summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--net/base/x509_certificate.cc16
-rw-r--r--net/base/x509_certificate_unittest.cc31
-rw-r--r--net/base/x509_certificate_win.cc10
3 files changed, 48 insertions, 9 deletions
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index efb19ee..06eb662 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -597,6 +597,22 @@ int X509Certificate::Verify(const std::string& hostname,
rv = MapCertStatusToNetError(verify_result->cert_status);
}
+ // Treat certificates signed using broken signature algorithms as invalid.
+ if (verify_result->has_md2 || verify_result->has_md4) {
+ verify_result->cert_status |= CERT_STATUS_INVALID;
+ rv = MapCertStatusToNetError(verify_result->cert_status);
+ }
+
+ // Flag certificates using weak signature algorithms.
+ if (verify_result->has_md5) {
+ verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
+ // Avoid replacing a more serious error, such as an OS/library failure,
+ // by ensuring that if verification failed, it failed with a certificate
+ // error.
+ if (rv == OK || IsCertificateError(rv))
+ rv = MapCertStatusToNetError(verify_result->cert_status);
+ }
+
return rv;
}
diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc
index 686f20f..c6bca86 100644
--- a/net/base/x509_certificate_unittest.cc
+++ b/net/base/x509_certificate_unittest.cc
@@ -1613,12 +1613,41 @@ TEST_P(X509CertificateWeakDigestTest, Verify) {
int flags = 0;
CertVerifyResult verify_result;
- ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result);
+ int rv = ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result);
EXPECT_EQ(data.expected_has_md5, verify_result.has_md5);
EXPECT_EQ(data.expected_has_md4, verify_result.has_md4);
EXPECT_EQ(data.expected_has_md2, verify_result.has_md2);
EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca);
EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca);
+
+ // Ensure that MD4 and MD2 are tagged as invalid.
+ if (data.expected_has_md4 || data.expected_has_md2) {
+ EXPECT_EQ(CERT_STATUS_INVALID,
+ verify_result.cert_status & CERT_STATUS_INVALID);
+ }
+
+ // Ensure that MD5 is flagged as weak.
+ if (data.expected_has_md5) {
+ EXPECT_EQ(
+ CERT_STATUS_WEAK_SIGNATURE_ALGORITHM,
+ verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM);
+ }
+
+ // If a root cert is present, then check that the chain was rejected if any
+ // weak algorithms are present. This is only checked when a root cert is
+ // present because the error reported for incomplete chains with weak
+ // algorithms depends on which implementation was used to validate (NSS,
+ // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm
+ // present (MD2, MD4, MD5).
+ if (data.root_cert_filename) {
+ if (data.expected_has_md4 || data.expected_has_md2) {
+ EXPECT_EQ(ERR_CERT_INVALID, rv);
+ } else if (data.expected_has_md5) {
+ EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv);
+ } else {
+ EXPECT_EQ(OK, rv);
+ }
+ }
}
// Unlike TEST/TEST_F, which are macros that expand to further macros,
diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc
index c04ff4d0..c672dfc 100644
--- a/net/base/x509_certificate_win.cc
+++ b/net/base/x509_certificate_win.cc
@@ -866,6 +866,7 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
chain_flags,
NULL, // reserved
&chain_context)) {
+ verify_result->cert_status |= CERT_STATUS_INVALID;
return MapSecurityError(GetLastError());
}
@@ -884,6 +885,7 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
chain_flags,
NULL, // reserved
&chain_context)) {
+ verify_result->cert_status |= CERT_STATUS_INVALID;
return MapSecurityError(GetLastError());
}
}
@@ -894,14 +896,6 @@ int X509Certificate::VerifyInternal(const std::string& hostname,
verify_result->cert_status |= MapCertChainErrorStatusToCertStatus(
chain_context->TrustStatus.dwErrorStatus);
- // Treat certificates signed using broken signature algorithms as invalid.
- if (verify_result->has_md4)
- verify_result->cert_status |= CERT_STATUS_INVALID;
-
- // Flag certificates signed using weak signature algorithms.
- if (verify_result->has_md2)
- verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM;
-
// Flag certificates that have a Subject common name with a NULL character.
if (CertSubjectCommonNameHasNull(cert_handle_))
verify_result->cert_status |= CERT_STATUS_INVALID;