Add some policy controls for VerifySignedData().

net/cert/internal/signature_policy.cc

Index: net/cert/internal/signature_policy.cc
diff --git a/net/cert/internal/signature_policy.cc b/net/cert/internal/signature_policy.cc
new file mode 100644
index 0000000000000000000000000000000000000000..1c13e2e95e0a6757786c5eff21387a59ec50c43e
--- /dev/null
+++ b/net/cert/internal/signature_policy.cc
@@ -0,0 +1,45 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/internal/signature_policy.h"
+
+#include "base/logging.h"
+
+#if defined(USE_OPENSSL)
+#include <openssl/obj_mac.h>

[davidben, 2015/08/03 18:52:48]

Better to include obj.h I think. obj_mac.h is really weird and lacks an #include
guard.

(It's not clear there's a good reason for this and we can probably just make
that header standalone, but it currently isn't.)

[eroman, 2015/08/06 21:15:38]

Done.

+#endif
+
+namespace net {
+
+bool SignaturePolicy::IsAcceptableSignatureAlgorithm(
+    const SignatureAlgorithm& algorithm) const {
+  return true;
+}
+
+bool SignaturePolicy::IsAcceptableCurveForEcdsa(int curve_nid) const {
+#if defined(USE_OPENSSL)
+  switch (curve_nid) {
+    case NID_X9_62_prime256v1:
+    case NID_secp384r1:
+    case NID_secp521r1:
+      return true;
+  }
+#endif
+  return false;
+}
+
+bool SignaturePolicy::IsAcceptableModulusLengthForRsa(
+    size_t modulus_length_bits) const {
+  return modulus_length_bits >= 2048;
+}
+
+SimpleSignaturePolicy::SimpleSignaturePolicy(size_t min_rsa_modulus_length_bits)
+    : min_rsa_modulus_length_bits_(min_rsa_modulus_length_bits) {}
+
+bool SimpleSignaturePolicy::IsAcceptableModulusLengthForRsa(
+    size_t modulus_length_bits) const {
+  return modulus_length_bits >= min_rsa_modulus_length_bits_;
+}
+
+}  // namespace net