wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Bug 1139177 - RSA public key size checking cleanups. r=keeler

Browse Source
This commit is contained in:
Cykesiopka 2015-03-05 16:41:00 +01:00
parent 52f2b50487
commit fa772c674c
8 changed files with 24 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
config/external/nss/nss.def vendored
View File

@ -525,7 +525,6 @@ SECKEY_ExtractPublicKey
SECKEY_GetPublicKeyType
SECKEY_ImportDERPublicKey
SECKEY_PublicKeyStrength
SECKEY_PublicKeyStrengthInBits
SECKEY_RSAPSSParamsTemplate DATA
SECKEY_SignatureLen
SECMIME_DecryptionAllowed

8
security/apps/AppTrustDomain.cpp
View File

@ -30,14 +30,14 @@ using namespace mozilla::pkix;
extern PRLogModuleInfo* gPIPNSSLog;
#endif
static const unsigned int DEFAULT_MINIMUM_NON_ECC_BITS = 2048;
static const unsigned int DEFAULT_MIN_RSA_BITS = 2048;
namespace mozilla { namespace psm {
AppTrustDomain::AppTrustDomain(ScopedCERTCertList& certChain, void* pinArg)
: mCertChain(certChain)
, mPinArg(pinArg)
, mMinimumNonECCBits(DEFAULT_MINIMUM_NON_ECC_BITS)
, mMinRSABits(DEFAULT_MIN_RSA_BITS)
{
}
@ -75,7 +75,7 @@ AppTrustDomain::SetTrustedRoot(AppTrustedRoot trustedRoot)
trustedDER.data = const_cast<uint8_t*>(marketplaceStageRoot);
trustedDER.len = mozilla::ArrayLength(marketplaceStageRoot);
// The staging root was generated with a 1024-bit key.
mMinimumNonECCBits = 1024u;
mMinRSABits = 1024u;
break;
case nsIX509CertDB::AppXPCShellRoot:
@ -254,7 +254,7 @@ Result
AppTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits)
{
if (modulusSizeInBits < mMinimumNonECCBits) {
if (modulusSizeInBits < mMinRSABits) {
return Result::ERROR_INADEQUATE_KEY_SIZE;
}
return Success;

2
security/apps/AppTrustDomain.h
View File

@ -61,7 +61,7 @@ private:
/*out*/ ScopedCERTCertList& mCertChain;
void* mPinArg; // non-owning!
ScopedCERTCertificate mTrustedRoot;
unsigned int mMinimumNonECCBits;
unsigned int mMinRSABits;
};
} } // namespace mozilla::psm

34
security/certverifier/CertVerifier.cpp
View File

@ -156,8 +156,8 @@ BuildCertChainForOneKeyUsage(NSSCertDBTrustDomain& trustDomain, Input certDER,
return rv;
}
static const unsigned int MINIMUM_NON_ECC_BITS = 2048;
static const unsigned int MINIMUM_NON_ECC_BITS_WEAK = 1024;
static const unsigned int MIN_RSA_BITS = 2048;
static const unsigned int MIN_RSA_BITS_WEAK = 1024;
SECStatus
CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
@ -240,8 +240,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
// just use trustEmail as it is the closest alternative.
NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
pinArg, ocspGETConfig, pinningDisabled,
MINIMUM_NON_ECC_BITS_WEAK, nullptr,
builtChain);
MIN_RSA_BITS_WEAK, nullptr, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@ -267,7 +266,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
? NSSCertDBTrustDomain::LocalOnlyOCSPForEV
: NSSCertDBTrustDomain::FetchOCSPForEV,
mOCSPCache, pinArg, ocspGETConfig, mPinningMode,
MINIMUM_NON_ECC_BITS, hostname, builtChain);
MIN_RSA_BITS, hostname, builtChain);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature,// (EC)DHE
KeyUsage::keyEncipherment, // RSA
@ -292,8 +291,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
// Now try non-EV.
NSSCertDBTrustDomain trustDomain(trustSSL, ocspFetching, mOCSPCache,
pinArg, ocspGETConfig, mPinningMode,
MINIMUM_NON_ECC_BITS, hostname,
builtChain);
MIN_RSA_BITS, hostname, builtChain);
rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
KeyUsage::digitalSignature, // (EC)DHE
KeyUsage::keyEncipherment, // RSA
@ -312,7 +310,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
// If that failed, try again with a smaller minimum key size.
NSSCertDBTrustDomain trustDomainWeak(trustSSL, ocspFetching, mOCSPCache,
pinArg, ocspGETConfig, mPinningMode,
MINIMUM_NON_ECC_BITS_WEAK, hostname,
MIN_RSA_BITS_WEAK, hostname,
builtChain);
rv = BuildCertChainForOneKeyUsage(trustDomainWeak, certDER, time,
KeyUsage::digitalSignature, // (EC)DHE
@ -336,8 +334,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
case certificateUsageSSLCA: {
NSSCertDBTrustDomain trustDomain(trustSSL, ocspFetching, mOCSPCache,
pinArg, ocspGETConfig, pinningDisabled,
MINIMUM_NON_ECC_BITS_WEAK, nullptr,
builtChain);
MIN_RSA_BITS_WEAK, nullptr, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeCA, KeyUsage::keyCertSign,
KeyPurposeId::id_kp_serverAuth,
@ -348,8 +345,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
case certificateUsageEmailSigner: {
NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
pinArg, ocspGETConfig, pinningDisabled,
MINIMUM_NON_ECC_BITS_WEAK, nullptr,
builtChain);
MIN_RSA_BITS_WEAK, nullptr, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@ -371,8 +367,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
// based on the result of the verification(s).
NSSCertDBTrustDomain trustDomain(trustEmail, ocspFetching, mOCSPCache,
pinArg, ocspGETConfig, pinningDisabled,
MINIMUM_NON_ECC_BITS_WEAK, nullptr,
builtChain);
MIN_RSA_BITS_WEAK, nullptr, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::keyEncipherment, // RSA
@ -392,8 +387,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain trustDomain(trustObjectSigning, ocspFetching,
mOCSPCache, pinArg, ocspGETConfig,
pinningDisabled,
MINIMUM_NON_ECC_BITS_WEAK, nullptr,
builtChain);
MIN_RSA_BITS_WEAK, nullptr, builtChain);
rv = BuildCertChain(trustDomain, certDER, time,
EndEntityOrCA::MustBeEndEntity,
KeyUsage::digitalSignature,
@ -422,16 +416,14 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
NSSCertDBTrustDomain sslTrust(trustSSL, ocspFetching, mOCSPCache, pinArg,
ocspGETConfig, pinningDisabled,
MINIMUM_NON_ECC_BITS_WEAK, nullptr,
builtChain);
MIN_RSA_BITS_WEAK, nullptr, builtChain);
rv = BuildCertChain(sslTrust, certDER, time, endEntityOrCA,
keyUsage, eku, CertPolicyId::anyPolicy,
stapledOCSPResponse);
if (rv == Result::ERROR_UNKNOWN_ISSUER) {
NSSCertDBTrustDomain emailTrust(trustEmail, ocspFetching, mOCSPCache,
pinArg, ocspGETConfig, pinningDisabled,
MINIMUM_NON_ECC_BITS_WEAK, nullptr,
builtChain);
MIN_RSA_BITS_WEAK, nullptr, builtChain);
rv = BuildCertChain(emailTrust, certDER, time, endEntityOrCA,
keyUsage, eku, CertPolicyId::anyPolicy,
stapledOCSPResponse);
@ -440,7 +432,7 @@ CertVerifier::VerifyCert(CERTCertificate* cert, SECCertificateUsage usage,
ocspFetching, mOCSPCache,
pinArg, ocspGETConfig,
pinningDisabled,
MINIMUM_NON_ECC_BITS_WEAK,
MIN_RSA_BITS_WEAK,
nullptr, builtChain);
rv = BuildCertChain(objectSigningTrust, certDER, time,
endEntityOrCA, keyUsage, eku,

6
security/certverifier/NSSCertDBTrustDomain.cpp
View File

@ -53,7 +53,7 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
/*optional but shouldn't be*/ void* pinArg,
CertVerifier::OcspGetConfig ocspGETConfig,
CertVerifier::PinningMode pinningMode,
unsigned int minimumNonECCKeyBits,
unsigned int minRSABits,
/*optional*/ const char* hostname,
/*optional*/ ScopedCERTCertList* builtChain)
: mCertDBTrustType(certDBTrustType)
@ -62,7 +62,7 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
, mPinArg(pinArg)
, mOCSPGetConfig(ocspGETConfig)
, mPinningMode(pinningMode)
, mMinimumNonECCBits(minimumNonECCKeyBits)
, mMinRSABits(minRSABits)
, mHostname(hostname)
, mBuiltChain(builtChain)
, mCertBlocklist(do_GetService(NS_CERTBLOCKLIST_CONTRACTID))
@ -720,7 +720,7 @@ Result
NSSCertDBTrustDomain::CheckRSAPublicKeyModulusSizeInBits(
EndEntityOrCA /*endEntityOrCA*/, unsigned int modulusSizeInBits)
{
if (modulusSizeInBits < mMinimumNonECCBits) {
if (modulusSizeInBits < mMinRSABits) {
return Result::ERROR_INADEQUATE_KEY_SIZE;
}
return Success;

4
security/certverifier/NSSCertDBTrustDomain.h
View File

@ -56,7 +56,7 @@ public:
OCSPCache& ocspCache, void* pinArg,
CertVerifier::OcspGetConfig ocspGETConfig,
CertVerifier::PinningMode pinningMode,
unsigned int minimumNonECCKeyBits,
unsigned int minRSABits,
/*optional*/ const char* hostname = nullptr,
/*optional out*/ ScopedCERTCertList* builtChain = nullptr);
@ -130,7 +130,7 @@ private:
void* mPinArg; // non-owning!
const CertVerifier::OcspGetConfig mOCSPGetConfig;
CertVerifier::PinningMode mPinningMode;
const unsigned int mMinimumNonECCBits;
const unsigned int mMinRSABits;
const char* mHostname; // non-owning - only used for pinning checks
ScopedCERTCertList* mBuiltChain; // non-owning
nsCOMPtr<nsICertBlocklist> mCertBlocklist;

3
security/manager/ssl/tests/unit/test_keysize/generate.py Normal file → Executable file
View File

@ -245,9 +245,6 @@ def generate_combination_chains():
# Create a NSS DB for use by the OCSP responder.
CertUtils.init_nss_db(srcdir)
# TODO(bug 636807): SECKEY_PublicKeyStrengthInBits() rounds up the number of
# bits to the next multiple of 8 - therefore the highest key size less than 1024
# that can be tested is 1016, less than 2048 is 2040 and so on.
generate_rsa_chains('1016', '1024', False)
generate_rsa_chains('2040', '2048', True)
generate_ecc_chains()

2
security/manager/ssl/tests/unit/test_keysize_ev.js
View File

@ -85,7 +85,7 @@ function addKeySizeTestForEV(expectedNamesForOCSP,
* none of the chains validate as EV.
*
* Note: This function assumes that the key size requirements for EV are greater
* than or equal to the requirements for DV.
* than the requirements for DV.
*
* @param {Number} inadequateKeySize
* The inadequate key size of the generated certs.