When encountering certificates signed with md2/md4, make it a fatal error.

When encountering certificates signed with md5, interstitial the page with an error about md5 being a weak signing algorithm. This excludes checking the signatures of root certificates (trust anchors), as their self-signed signatures are not relevant to the security of the chain. R=wtc@chromium.org BUG=101123 Review URL: http://codereview.chromium.org/8374020 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@114432 0039d316-1c4b-4281-b951-d872f2087c98
author: rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-12-14 16:08:19 +0000
committer: rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2011-12-14 16:08:19 +0000
commit: 49684c749a9b96c701ec7c8f7ec17915d9d411e3 (patch)
tree: fd1f9c9131d9b4627273289beae8b3e4d27e71eb /net/base/x509_certificate_win.cc
parent: 3f2eeaf29909e7a68f4055059b423ae16b1f7f94 (diff)
download: chromium_src-49684c749a9b96c701ec7c8f7ec17915d9d411e3.zip
chromium_src-49684c749a9b96c701ec7c8f7ec17915d9d411e3.tar.gz
chromium_src-49684c749a9b96c701ec7c8f7ec17915d9d411e3.tar.bz2
1 files changed, 2 insertions, 8 deletions
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index c04ff4d0..c672dfc 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -866,6 +866,7 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
            chain_flags,
            NULL,  // reserved
            &chain_context)) {
+    verify_result->cert_status |= CERT_STATUS_INVALID;
     return MapSecurityError(GetLastError());
   }
 
@@ -884,6 +885,7 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
              chain_flags,
              NULL,  // reserved
              &chain_context)) {
+      verify_result->cert_status |= CERT_STATUS_INVALID;
       return MapSecurityError(GetLastError());
     }
   }
@@ -894,14 +896,6 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
   verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(
       chain_context->TrustStatus.dwErrorStatus);
 
-  // Treat certificates signed using broken signature algorithms as invalid.
-  if (verify_result->has_md4)
-    verify_result->cert_status |= CERT_STATUS_INVALID;
-
-  // Flag certificates signed using weak signature algorithms.
-  if (verify_result->has_md2)
-    verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
-
   // Flag certificates that have a Subject common name with a NULL character.
   if (CertSubjectCommonNameHasNull(cert_handle_))
     verify_result->cert_status |= CERT_STATUS_INVALID;
author	rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-12-14 16:08:19 +0000
committer	rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2011-12-14 16:08:19 +0000
commit	49684c749a9b96c701ec7c8f7ec17915d9d411e3 (patch)
tree	fd1f9c9131d9b4627273289beae8b3e4d27e71eb /net/base/x509_certificate_win.cc
parent	3f2eeaf29909e7a68f4055059b423ae16b1f7f94 (diff)
download	chromium_src-49684c749a9b96c701ec7c8f7ec17915d9d411e3.zip chromium_src-49684c749a9b96c701ec7c8f7ec17915d9d411e3.tar.gz chromium_src-49684c749a9b96c701ec7c8f7ec17915d9d411e3.tar.bz2