net/cert/cert_verify_proc_android.cc - Issue 509273002: Detect SHA-1 when it appears in certificate chains

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: net/cert/cert_verify_proc_android.cc

Issue 509273002: Detect SHA-1 when it appears in certificate chains (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@cert_status_extended

Patch Set: Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/cert/cert_verify_proc_android.cc

diff --git a/net/cert/cert_verify_proc_android.cc b/net/cert/cert_verify_proc_android.cc

index bd747267a2e0c293465020e2ff35497d806f8c74..8bd7e54f2f417cd12c9cb69f7bbdca20fb6c109f 100644

--- a/net/cert/cert_verify_proc_android.cc

+++ b/net/cert/cert_verify_proc_android.cc

@@ -4,6 +4,8 @@

#include "net/cert/cert_verify_proc_android.h"

+#include <openssl/x509v3.h>

#include <string>

#include <vector>

@@ -71,6 +73,38 @@ bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,

verify_result->verified_cert = verified_cert;

}

+ // Extract the algorithm information from the certs

+ X509Certificate::OSCertHandles chain;

+ const X509Certificate::OSCertHandles& intermediates =

+ verify_result->verified_cert->GetIntermediateCertificates();

+ chain.push_back(verify_result->verified_cert->os_cert_handle());

+ chain.insert(chain.end(), intermediates.begin(), intermediates.end());

+ // If a root certificate is present, ignore its signature algorithm. If it

+ // is unclear whether or not a root is present, assume the chain is a full,

+ // but unverified, chain.

davidben 2014/08/28 19:42:08 Is this comment accurate? If we were unable to bui

+ size_t correction_for_root =

+ (verify_result->cert_status &

+ (CERT_STATUS_AUTHORITY_INVALID | CERT_STATUS_INVALID))

+ ? 0

+ : 1;

+ for (size_t i = 0; i < chain.size() - correction_for_root; ++i) {

+ int sig_alg = OBJ_obj2nid(chain[i]->sig_alg->algorithm);

+ if (sig_alg == NID_md2WithRSAEncryption) {

+ verify_result->has_md2 = true;

+ } else if (sig_alg == NID_md4WithRSAEncryption) {

+ verify_result->has_md4 = true;

+ } else if (sig_alg == NID_md5WithRSAEncryption ||

+ sig_alg == NID_md5WithRSA) {

+ verify_result->has_md5 = true;

+ } else if (sig_alg == NID_sha1WithRSAEncryption ||

+ sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 ||

+ sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA ||

+ sig_alg == NID_ecdsa_with_SHA1) {

+ verify_result->has_sha1 = true;

+ }

// Extract the public key hashes.

for (size_t i = 0; i < verified_chain.size(); i++) {

base::StringPiece spki_bytes;

« no previous file with comments | « no previous file | net/cert/cert_verify_proc_mac.cc » ('j') | net/cert/cert_verify_proc_nss.cc » ('J')