Index: net/cert/internal/signature_policy.cc |
diff --git a/net/cert/internal/signature_policy.cc b/net/cert/internal/signature_policy.cc |
index 0785cbf65321c719711e25f76109fe2d5cf0fd40..33a467bda6928280eea90abd8ec72156952ee72f 100644 |
--- a/net/cert/internal/signature_policy.cc |
+++ b/net/cert/internal/signature_policy.cc |
@@ -34,6 +34,42 @@ bool IsModulusSizeGreaterOrEqual(size_t modulus_length_bits, |
bool SignaturePolicy::IsAcceptableSignatureAlgorithm( |
const SignatureAlgorithm& algorithm, |
CertErrors* errors) const { |
+ // Don't allow MD2, MD4, or MD5. |
Ryan Sleevi
2017/03/07 20:26:34
Is this comment in the wrong place?
|
+ switch (algorithm.algorithm()) { |
+ case SignatureAlgorithmId::Ecdsa: |
+ case SignatureAlgorithmId::RsaPss: |
+ case SignatureAlgorithmId::RsaPkcs1: |
+ break; |
+ } |
Ryan Sleevi
2017/03/07 20:26:34
It's unclear the purpose of this switch (I suspect
eroman
2017/03/07 20:41:06
Thanks.
I have improved the organization and code
|
+ |
+ switch (algorithm.digest()) { |
+ case DigestAlgorithm::Md2: |
+ case DigestAlgorithm::Md4: |
+ case DigestAlgorithm::Md5: |
+ return false; |
+ |
+ case DigestAlgorithm::Sha1: |
+ case DigestAlgorithm::Sha256: |
+ case DigestAlgorithm::Sha384: |
+ case DigestAlgorithm::Sha512: |
+ break; |
+ } |
+ |
+ if (algorithm.ParamsForRsaPss()) { |
+ switch (algorithm.ParamsForRsaPss()->mgf1_hash()) { |
+ case DigestAlgorithm::Md2: |
+ case DigestAlgorithm::Md4: |
+ case DigestAlgorithm::Md5: |
+ return false; |
+ |
+ case DigestAlgorithm::Sha1: |
+ case DigestAlgorithm::Sha256: |
+ case DigestAlgorithm::Sha384: |
+ case DigestAlgorithm::Sha512: |
+ break; |
+ } |
+ } |
+ |
return true; |
} |