Detect SHA-1 when it appears in certificate chains

net/cert/cert_verify_proc_openssl.cc

Index: net/cert/cert_verify_proc_openssl.cc
diff --git a/net/cert/cert_verify_proc_openssl.cc b/net/cert/cert_verify_proc_openssl.cc
index 7643240dbca73463bb235fae701df17bbc95b035..a74bbc35d0e78d93825ed2cda9dc0545de029d7e 100644
--- a/net/cert/cert_verify_proc_openssl.cc
+++ b/net/cert/cert_verify_proc_openssl.cc
@@ -117,8 +117,14 @@ void GetCertChainInfo(X509_STORE_CTX* store_ctx,
         verify_result->has_md2 = true;
       } else if (sig_alg == NID_md4WithRSAEncryption) {
         verify_result->has_md4 = true;
-      } else if (sig_alg == NID_md5WithRSAEncryption) {
+      } else if (sig_alg == NID_md5WithRSAEncryption ||
+                 sig_alg == NID_md5WithRSA) {
         verify_result->has_md5 = true;
+      } else if (sig_alg == NID_sha1WithRSAEncryption ||
+                 sig_alg == NID_dsaWithSHA || sig_alg == NID_dsaWithSHA1 ||
+                 sig_alg == NID_dsaWithSHA1_2 || sig_alg == NID_sha1WithRSA ||

[davidben, 2014/08/28 19:42:08]

Aside: BoringSSL actually can't verify DSA signatures at all right now, and the
DSA-based cipher suites have been removed. If we're using some external
certificate validator, I'm not sure whether or not it would fail the handshake
if the leaf were RSA, but something up the chain was DSA.

Strictly speaking, an SSL implementation shouldn't care in that case, but I
could believe that it would fail trying to parse into an X509* or something.

[Ryan Sleevi, 2014/09/26 20:18:43]

Right, I'm fairly certain it will be an error beforehand.

+                 sig_alg == NID_ecdsa_with_SHA1) {
+        verify_result->has_sha1 = true;
       }
     }
   }