Reject certificate chains containing small RSA and DSA keys.

"Small" means less than 1024 bits.

BUG=102949
TEST=net_unittests, X509CertificateTest.*

Review URL: http://codereview.chromium.org/8568040

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@114709 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 0 deletions

diff --git a/net/base/cert_status_flags.cc b/net/base/cert_status_flags.cc
index d897df5..153327f 100644
--- a/net/base/cert_status_flags.cc
+++ b/net/base/cert_status_flags.cc
@@ -41,6 +41,8 @@ CertStatus MapNetErrorToCertStatus(int error) {
       return CERT_STATUS_INVALID;
     case ERR_CERT_WEAK_SIGNATURE_ALGORITHM:
       return CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
+    case ERR_CERT_WEAK_KEY:
+      return CERT_STATUS_WEAK_KEY;
     case ERR_CERT_NOT_IN_DNS:
       return CERT_STATUS_NOT_IN_DNS;
     default:
@@ -65,6 +67,8 @@ int MapCertStatusToNetError(CertStatus cert_status) {
     return ERR_CERT_COMMON_NAME_INVALID;
   if (cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM)
     return ERR_CERT_WEAK_SIGNATURE_ALGORITHM;
+  if (cert_status & CERT_STATUS_WEAK_KEY)
+    return ERR_CERT_WEAK_KEY;
   if (cert_status & CERT_STATUS_DATE_INVALID)
     return ERR_CERT_DATE_INVALID;