aboutsummaryrefslogtreecommitdiffstats
path: root/src/cert/x509/x509path.cpp
diff options
context:
space:
mode:
authorlloyd <[email protected]>2012-07-27 17:30:13 +0000
committerlloyd <[email protected]>2012-07-27 17:30:13 +0000
commit4d0008edca9d3c0a119518e7d9b49c81d7dbe33c (patch)
treec359b14f9f0a0a495fea6eb241cb082fd0dc0717 /src/cert/x509/x509path.cpp
parent16ccb3c130ad29aee2e640d498606314ac486f55 (diff)
Add Public_Key::estimated_strength which gives an approximation of how
hard that key is to break. Use it in cert path validation, rejecting keys with estimated strength less than 80 bits.
Diffstat (limited to 'src/cert/x509/x509path.cpp')
-rw-r--r--src/cert/x509/x509path.cpp26
1 files changed, 18 insertions, 8 deletions
diff --git a/src/cert/x509/x509path.cpp b/src/cert/x509/x509path.cpp
index 66ba142d0..7d6108ffa 100644
--- a/src/cert/x509/x509path.cpp
+++ b/src/cert/x509/x509path.cpp
@@ -72,8 +72,10 @@ std::vector<X509_CRL> find_crls_from(const X509_Certificate& cert,
}
-Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev) :
- m_require_revocation_information(require_rev)
+Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev,
+ size_t key_strength) :
+ m_require_revocation_information(require_rev),
+ m_minimum_key_strength(key_strength)
{
m_trusted_hashes.insert("SHA-160");
m_trusted_hashes.insert("SHA-224");
@@ -96,7 +98,7 @@ std::set<std::string> Path_Validation_Result::trusted_hashes() const
}
std::string Path_Validation_Result::result_string() const
- {
+ {
switch(m_result)
{
case VERIFIED:
@@ -109,6 +111,9 @@ std::string Path_Validation_Result::result_string() const
return "certificate chain too long";
case SIGNATURE_ERROR:
return "signature error";
+ case SIGNATURE_METHOD_TOO_WEAK:
+ return "signature method too weak";
+
case POLICY_ERROR:
return "policy error";
case INVALID_USAGE:
@@ -142,11 +147,11 @@ std::string Path_Validation_Result::result_string() const
return "CA certificate not allowed to issue certs";
case CA_CERT_NOT_FOR_CRL_ISSUER:
return "CA certificate not allowed to issue CRLs";
-
- default:
- return "Unknown code " + std::to_string(m_result);
}
- }
+
+ // default case
+ return "Unknown code " + std::to_string(m_result);
+ }
Path_Validation_Result x509_path_validate(
const X509_Certificate& end_cert,
@@ -244,8 +249,13 @@ Path_Validation_Result x509_path_validate(
if(issuer.path_limit() < i)
throw PKIX_Validation_Failure(Path_Validation_Result::CERT_CHAIN_TOO_LONG);
- if(subject.check_signature(issuer.subject_public_key()) == false)
+ std::unique_ptr<Public_Key> issuer_key(issuer.subject_public_key());
+
+ if(subject.check_signature(*issuer_key) == false)
throw PKIX_Validation_Failure(Path_Validation_Result::SIGNATURE_ERROR);
+
+ if(issuer_key->estimated_strength() < restrictions.minimum_key_strength())
+ throw PKIX_Validation_Failure(Path_Validation_Result::SIGNATURE_METHOD_TOO_WEAK);
}
for(size_t i = 1; i != cert_path.size(); ++i)