authorCykesiopka <cykesiopka.bmo@gmail.com>2015-01-21 17:20:16 -0800
committerCykesiopka <cykesiopka.bmo@gmail.com>2015-01-21 17:20:16 -0800
commited8375380651de9c1dc08753f2afd2dc9811f67c (patch)
tree6f57afbf49731fda1d8e40ec1a467be6ff3ee235 /lib/mozpkix/lib/pkixnss.cpp
parent614b15e0dfd60638a83006c7a9a4a4d0d9a30169 (diff)
Bug 1077790 - Make mozilla::pkix::CheckPublicKeySize() accept specific elliptic curves only. r=briansmith
Diffstat (limited to 'lib/mozpkix/lib/pkixnss.cpp')
-rw-r--r--lib/mozpkix/lib/pkixnss.cpp36
1 files changed, 35 insertions, 1 deletions
diff --git a/lib/mozpkix/lib/pkixnss.cpp b/lib/mozpkix/lib/pkixnss.cpp
index a3e355334..0e407ce4c 100644
--- a/lib/mozpkix/lib/pkixnss.cpp
+++ b/lib/mozpkix/lib/pkixnss.cpp
@@ -32,6 +32,7 @@
#include "pk11pub.h"
#include "pkix/pkix.h"
#include "pkix/ScopedPtr.h"
+#include "pkixder.h"
#include "secerr.h"
#include "sslerr.h"
@@ -57,8 +58,41 @@ CheckPublicKeySize(Input subjectPublicKeyInfo, unsigned int minimumNonECCBits,
switch (publicKey.get()->keyType) {
case ecKey:
- // TODO(bug 1077790): We should check which curve.
+ {
+ SECKEYECParams* encodedParams = &publicKey.get()->u.ec.DEREncodedParams;
+ if (!encodedParams) {
+ return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+ }
+
+ Input input;
+ Result rv = input.Init(encodedParams->data, encodedParams->len);
+ if (rv != Success) {
+ return rv;
+ }
+
+ Reader reader(input);
+ NamedCurve namedCurve;
+ rv = der::NamedCurveOID(reader, namedCurve);
+ if (rv != Success) {
+ return rv;
+ }
+
+ rv = der::End(reader);
+ if (rv != Success) {
+ return rv;
+ }
+
+ switch (namedCurve) {
+ case NamedCurve::secp256r1: // fall through
+ case NamedCurve::secp384r1: // fall through
+ case NamedCurve::secp521r1:
+ break;
+ default:
+ return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE;
+ }
+
return Success;
+ }
case rsaKey:
if (SECKEY_PublicKeyStrengthInBits(publicKey.get()) < minimumNonECCBits) {
return Result::ERROR_INADEQUATE_KEY_SIZE;
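Review bot: The `if (!encodedParams)` guard in the `ecKey` case can never fire, because `encodedParams` is the address of the `DEREncodedParams` member inside the key and so is never null. Absent or empty curve parameters are therefore not rejected at that point, and the code depends on `input.Init` and `der::NamedCurveOID` failing on them. If the intent is to reject missing parameters explicitly, test the item's contents instead: `if (!encodedParams->data || encodedParams->len == 0) { return Result::ERROR_UNSUPPORTED_ELLIPTIC_CURVE; }`. Failures from `der::NamedCurveOID` and `der::End` are returned as-is, so a curve encoding the parser does not recognise presumably surfaces as a DER error rather than `ERROR_UNSUPPORTED_ELLIPTIC_CURVE`; a one-line comment stating which is intended would help callers that map these codes. `CheckPublicKeySize` begins and ends outside this hunk.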