromium Code Reviews Chromium Code Reviews
Issue 509273002:
Detect SHA-1 when it appears in certificate chains (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@cert_status_extended| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/cert/cert_verify_proc_openssl.h" | 5 #include "net/cert/cert_verify_proc_openssl.h" |
| 6 | 6 |
| 7 #include <openssl/x509v3.h> | 7 #include <openssl/x509v3.h> |
| 8 | 8 |
| 9 #include <string> | 9 #include <string> |
| 10 #include <vector> | 10 #include <vector> |
| (...skipping 99 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 110 } | 110 } |
| 111 | 111 |
| 112 // Only check the algorithm status for certificates that are not in the | 112 // Only check the algorithm status for certificates that are not in the |
| 113 // trust store. | 113 // trust store. |
| 114 if (i < static_cast<size_t>(store_ctx->last_untrusted)) { | 114 if (i < static_cast<size_t>(store_ctx->last_untrusted)) { |
| 115 int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm); | 115 int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm); |
| 116 if (sig_alg == NID_md2WithRSAEncryption) { | 116 if (sig_alg == NID_md2WithRSAEncryption) { |
| 117 verify_result->has_md2 = true; | 117 verify_result->has_md2 = true; |
| 118 } else if (sig_alg == NID_md4WithRSAEncryption) { | 118 } else if (sig_alg == NID_md4WithRSAEncryption) { |
| 119 verify_result->has_md4 = true; | 119 verify_result->has_md4 = true; |
| 120 } else if (sig_alg == NID_md5WithRSAEncryption) { | 120 } else if (sig_alg == NID_md5WithRSAEncryption || |
| 121 sig_alg == NID_md5WithRSA) { | |
| 121 verify_result->has_md5 = true; | 122 verify_result->has_md5 = true; |
| 123 } else if (sig_alg == NID_sha1WithRSAEncryption || | |
| 124 sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 || | |
| 125 sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA || | |
|
davidben
2014/08/28 19:42:08
Aside: BoringSSL actually can't verify DSA signatu
Ryan Sleevi
2014/09/26 20:18:43
Right, I'm fairly certain it will be an error befo
| |
| 126 sig_alg == NID_ecdsa_with_SHA1) { | |
| 127 verify_result->has_sha1 = true; | |
| 122 } | 128 } |
| 123 } | 129 } |
| 124 } | 130 } |
| 125 | 131 |
| 126 // Set verify_result->verified_cert and | 132 // Set verify_result->verified_cert and |
| 127 // verify_result->is_issued_by_known_root. | 133 // verify_result->is_issued_by_known_root. |
| 128 if (verified_cert) { | 134 if (verified_cert) { |
| 129 verify_result->verified_cert = | 135 verify_result->verified_cert = |
| 130 X509Certificate::CreateFromHandle(verified_cert, verified_chain); | 136 X509Certificate::CreateFromHandle(verified_cert, verified_chain); |
| 131 | 137 |
| (...skipping 100 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 232 | 238 |
| 233 GetCertChainInfo(ctx.get(), verify_result); | 239 GetCertChainInfo(ctx.get(), verify_result); |
| 234 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); | 240 AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes); |
| 235 if (IsCertStatusError(verify_result->cert_status)) | 241 if (IsCertStatusError(verify_result->cert_status)) |
| 236 return MapCertStatusToNetError(verify_result->cert_status); | 242 return MapCertStatusToNetError(verify_result->cert_status); |
| 237 | 243 |
| 238 return OK; | 244 return OK; |
| 239 } | 245 } |
| 240 | 246 |
| 241 } // namespace net | 247 } // namespace net |
| OLD | NEW |
