Add support for MD2, MD4, and MD5 to SignatureAlgorithm.

net/cert/internal/signature_policy.cc

Index: net/cert/internal/signature_policy.cc
diff --git a/net/cert/internal/signature_policy.cc b/net/cert/internal/signature_policy.cc
index 0785cbf65321c719711e25f76109fe2d5cf0fd40..33a467bda6928280eea90abd8ec72156952ee72f 100644
--- a/net/cert/internal/signature_policy.cc
+++ b/net/cert/internal/signature_policy.cc
@@ -34,6 +34,42 @@ bool IsModulusSizeGreaterOrEqual(size_t modulus_length_bits,
 bool SignaturePolicy::IsAcceptableSignatureAlgorithm(
     const SignatureAlgorithm& algorithm,
     CertErrors* errors) const {
+  // Don't allow MD2, MD4, or MD5.

[Ryan Sleevi, 2017/03/07 20:26:34]

Is this comment in the wrong place?

+  switch (algorithm.algorithm()) {
+    case SignatureAlgorithmId::Ecdsa:
+    case SignatureAlgorithmId::RsaPss:
+    case SignatureAlgorithmId::RsaPkcs1:
+      break;
+  }

[Ryan Sleevi, 2017/03/07 20:26:34]

It's unclear the purpose of this switch (I suspect to get explicit compiler
errors for new algorithms; if so, spell that out?)

[eroman, 2017/03/07 20:41:06]

Thanks.

I have improved the organization and code duplication.

+
+  switch (algorithm.digest()) {
+    case DigestAlgorithm::Md2:
+    case DigestAlgorithm::Md4:
+    case DigestAlgorithm::Md5:
+      return false;
+
+    case DigestAlgorithm::Sha1:
+    case DigestAlgorithm::Sha256:
+    case DigestAlgorithm::Sha384:
+    case DigestAlgorithm::Sha512:
+      break;
+  }
+
+  if (algorithm.ParamsForRsaPss()) {
+    switch (algorithm.ParamsForRsaPss()->mgf1_hash()) {
+      case DigestAlgorithm::Md2:
+      case DigestAlgorithm::Md4:
+      case DigestAlgorithm::Md5:
+        return false;
+
+      case DigestAlgorithm::Sha1:
+      case DigestAlgorithm::Sha256:
+      case DigestAlgorithm::Sha384:
+      case DigestAlgorithm::Sha512:
+        break;
+    }
+  }
+
   return true;
 }