OLD | NEW |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/base/x509_certificate.h" | 5 #include "net/base/x509_certificate.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 | 8 |
9 #include <algorithm> | 9 #include <algorithm> |
10 #include <map> | 10 #include <map> |
(...skipping 579 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
590 | 590 |
591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); | 591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); |
592 | 592 |
593 // This check is done after VerifyInternal so that VerifyInternal can fill in | 593 // This check is done after VerifyInternal so that VerifyInternal can fill in |
594 // the list of public key hashes. | 594 // the list of public key hashes. |
595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { | 595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { |
596 verify_result->cert_status |= CERT_STATUS_REVOKED; | 596 verify_result->cert_status |= CERT_STATUS_REVOKED; |
597 rv = MapCertStatusToNetError(verify_result->cert_status); | 597 rv = MapCertStatusToNetError(verify_result->cert_status); |
598 } | 598 } |
599 | 599 |
| 600 // Treat certificates signed using broken signature algorithms as invalid. |
| 601 if (verify_result->has_md2 || verify_result->has_md4) { |
| 602 verify_result->cert_status |= CERT_STATUS_INVALID; |
| 603 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 604 } |
| 605 |
| 606 // Flag certificates using weak signature algorithms. |
| 607 if (verify_result->has_md5) { |
| 608 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; |
| 609 // Avoid replacing a more serious error, such as an OS/library failure, |
| 610 // by ensuring that if verification failed, it failed with a certificate |
| 611 // error. |
| 612 if (rv == OK || IsCertificateError(rv)) |
| 613 rv = MapCertStatusToNetError(verify_result->cert_status); |
| 614 } |
| 615 |
600 return rv; | 616 return rv; |
601 } | 617 } |
602 | 618 |
603 #if !defined(USE_NSS) | 619 #if !defined(USE_NSS) |
604 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { | 620 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { |
605 std::vector<std::string> dns_names, ip_addrs; | 621 std::vector<std::string> dns_names, ip_addrs; |
606 GetSubjectAltName(&dns_names, &ip_addrs); | 622 GetSubjectAltName(&dns_names, &ip_addrs); |
607 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); | 623 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); |
608 } | 624 } |
609 #endif | 625 #endif |
(...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
798 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, | 814 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, |
799 const uint8* array, | 815 const uint8* array, |
800 size_t array_byte_len) { | 816 size_t array_byte_len) { |
801 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); | 817 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); |
802 const size_t arraylen = array_byte_len / base::kSHA1Length; | 818 const size_t arraylen = array_byte_len / base::kSHA1Length; |
803 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, | 819 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, |
804 CompareSHA1Hashes); | 820 CompareSHA1Hashes); |
805 } | 821 } |
806 | 822 |
807 } // namespace net | 823 } // namespace net |
OLD | NEW |