Add Public_Key::estimated_strength which gives an approximation of how

hard that key is to break. Use it in cert path validation, rejecting keys with estimated strength less than 80 bits.
author: lloyd <[email protected]> 2012-07-27 17:30:13 +0000
committer: lloyd <[email protected]> 2012-07-27 17:30:13 +0000
commit: 4d0008edca9d3c0a119518e7d9b49c81d7dbe33c (patch)
tree: c359b14f9f0a0a495fea6eb241cb082fd0dc0717 /src/cert/x509
parent: 16ccb3c130ad29aee2e640d498606314ac486f55 (diff)
2 files changed, 33 insertions, 13 deletions
diff --git a/src/cert/x509/x509path.cpp b/src/cert/x509/x509path.cpp
index 66ba142d0..7d6108ffa 100644
--- a/src/cert/x509/x509path.cpp
+++ b/src/cert/x509/x509path.cpp
@@ -72,8 +72,10 @@ std::vector<X509_CRL> find_crls_from(const X509_Certificate& cert,
 
 }
 
-Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev) :
-   m_require_revocation_information(require_rev)
+Path_Validation_Restrictions::Path_Validation_Restrictions(bool require_rev,
+                                                           size_t key_strength) :
+   m_require_revocation_information(require_rev),
+   m_minimum_key_strength(key_strength)
    {
    m_trusted_hashes.insert("SHA-160");
    m_trusted_hashes.insert("SHA-224");
@@ -96,7 +98,7 @@ std::set<std::string> Path_Validation_Result::trusted_hashes() const
    }
 
 std::string Path_Validation_Result::result_string() const
-    {
+   {
    switch(m_result)
       {
       case VERIFIED:
@@ -109,6 +111,9 @@ std::string Path_Validation_Result::result_string() const
          return "certificate chain too long";
       case SIGNATURE_ERROR:
          return "signature error";
+      case SIGNATURE_METHOD_TOO_WEAK:
+         return "signature method too weak";
+
       case POLICY_ERROR:
          return "policy error";
       case INVALID_USAGE:
@@ -142,11 +147,11 @@ std::string Path_Validation_Result::result_string() const
          return "CA certificate not allowed to issue certs";
       case CA_CERT_NOT_FOR_CRL_ISSUER:
          return "CA certificate not allowed to issue CRLs";
-
-      default:
-         return "Unknown code " + std::to_string(m_result);
       }
-    }
+
+   // default case
+   return "Unknown code " + std::to_string(m_result);
+   }
 
 Path_Validation_Result x509_path_validate(
    const X509_Certificate& end_cert,
@@ -244,8 +249,13 @@ Path_Validation_Result x509_path_validate(
          if(issuer.path_limit() < i)
             throw PKIX_Validation_Failure(Path_Validation_Result::CERT_CHAIN_TOO_LONG);
 
-         if(subject.check_signature(issuer.subject_public_key()) == false)
+         std::unique_ptr<Public_Key> issuer_key(issuer.subject_public_key());
+
+         if(subject.check_signature(*issuer_key) == false)
             throw PKIX_Validation_Failure(Path_Validation_Result::SIGNATURE_ERROR);
+
+         if(issuer_key->estimated_strength() < restrictions.minimum_key_strength())
+            throw PKIX_Validation_Failure(Path_Validation_Result::SIGNATURE_METHOD_TOO_WEAK);
          }
 
       for(size_t i = 1; i != cert_path.size(); ++i)
diff --git a/src/cert/x509/x509path.h b/src/cert/x509/x509path.h
index 21b808073..ae28599b0 100644
--- a/src/cert/x509/x509path.h
+++ b/src/cert/x509/x509path.h
@@ -17,21 +17,29 @@ namespace Botan {
 class BOTAN_DLL Path_Validation_Restrictions
    {
    public:
-   Path_Validation_Restrictions(bool require_rev = false);
+      Path_Validation_Restrictions(bool require_rev = false,
+                                   size_t minimum_key_strength = 80);
 
-   Path_Validation_Restrictions(bool require_rev,
-                                const std::set<std::string>& trusted_hashes) :
-      m_require_revocation_information(require_rev),
-      m_trusted_hashes(trusted_hashes) {}
+      Path_Validation_Restrictions(bool require_rev,
+                                   size_t minimum_key_strength,
+                                   const std::set<std::string>& trusted_hashes) :
+         m_require_revocation_information(require_rev),
+         m_trusted_hashes(trusted_hashes),
+         m_minimum_key_strength(minimum_key_strength) {}
 
       bool require_revocation_information() const
          { return m_require_revocation_information; }
 
       const std::set<std::string>& trusted_hashes() const
          { return m_trusted_hashes; }
+
+      size_t minimum_key_strength() const
+         { return m_minimum_key_strength; }
+
    private:
       bool m_require_revocation_information;
       std::set<std::string> m_trusted_hashes;
+      size_t m_minimum_key_strength;
    };
 
 class BOTAN_DLL Path_Validation_Result
@@ -48,6 +56,8 @@ class BOTAN_DLL Path_Validation_Result
          SIGNATURE_ERROR,
          POLICY_ERROR,
          INVALID_USAGE,
+
+         SIGNATURE_METHOD_TOO_WEAK,
          UNTRUSTED_HASH,
 
          CERT_MULTIPLE_ISSUERS_FOUND,
author	lloyd <[email protected]>	2012-07-27 17:30:13 +0000
committer	lloyd <[email protected]>	2012-07-27 17:30:13 +0000
commit	4d0008edca9d3c0a119518e7d9b49c81d7dbe33c (patch)
tree	c359b14f9f0a0a495fea6eb241cb082fd0dc0717 /src/cert/x509
parent	16ccb3c130ad29aee2e640d498606314ac486f55 (diff)