author | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-11-20 07:58:44 +0000 |
---|---|---|
committer | wtc@chromium.org <wtc@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-11-20 07:58:44 +0000 |
commit | fa2d3dca03141bd815f2bbdab5733ba72d9fd28c (patch) | |
tree | 9e7f3976d782db8cea64d9ec3d00acab8ccb0422 | |
parent | 944b6984bf84233ba9fbbaf781bb0455611ce90b (diff) | |
Disable MD5 certificate signatures if NSS is used to verify certificates.
This prepares us for NSS 3.14, which disables MD5 certificate signatures
by default.
Disable a unit test for NSS because all the test cases in that test are
invalid now.
R=rsleevi@chromium.org
BUG=151692
TEST=none
Review URL: https://chromiumcodereview.appspot.com/11365274
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@168757 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | crypto/nss_util.cc | 13 | ||||
-rw-r--r-- | net/base/cert_verify_proc_unittest.cc | 16 |
2 files changed, 18 insertions, 11 deletions
diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 3198101..e923b12 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -518,13 +518,16 @@ class NSSInitSingleton {
 }
 
 root_ = InitDefaultRootCerts();
-
- // MD5 certificate signatures are disabled by default in NSS 3.14.
- // Enable MD5 certificate signatures until we figure out how to deal
- // with the weak certificate signature unit tests.
- NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_CERT_SIGNATURE, 0);
 #endif // defined(USE_NSS)
 }
+
+#if defined(USE_NSS) || defined(OS_IOS)
+ // Disable MD5 certificate signatures. (They are disabled by default in
+ // NSS 3.14.)
+ NSS_SetAlgorithmPolicy(SEC_OID_MD5, 0, NSS_USE_ALG_IN_CERT_SIGNATURE);
+ NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
+ 0, NSS_USE_ALG_IN_CERT_SIGNATURE);
+#endif // defined(USE_NSS) || defined(OS_IOS)
 }
 
 // NOTE(willchan): We don't actually execute this code since we leak NSS to
diff --git a/net/base/cert_verify_proc_unittest.cc b/net/base/cert_verify_proc_unittest.cc
index 1a33182..9a03123f 100644
--- a/net/base/cert_verify_proc_unittest.cc
+++ b/net/base/cert_verify_proc_unittest.cc
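Review bot: Both `NSS_SetAlgorithmPolicy` calls in the added `#if defined(USE_NSS) || defined(OS_IOS)` block discard the returned `SECStatus`, so a failed call would leave MD5 certificate signatures in whatever state the linked NSS defaults to, with nothing recorded. For NSS older than 3.14 this block appears to be what actually turns MD5 off, so I would check each result, e.g. `if (NSS_SetAlgorithmPolicy(SEC_OID_MD5, 0, NSS_USE_ALG_IN_CERT_SIGNATURE) != SECSuccess) LOG(ERROR) << "Failed to disable MD5 certificate signatures";` (assuming the file's logging macros are in scope), and the same for the `SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION` call. The comment could also note that the policy is process-wide and clears only the certificate-signature use of MD5. The enclosing function starts outside the hunk, so the branch the block now follows cannot be confirmed from here.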
@@ -890,13 +890,19 @@ const WeakDigestTestData kVerifyIntermediateCATestData[] = {
 { "weak_digest_sha1_root.pem", "weak_digest_md4_intermediate.pem",
 "weak_digest_sha1_ee.pem", false, true, false, false, false },
 #endif
-#if !defined(USE_NSS) && !defined(OS_IOS) // MD2 is disabled by default.
 { "weak_digest_sha1_root.pem", "weak_digest_md2_intermediate.pem",
 "weak_digest_sha1_ee.pem", false, false, true, false, true },
-#endif
 };
-INSTANTIATE_TEST_CASE_P(VerifyIntermediate, CertVerifyProcWeakDigestTest,
- testing::ValuesIn(kVerifyIntermediateCATestData));
+// Disabled on NSS - MD4 is not supported, and MD2 and MD5 are disabled.
+#if defined(USE_NSS) || defined(OS_IOS)
+#define MAYBE_VerifyIntermediate DISABLED_VerifyIntermediate
+#else
+#define MAYBE_VerifyIntermediate VerifyIntermediate
+#endif
+WRAPPED_INSTANTIATE_TEST_CASE_P(
+ MAYBE_VerifyIntermediate,
+ CertVerifyProcWeakDigestTest,
+ testing::ValuesIn(kVerifyIntermediateCATestData));
 
 // The signature algorithm of end-entity should be properly detected.
 const WeakDigestTestData kVerifyEndEntityTestData[] = {
@@ -907,10 +913,8 @@ const WeakDigestTestData kVerifyEndEntityTestData[] = {
 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
 "weak_digest_md4_ee.pem", false, true, false, false, false },
 #endif
-#if !defined(USE_NSS) && !defined(OS_IOS) // MD2 is disabled by default.
 { "weak_digest_sha1_root.pem", "weak_digest_sha1_intermediate.pem",
 "weak_digest_md2_ee.pem", false, false, true, false, false },
-#endif
 };
 // Disabled on NSS - NSS caches chains/signatures in such a way that cannot
 // be cleared until NSS is cleanly shutdown, which is not presently supported |
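Review bot: Disabling the whole `VerifyIntermediate` instantiation through `MAYBE_VerifyIntermediate` leaves NSS and iOS builds with no test that an MD5- or MD2-signed intermediate is actually rejected, which is the property this commit sets out to enforce. I would keep an NSS-specific case that expects verification of those chains to fail, or at least leave a marker next to the define such as `// TODO(wtc): add NSS expectations for rejected MD2/MD5 intermediates, http://crbug.com/151692`, so the disabled suite is not forgotten. The second hunk (`kVerifyEndEntityTestData`) also drops the `#if !defined(USE_NSS) && !defined(OS_IOS)` guard around the MD2 end-entity row. Whether that row now runs under NSS depends on the instantiation below the trailing "Disabled on NSS" comment, which lies outside the hunk and is worth confirming.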