CertVerifyProcBuiltin can fail with ERR_CERT_WEAK_SIGNATURE_ALGORITHM when a better intermediate can be found by AIA
Issue description

Example weak chain that uses a SHA1 intermediate (D1BA58DEC4A4643BCD0A1111872474EC7928041BFAC7B53D24972BECFA2B871A):

9E0000A1BF0F495AFCA93C2DA4F1178CEE7F49A82A1E5D8674B1E991586084FF  *.tpp.ir
D1BA58DEC4A4643BCD0A1111872474EC7928041BFAC7B53D24972BECFA2B871A  EAEko Herri Administrazioen CA - CA AAPP Vascas (2)
2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F  Izenpe.com

Path building should find the better chain:

9E0000A1BF0F495AFCA93C2DA4F1178CEE7F49A82A1E5D8674B1E991586084FF  *.tpp.ir
CD6EB937EE17A9FCFF60A790F8BDE0CA9ABCA07B3EF46074DD1978F0BCA4D449  EAEko Herri Administrazioen CA - CA AAPP Vascas (2)
2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F  Izenpe.com
Jun 9 2018

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2e02b3539b855f8ac5d7a0247ee00c06fa2142b7

commit 2e02b3539b855f8ac5d7a0247ee00c06fa2142b7
Author: Eric Roman <eroman@chromium.org>
Date: Sat Jun 09 01:46:56 2018

Remove an unnecessary ThreadChecker from NSS's OCSPIOLoop.

The DCHECK() interacts poorly with testing as the OCSPIOLoop is a singleton but tests might need to call SetURLRequestContextForNSSHttpIO() multiple times. The same check can instead be done using its |io_task_runner_|.

Bug: 845652
Change-Id: I149076cd4b55a7c1111ae3578e0d87799d141db4
Reviewed-on: https://chromium-review.googlesource.com/1093313
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#565813}

[modify] https://crrev.com/2e02b3539b855f8ac5d7a0247ee00c06fa2142b7/net/cert_net/nss_ocsp.cc
Jun 29 2018

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f4cf7865ec8001871e9ebbcadf7d81e2163d9b28

commit f4cf7865ec8001871e9ebbcadf7d81e2163d9b28
Author: Eric Roman <eroman@chromium.org>
Date: Fri Jun 29 20:20:17 2018

Add testing support for AIA to cert_verify_proc_unittest.cc.

The approach taken is to generate the certificate chain from C++, and have any URLs point at an instance of the EmbeddedTestServer. Using live URLs for the certificate has the advantage of working for platform verifiers, for which we can't directly mock network responses.

Bug: 845652
Change-Id: Id38df93b81b4380256dbc11e9a46345c37c99c90
Reviewed-on: https://chromium-review.googlesource.com/1093736
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571609}

[modify] https://crrev.com/f4cf7865ec8001871e9ebbcadf7d81e2163d9b28/net/cert/cert_verify_proc_unittest.cc
Jul 2

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8d395ba07308f7f46011f3ac42d91498e90b8c28

commit 8d395ba07308f7f46011f3ac42d91498e90b8c28
Author: Eric Roman <eroman@chromium.org>
Date: Mon Jul 02 21:17:23 2018

Change the order of path building attempts in CertVerifyProcBuiltin to favor certificates with strong signature algorithms, even if that means needing to chase AIA.

The initial attempts at path building for EV and DV now disallow SHA1, which forces path building to consider AIA. In the absence of a strong certificate chain, a weaker one will still be returned as before.

Bug: 845652
Change-Id: Ibfb16fd266b3aa03708fd8d33d0716af31273612
Reviewed-on: https://chromium-review.googlesource.com/1091798
Commit-Queue: Eric Roman <eroman@chromium.org>
Reviewed-by: Matt Mueller <mattm@chromium.org>
Reviewed-by: Doug Steedman <dougsteed@chromium.org>
Cr-Commit-Position: refs/heads/master@{#572001}

[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/components/cast_certificate/cast_cert_validator.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/components/cast_certificate/cast_crl.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/cert_verify_proc_builtin.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/cert_verify_proc_unittest.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/path_builder.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/path_builder.h
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/path_builder_pkits_unittest.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/path_builder_unittest.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/path_builder_verify_certificate_chain_unittest.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/simple_path_builder_delegate.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/simple_path_builder_delegate.h
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/simple_path_builder_delegate_unittest.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/verify_certificate_chain_pkits_unittest.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/cert/internal/verify_certificate_chain_unittest.cc
[modify] https://crrev.com/8d395ba07308f7f46011f3ac42d91498e90b8c28/net/tools/cert_verify_tool/verify_using_path_builder.cc
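The ordering change described in the commit above, modelled as a toy path builder. This is an added example written for this page, not Chromium code: it chains certificates by issuer/subject name only (no real signature verification), uses the certificate names and SHA-256 fingerprints listed in the issue, and assumes an AIA caIssuers URL on the leaf and a mocked fetcher for it. The "before" verifier accepts the first path that chains and only then applies the signature-algorithm policy, so the locally supplied SHA1 intermediate wins and AIA is never consulted; the "after" verifier first builds with SHA1 disallowed, which makes the search backtrack and chase AIA, and falls back to the weak path only when no strong one exists.

```python
"""Toy model of CertVerifyProcBuiltin's path-building order, before and after
the fix.  Constructed for this page; not Chromium code.  Name chaining stands
in for signature verification.  Fingerprints are the ones listed in the issue;
the AIA URL, each certificate's signature algorithm, and which certificates are
available locally versus via AIA are assumptions."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

WEAK_ALGS = {"sha1WithRSAEncryption"}


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str               # SHA-256 of the DER encoding (from the issue)
    sig_alg: str                   # algorithm the issuer used to sign this cert
    aia_url: Optional[str] = None  # caIssuers URL (assumed) pointing at the issuer


AIA_URL = "http://aia.example.invalid/ca-aapp-vascas-2.crt"  # assumed

LEAF = Cert("*.tpp.ir", "CA AAPP Vascas (2)",
            "9E0000A1BF0F495AFCA93C2DA4F1178CEE7F49A82A1E5D8674B1E991586084FF",
            "sha256WithRSAEncryption", aia_url=AIA_URL)
# Two intermediates for the same CA key: the SHA1-signed one the server sends,
# and a SHA-256-signed reissue that is only reachable through AIA.
INTERMEDIATE_SHA1 = Cert("CA AAPP Vascas (2)", "Izenpe.com",
                         "D1BA58DEC4A4643BCD0A1111872474EC7928041BFAC7B53D24972BECFA2B871A",
                         "sha1WithRSAEncryption")
INTERMEDIATE_SHA256 = Cert("CA AAPP Vascas (2)", "Izenpe.com",
                           "CD6EB937EE17A9FCFF60A790F8BDE0CA9ABCA07B3EF46074DD1978F0BCA4D449",
                           "sha256WithRSAEncryption")
ROOT = Cert("Izenpe.com", "Izenpe.com",
            "2530CC8E98321502BAD96F9B1FBA1B099E2D299E0F4548BB914F363BC0D4531F",
            "sha256WithRSAEncryption")

Fetcher = Callable[[str], List[Cert]]


def build_path(leaf: Cert, anchors: List[Cert], supplied: List[Cert],
               aia_fetch: Fetcher, allow_weak: bool) -> Optional[List[Cert]]:
    """Depth-first search from the leaf to a trust anchor.

    Issuer candidates are tried in order: trust anchors, certificates supplied
    with the handshake, then certificates fetched from the AIA URL (fetched
    lazily, only once the local candidates are exhausted).  With allow_weak
    False, a certificate signed with a weak algorithm is rejected outright,
    so the search backtracks and keeps looking rather than returning it."""
    def candidate_issuers(cert: Cert):
        for c in anchors + supplied:
            if c.subject == cert.issuer:
                yield c
        if cert.aia_url:
            for c in aia_fetch(cert.aia_url):
                if c.subject == cert.issuer:
                    yield c

    def extend(path: List[Cert]) -> Optional[List[Cert]]:
        cert = path[-1]
        if cert in anchors:
            return path
        if not allow_weak and cert.sig_alg in WEAK_ALGS:
            return None
        for issuer in candidate_issuers(cert):
            if issuer in path:          # avoid loops
                continue
            result = extend(path + [issuer])
            if result:
                return result
        return None

    return extend([leaf])


def verify_before_fix(leaf, anchors, supplied, aia_fetch) -> Tuple[Optional[List[Cert]], str]:
    """Old order: take the first path that chains, then apply the policy to it."""
    path = build_path(leaf, anchors, supplied, aia_fetch, allow_weak=True)
    if path is None:
        return None, "ERR_CERT_AUTHORITY_INVALID"
    if any(c.sig_alg in WEAK_ALGS for c in path if c not in anchors):
        return path, "ERR_CERT_WEAK_SIGNATURE_ALGORITHM"
    return path, "OK"


def verify_after_fix(leaf, anchors, supplied, aia_fetch) -> Tuple[Optional[List[Cert]], str]:
    """New order: first attempt disallows SHA1 (forcing AIA); if no strong path
    exists, the weak path is still returned with the same error as before."""
    path = build_path(leaf, anchors, supplied, aia_fetch, allow_weak=False)
    if path:
        return path, "OK"
    return verify_before_fix(leaf, anchors, supplied, aia_fetch)


def run_scenario(fixed: bool, aia_available: bool) -> Tuple[List[str], str, int]:
    """Returns (fingerprints of the chosen path, status, number of AIA fetches)."""
    fetches: List[str] = []

    def aia_fetch(url: str) -> List[Cert]:   # mocked network fetch
        fetches.append(url)
        return [INTERMEDIATE_SHA256] if aia_available and url == AIA_URL else []

    verify = verify_after_fix if fixed else verify_before_fix
    path, status = verify(LEAF, [ROOT], [INTERMEDIATE_SHA1], aia_fetch)
    return [c.fingerprint for c in path] if path else [], status, len(fetches)


if __name__ == "__main__":
    for fixed, aia in ((False, True), (True, True), (True, False)):
        fps, status, n = run_scenario(fixed, aia)
        print(f"fixed={fixed} aia={aia}: {status}, {n} AIA fetch(es)")
        for fp in fps:
            print("   ", fp)
```

Running the three scenarios shows the behaviour the commit describes: before the fix the SHA1 path is returned with ERR_CERT_WEAK_SIGNATURE_ALGORITHM and zero AIA fetches; after the fix the CD6E... intermediate is fetched and the chain verifies cleanly; and when the AIA fetch yields nothing, the weak chain is still returned with the same error rather than a hard failure.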
Comment 1 by eroman@chromium.org, Jun 7 2018