Update NSS to 3.21 RTM and NSPR to 4.11 RTM

nss/lib/certhigh/certvfy.c

Index: nss/lib/certhigh/certvfy.c
diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c
index c9d26f0d9467fc0040f0a6b0c92866e1488bf2d3..855a62d25c11c99837b9bbcc868e548ba22e2d63 100644
--- a/nss/lib/certhigh/certvfy.c
+++ b/nss/lib/certhigh/certvfy.c
@@ -6,7 +6,6 @@
 #include "secport.h"
 #include "seccomon.h"
 #include "secoid.h"
-#include "sslerr.h"
 #include "genname.h"
 #include "keyhi.h"
 #include "cert.h"
@@ -25,6 +24,7 @@
 #include "pkim.h"
 #include "pki3hack.h"
 #include "base.h"
+#include "keyhi.h"
 
 #ifdef NSS_DISABLE_LIBPKIX
 SECStatus
@@ -77,6 +77,94 @@ CERT_CertTimesValid(CERTCertificate *c)
     return (valid == secCertTimeValid) ? SECSuccess : SECFailure;
 }
 
+SECStatus checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
+{
+    SECStatus        rv;
+    SECOidTag sigAlg;
+    SECOidTag curve;
+    PRUint32 policyFlags = 0;
+    PRInt32 minLen, len;
+
+    sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm);
+
+    switch(sigAlg) {
+        case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:
+	case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:
+	    if (key->keyType != ecKey) {
+		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+		return SECFailure;
+	    }
+
+            curve = SECKEY_GetECCOid(&key->u.ec.DEREncodedParams);
+	    if (curve != 0) {
+	        if (NSS_GetAlgorithmPolicy(curve, &policyFlags) == SECFailure ||
+	            !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+	            PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+		    return SECFailure;
+		} else {
+		    return SECSuccess;
+                }
+            } else {
+		PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+		return SECFailure;
+	    }
+            return SECSuccess;
+	case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION:
+	case SEC_OID_PKCS1_RSA_PSS_SIGNATURE:
+	case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE:
+	case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE:
+	    if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
+		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+		return SECFailure;
+	    }
+
+            len = 8 * key->u.rsa.modulus.len;
+
+            rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minLen);
+            if (rv != SECSuccess) {
+                return SECFailure;
+	    }
+
+            if (len < minLen) {
+                return SECFailure;
+	    }
+
+            return SECSuccess;
+	case SEC_OID_ANSIX9_DSA_SIGNATURE:
+	case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+	case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:
+	case SEC_OID_SDN702_DSA_SIGNATURE:
+	case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:
+	case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:
+	    if (key->keyType != dsaKey) {
+		PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+		return SECFailure;
+	    }
+
+            len = 8 * key->u.dsa.params.prime.len;
+
+            rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minLen);
+            if (rv != SECSuccess) {
+                return SECFailure;
+	    }
+
+            if (len < minLen) {
+                return SECFailure;
+	    }
+
+            return SECSuccess;
+	default:
+	    return SECSuccess;
+    }
+}
+
 /*
  * verify the signature of a signed data object with the given DER publickey
  */
@@ -93,7 +181,6 @@ CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
 	PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
 	return SECFailure;
     }
-
     /* check the signature */
     sig = sd->signature;
     /* convert sig->len from bit counts to byte count. */
@@ -104,11 +191,17 @@ CERT_VerifySignedDataWithPublicKey(const CERTSignedData *sd,
     if (rv == SECSuccess) {
         /* Are we honoring signatures for this algorithm?  */
 	PRUint32 policyFlags = 0;
+	rv = checkKeyParams(&sd->signatureAlgorithm, pubKey);
+	if (rv != SECSuccess) {
+	    PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+	    return SECFailure;
+	}
+
 	rv = NSS_GetAlgorithmPolicy(hashAlg, &policyFlags);
 	if (rv == SECSuccess && 
 	    !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
 	    PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
-	    rv = SECFailure;
+	    return SECFailure;
 	}
     }
     return rv;