author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-11-03 03:44:29 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-11-03 03:44:29 +0000 |
commit | 226a88215117198f1b3216419fc8fac4f8538162 (patch) | |
tree | b6d461e5a10992ce028e3127307978c171c77020 /net | |
parent | 15d90ba0a25fae850e207773315ebf8cfcc58056 (diff) | |
Record when certificates signed with md[2,4,5] are encountered when using OpenSSL
R=joth@chromium.org
BUG=101123
Review URL: http://codereview.chromium.org/8368015
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@108425 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/x509_certificate_openssl.cc | 95 | ||||
-rw-r--r-- | net/base/x509_certificate_unittest.cc | 5 |
2 files changed, 63 insertions, 37 deletions
diff --git a/net/base/x509_certificate_openssl.cc b/net/base/x509_certificate_openssl.cc
index 8583e4d..5612d61 100644
--- a/net/base/x509_certificate_openssl.cc
+++ b/net/base/x509_certificate_openssl.cc
@@ -300,6 +300,66 @@ bool GetDERAndCacheIfNeeded(X509Certificate::OSCertHandle cert,
 return true;
 }
 
+void GetCertChainInfo(X509_STORE_CTX* store_ctx,
+ CertVerifyResult* verify_result) {
+ STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
+ X509* verified_cert = NULL;
+ std::vector<X509*> verified_chain;
+ for (int i = 0; i < sk_X509_num(chain); ++i) {
+ X509* cert = sk_X509_value(chain, i);
+ if (i == 0) {
+ verified_cert = cert;
+ } else {
+ verified_chain.push_back(cert);
+ }
+
+ // Only check the algorithm status for certificates that are not in the
+ // trust store.
+ if (i < store_ctx->last_untrusted) {
+ int sig_alg = OBJ_obj2nid(cert->sig_alg->algorithm);
+ if (sig_alg == NID_md2WithRSAEncryption) {
+ verify_result->has_md2 = true;
+ if (i != 0)
+ verify_result->has_md2_ca = true;
+ } else if (sig_alg == NID_md4WithRSAEncryption) {
+ verify_result->has_md4 = true;
+ } else if (sig_alg == NID_md5WithRSAEncryption) {
+ verify_result->has_md5 = true;
+ if (i != 0)
+ verify_result->has_md5_ca = true;
+ }
+ }
+ }
+
+ if (verified_cert) {
+ verify_result->verified_cert =
+ X509Certificate::CreateFromHandle(verified_cert, verified_chain);
+ }
+}
+
+void AppendPublicKeyHashes(X509_STORE_CTX* store_ctx,
+ std::vector<SHA1Fingerprint>* hashes) {
+ STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(store_ctx);
+ for (int i = 0; i < sk_X509_num(chain); ++i) {
+ X509* cert = sk_X509_value(chain, i);
+
+ DERCache der_cache;
+ if (!GetDERAndCacheIfNeeded(cert, &der_cache))
+ continue;
+
+ base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data),
+ der_cache.data_length);
+ base::StringPiece spki_bytes;
+ if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
+ continue;
+
+ SHA1Fingerprint hash;
+ base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
+ spki_bytes.size(), hash.data);
+ hashes->push_back(hash);
+ }
+}
+
 } // namespace
 
 // static
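Review bot: The digest check in GetCertChainInfo matches only the PKCS#1 `md*WithRSAEncryption` NIDs, so a chain certificate whose signature AlgorithmIdentifier carries the older OIW `md5WithRSA` OID (NID_md5WithRSA in OpenSSL) would pass through without setting has_md5; if OpenSSL accepts that OID when verifying the chain, the flag should cover it too, e.g. `} else if (sig_alg == NID_md5WithRSAEncryption || sig_alg == NID_md5WithRSA) {`. Both new functions also read OpenSSL struct internals directly (`store_ctx->last_untrusted`, `cert->sig_alg->algorithm`), which ties them to the library's private layout and deserves a comment saying so. Neither function has a header comment; I would add `// Records in |verify_result| which untrusted chain certificates are signed with MD2/MD4/MD5 and sets verified_cert to the chain OpenSSL built.` above GetCertChainInfo and `// Appends the SHA-1 hash of each chain certificate's SubjectPublicKeyInfo to |hashes|; certificates whose DER or SPKI cannot be extracted are skipped.` above AppendPublicKeyHashes.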
@@ -489,41 +549,12 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
 verify_result->cert_status |= cert_status;
 }
 
+ GetCertChainInfo(ctx.get(), verify_result);
+
 if (IsCertStatusError(verify_result->cert_status))
 return MapCertStatusToNetError(verify_result->cert_status);
 
- STACK_OF(X509)* chain = X509_STORE_CTX_get_chain(ctx.get());
- X509* verified_cert = NULL;
- std::vector<X509*> verified_chain;
- for (int i = 0; i < sk_X509_num(chain); ++i) {
- X509* cert = sk_X509_value(chain, i);
- if (i == 0) {
- verified_cert = cert;
- } else {
- verified_chain.push_back(cert);
- }
-
- DERCache der_cache;
- if (!GetDERAndCacheIfNeeded(cert, &der_cache))
- continue;
-
- base::StringPiece der_bytes(reinterpret_cast<const char*>(der_cache.data),
- der_cache.data_length);
- base::StringPiece spki_bytes;
- if (!asn1::ExtractSPKIFromDERCert(der_bytes, &spki_bytes))
- continue;
-
- SHA1Fingerprint hash;
- base::SHA1HashBytes(reinterpret_cast<const uint8*>(spki_bytes.data()),
- spki_bytes.size(), hash.data);
- verify_result->public_key_hashes.push_back(hash);
- }
-
- if (verified_cert) {
- verify_result->verified_cert = CreateFromHandle(verified_cert,
- verified_chain);
- }
-
+ AppendPublicKeyHashes(ctx.get(), &verify_result->public_key_hashes);
 // Currently we only ues OpenSSL's default root CA paths, so treat all
 // correctly verified certs as being from a known root. TODO(joth): if the
 // motivations described in http://src.chromium.org/viewvc/chrome?view=rev&revision=80778
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 17bb919..010aba73 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
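Review bot: Calling GetCertChainInfo before the IsCertStatusError return means verified_cert and the has_md* flags are now populated for chains that fail verification, while public_key_hashes is still only appended on success; nothing at the call site explains that asymmetry. If it is intended, so that a weak-digest chain is reported even when verification failed, a comment such as `// Record chain info before bailing out so weak-digest status is reported even for failed chains.` above the GetCertChainInfo call would make it clear to the next reader. The new AppendPublicKeyHashes call is also immediately followed by the unrelated root-CA comment with no blank line between them, which reads as if that comment documents the call. VerifyInternal's body begins and ends outside this hunk, so I cannot see whether an earlier return path leaves verified_cert unset.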
@@ -1490,9 +1490,6 @@ TEST_P(X509CertificateNameVerifyTest, VerifyHostname) {
 INSTANTIATE_TEST_CASE_P(, X509CertificateNameVerifyTest,
 testing::ValuesIn(kNameVerifyTestData));
 
-// Not implemented on OpenSSL - http://crbug.com/101123
-#if defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
-
 struct WeakDigestTestData {
 const char* root_cert_filename;
 const char* intermediate_cert_filename;
@@ -1697,6 +1694,4 @@ WRAPPED_INSTANTIATE_TEST_CASE_P(
 X509CertificateWeakDigestTest,
 testing::ValuesIn(kVerifyMixedTestData));
 
-#endif // defined(USE_NSS) || defined(OS_WIN) || defined(OS_MACOSX)
-
 } // namespace net