Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(190)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/cert/cert_verify_proc_android.cc

Issue 614353006: Detect SHA-1 when it appears in certificate chains (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@2171
Patch Set: Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « no previous file | net/cert/cert_verify_proc_mac.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/cert/cert_verify_proc_android.cc
diff --git a/net/cert/cert_verify_proc_android.cc b/net/cert/cert_verify_proc_android.cc
index bd747267a2e0c293465020e2ff35497d806f8c74..9c99444d8e381a866a5f43aa1968f54ede006516 100644
--- a/net/cert/cert_verify_proc_android.cc
+++ b/net/cert/cert_verify_proc_android.cc
@@ -4,6 +4,8 @@
#include "net/cert/cert_verify_proc_android.h"
+#include <openssl/x509v3.h>
+
#include <string>
#include <vector>
@@ -71,6 +73,36 @@ bool VerifyFromAndroidTrustManager(const std::vector<std::string>& cert_bytes,
verify_result->verified_cert = verified_cert;
}
+ // Extract the algorithm information from the certs
+ X509Certificate::OSCertHandles chain;
+ const X509Certificate::OSCertHandles& intermediates =
+ verify_result->verified_cert->GetIntermediateCertificates();
+ chain.push_back(verify_result->verified_cert->os_cert_handle());
+ chain.insert(chain.end(), intermediates.begin(), intermediates.end());
+
+ // If the chain successfully verified, ignore the trust anchor (the last
+ // certificate). Otherwise, assume the chain is partial. This is not entirely
+ // correct, as a full chain may have been constructed and then failed to
+ // validate. However, if that is the case, the more serious error will
+ // override any SHA-1 considerations.
+ size_t correction_for_root = (status == android::VERIFY_OK) ? 1 : 0;
+ for (size_t i = 0; i < chain.size() - correction_for_root; ++i) {
+ int sig_alg = OBJ_obj2nid(chain[i]->sig_alg->algorithm);
+ if (sig_alg == NID_md2WithRSAEncryption) {
+ verify_result->has_md2 = true;
+ } else if (sig_alg == NID_md4WithRSAEncryption) {
+ verify_result->has_md4 = true;
+ } else if (sig_alg == NID_md5WithRSAEncryption ||
+ sig_alg == NID_md5WithRSA) {
+ verify_result->has_md5 = true;
+ } else if (sig_alg == NID_sha1WithRSAEncryption ||
+ sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 ||
+ sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA ||
+ sig_alg == NID_ecdsa_with_SHA1) {
+ verify_result->has_sha1 = true;
+ }
+ }
+
// Extract the public key hashes.
for (size_t i = 0; i < verified_chain.size(); i++) {
base::StringPiece spki_bytes;
« no previous file with comments | « no previous file | net/cert/cert_verify_proc_mac.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698