author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-06-13 22:43:37 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-06-13 22:43:37 +0000 |
commit | c598dbec7db3bbdccc87a66a32c8a683afa976be (patch) | |
tree | 9f74f6dc68be0b571660ee11fbb779e555227970 | |
parent | 4e5703ba1b7d0e6557e724ac2432b24bad386643 (diff) | |
Do not treat weak keys (<1024 bits || MD5) as fatal errors
A pending system update from Microsoft, detailed at
http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
will change the behaviour of CertGetCertificateChain such that it will
appropriately flag weak keys in the CERT_TRUST_STATUS.dwError field.
To avoid mapping this to CERT_STATUS_INVALID, handle the new error code and
map it to CERT_STATUS_WEAK_KEY.
BUG=none
TEST=net_unittests continue passing on Win when this change is released.
Review URL: https://chromiumcodereview.appspot.com/10537153
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@142008 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | net/base/cert_verify_proc_win.cc | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/net/base/cert_verify_proc_win.cc b/net/base/cert_verify_proc_win.cc
index 7e1aa43..045ea16 100644
--- a/net/base/cert_verify_proc_win.cc
+++ b/net/base/cert_verify_proc_win.cc
@@ -23,6 +23,12 @@
 #pragma comment(lib, "crypt32.lib")
+#if !defined(CERT_TRUST_HAS_WEAK_SIGNATURE)
+// This was introduced in Windows 8 / Windows Server 2012, but retroactively
+// ported as far back as Windows XP via system update.
+#define CERT_TRUST_HAS_WEAK_SIGNATURE 0x00100000
+#endif
+
 namespace net {
 namespace {
@@ -140,9 +146,23 @@ int MapCertChainErrorStatusToCertStatus(DWORD error_status) {
 cert_status |= CERT_STATUS_INVALID;
 }
+ if (error_status & CERT_TRUST_IS_NOT_SIGNATURE_VALID) {
+ // Check for a signature that does not meet the OS criteria for strong
+ // signatures.
+ // Note: These checks may be more restrictive than the current weak key
+ // criteria implemented within CertVerifier, such as excluding SHA-1 or
+ // excluding RSA keys < 2048 bits. However, if the user has configured
+ // these more stringent checks, respect that configuration and err on the
+ // more restrictive criteria.
+ if (error_status & CERT_TRUST_HAS_WEAK_SIGNATURE) {
+ cert_status |= CERT_STATUS_WEAK_KEY;
+ } else {
+ cert_status |= CERT_STATUS_INVALID;
+ }
+ }
+
 // The rest of the errors.
 const DWORD kCertInvalidErrors =
- CERT_TRUST_IS_NOT_SIGNATURE_VALID |
 CERT_TRUST_IS_CYCLIC |
 CERT_TRUST_INVALID_EXTENSION |
 CERT_TRUST_INVALID_POLICY_CONSTRAINTS | |
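Review bot: The fallback `#define CERT_TRUST_HAS_WEAK_SIGNATURE 0x00100000` in the first hunk hard-codes an SDK constant without saying where the value comes from, so a later reader cannot check it against the platform headers. I would extend the comment with `// Value mirrors the definition in newer wincrypt.h; keep the two in sync.` Going by the commit message, the OS reports this bit only once the system update is installed, so the same comment could state that the flag is never set on systems without it.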
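Review bot: In the new `CERT_TRUST_IS_NOT_SIGNATURE_VALID` branch of MapCertChainErrorStatusToCertStatus (second hunk), the presence of `CERT_TRUST_HAS_WEAK_SIGNATURE` suppresses `CERT_STATUS_INVALID` entirely. If `error_status` is a chain-level value that combines the flags of every chain element (the caller is outside this hunk, so this is an assumption), a chain with one weakly signed certificate and one whose signature genuinely fails to verify would be reported as weak-key only, which the commit title suggests is the less severe outcome. The comment should at least record that assumption, e.g. `// Assumes the weak-signature flag accounts for the signature failure; a mixed chain is reported as WEAK_KEY only.` A unit test feeding both flag combinations to this function would pin the mapping, since the TEST line relies only on existing tests continuing to pass. The function body starts and ends outside the hunk.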