Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(122)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/base/x509_certificate.cc

Issue 8374020: Make it a fatal SSL error when encountering certs signed with md[2,4], and interstitial md5 (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: wtc feedback Created 9 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | net/base/x509_certificate_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "net/base/x509_certificate.h" 5 #include "net/base/x509_certificate.h"
6 6
7 #include <stdlib.h> 7 #include <stdlib.h>
8 8
9 #include <algorithm> 9 #include <algorithm>
10 #include <map> 10 #include <map>
(...skipping 579 matching lines...) Expand 10 before | Expand all | Expand 10 after
590 590
591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result); 591 int rv = VerifyInternal(hostname, flags, crl_set, verify_result);
592 592
593 // This check is done after VerifyInternal so that VerifyInternal can fill in 593 // This check is done after VerifyInternal so that VerifyInternal can fill in
594 // the list of public key hashes. 594 // the list of public key hashes.
595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) { 595 if (IsPublicKeyBlacklisted(verify_result->public_key_hashes)) {
596 verify_result->cert_status |= CERT_STATUS_REVOKED; 596 verify_result->cert_status |= CERT_STATUS_REVOKED;
597 rv = MapCertStatusToNetError(verify_result->cert_status); 597 rv = MapCertStatusToNetError(verify_result->cert_status);
598 } 598 }
599 599
600 // Treat certificates signed using broken signature algorithms as invalid.
601 if (verify_result->has_md2 || verify_result->has_md4) {
602 verify_result->cert_status |= CERT_STATUS_INVALID;
603 rv = MapCertStatusToNetError(verify_result->cert_status);
604 }
605
606 // Flag certificates using weak signature algorithms.
607 if (verify_result->has_md5) {
608 verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
609 // Avoid replacing a more serious error, such as an OS/library failure,
610 // by ensuring that if verification failed, it failed with a certificate
611 // error.
612 if (rv == OK || IsCertificateError(rv))
613 rv = MapCertStatusToNetError(verify_result->cert_status);
614 }
615
600 return rv; 616 return rv;
601 } 617 }
602 618
603 #if !defined(USE_NSS) 619 #if !defined(USE_NSS)
604 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const { 620 bool X509Certificate::VerifyNameMatch(const std::string& hostname) const {
605 std::vector<std::string> dns_names, ip_addrs; 621 std::vector<std::string> dns_names, ip_addrs;
606 GetSubjectAltName(&dns_names, &ip_addrs); 622 GetSubjectAltName(&dns_names, &ip_addrs);
607 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs); 623 return VerifyHostname(hostname, subject_.common_name, dns_names, ip_addrs);
608 } 624 }
609 #endif 625 #endif
(...skipping 188 matching lines...) Expand 10 before | Expand all | Expand 10 after
798 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash, 814 bool X509Certificate::IsSHA1HashInSortedArray(const SHA1Fingerprint& hash,
799 const uint8* array, 815 const uint8* array,
800 size_t array_byte_len) { 816 size_t array_byte_len) {
801 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length); 817 DCHECK_EQ(0u, array_byte_len % base::kSHA1Length);
802 const size_t arraylen = array_byte_len / base::kSHA1Length; 818 const size_t arraylen = array_byte_len / base::kSHA1Length;
803 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length, 819 return NULL != bsearch(hash.data, array, arraylen, base::kSHA1Length,
804 CompareSHA1Hashes); 820 CompareSHA1Hashes);
805 } 821 }
806 822
807 } // namespace net 823 } // namespace net
OLDNEW
« no previous file with comments | « no previous file | net/base/x509_certificate_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698