diff options
-rw-r--r-- | net/base/x509_certificate.cc | 16 | ||||
-rw-r--r-- | net/base/x509_certificate_unittest.cc | 31 | ||||
-rw-r--r-- | net/base/x509_certificate_win.cc | 10 |
3 files changed, 48 insertions, 9 deletions
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc index efb19ee..06eb662 100644 --- a/net/base/x509_certificate.cc +++ b/net/base/x509_certificate.cc @@ -597,6 +597,22 @@ int X509Certificate::Verify(const std::string& hostname, rv = MapCertStatusToNetError(verify_result->cert_status); } + // Treat certificates signed using broken signature algorithms as invalid. + if (verify_result->has_md2 || verify_result->has_md4) { + verify_result->cert_status |= CERT_STATUS_INVALID; + rv = MapCertStatusToNetError(verify_result->cert_status); + } + + // Flag certificates using weak signature algorithms. + if (verify_result->has_md5) { + verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; + // Avoid replacing a more serious error, such as an OS/library failure, + // by ensuring that if verification failed, it failed with a certificate + // error. + if (rv == OK || IsCertificateError(rv)) + rv = MapCertStatusToNetError(verify_result->cert_status); + } + return rv; } diff --git a/net/base/x509_certificate_unittest.cc b/net/base/x509_certificate_unittest.cc index 686f20f..c6bca86 100644 --- a/net/base/x509_certificate_unittest.cc +++ b/net/base/x509_certificate_unittest.cc @@ -1613,12 +1613,41 @@ TEST_P(X509CertificateWeakDigestTest, Verify) { int flags = 0; CertVerifyResult verify_result; - ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result); + int rv = ee_chain->Verify("127.0.0.1", flags, NULL, &verify_result); EXPECT_EQ(data.expected_has_md5, verify_result.has_md5); EXPECT_EQ(data.expected_has_md4, verify_result.has_md4); EXPECT_EQ(data.expected_has_md2, verify_result.has_md2); EXPECT_EQ(data.expected_has_md5_ca, verify_result.has_md5_ca); EXPECT_EQ(data.expected_has_md2_ca, verify_result.has_md2_ca); + + // Ensure that MD4 and MD2 are tagged as invalid. + if (data.expected_has_md4 || data.expected_has_md2) { + EXPECT_EQ(CERT_STATUS_INVALID, + verify_result.cert_status & CERT_STATUS_INVALID); + } + + // Ensure that MD5 is flagged as weak. + if (data.expected_has_md5) { + EXPECT_EQ( + CERT_STATUS_WEAK_SIGNATURE_ALGORITHM, + verify_result.cert_status & CERT_STATUS_WEAK_SIGNATURE_ALGORITHM); + } + + // If a root cert is present, then check that the chain was rejected if any + // weak algorithms are present. This is only checked when a root cert is + // present because the error reported for incomplete chains with weak + // algorithms depends on which implementation was used to validate (NSS, + // OpenSSL, CryptoAPI, Security.framework) and upon which weak algorithm + // present (MD2, MD4, MD5). + if (data.root_cert_filename) { + if (data.expected_has_md4 || data.expected_has_md2) { + EXPECT_EQ(ERR_CERT_INVALID, rv); + } else if (data.expected_has_md5) { + EXPECT_EQ(ERR_CERT_WEAK_SIGNATURE_ALGORITHM, rv); + } else { + EXPECT_EQ(OK, rv); + } + } } // Unlike TEST/TEST_F, which are macros that expand to further macros, diff --git a/net/base/x509_certificate_win.cc b/net/base/x509_certificate_win.cc index c04ff4d0..c672dfc 100644 --- a/net/base/x509_certificate_win.cc +++ b/net/base/x509_certificate_win.cc @@ -866,6 +866,7 @@ int X509Certificate::VerifyInternal(const std::string& hostname, chain_flags, NULL, // reserved &chain_context)) { + verify_result->cert_status |= CERT_STATUS_INVALID; return MapSecurityError(GetLastError()); } @@ -884,6 +885,7 @@ int X509Certificate::VerifyInternal(const std::string& hostname, chain_flags, NULL, // reserved &chain_context)) { + verify_result->cert_status |= CERT_STATUS_INVALID; return MapSecurityError(GetLastError()); } } @@ -894,14 +896,6 @@ int X509Certificate::VerifyInternal(const std::string& hostname, verify_result->cert_status |= MapCertChainErrorStatusToCertStatus( chain_context->TrustStatus.dwErrorStatus); - // Treat certificates signed using broken signature algorithms as invalid. - if (verify_result->has_md4) - verify_result->cert_status |= CERT_STATUS_INVALID; - - // Flag certificates signed using weak signature algorithms. - if (verify_result->has_md2) - verify_result->cert_status |= CERT_STATUS_WEAK_SIGNATURE_ALGORITHM; - // Flag certificates that have a Subject common name with a NULL character. if (CertSubjectCommonNameHasNull(cert_handle_)) verify_result->cert_status |= CERT_STATUS_INVALID; |