Disable MD5 certificate signatures if NSS is used to verify certificates.

This prepares us for NSS 3.14, which disables MD5 certificate signatures
by default.

Disable a unit test for NSS because all the test cases in that test are
invalid now.

R=rsleevi@chromium.org
BUG=151692
TEST=none

Review URL: https://chromiumcodereview.appspot.com/11365274

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@168757 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 8 insertions, 5 deletions

diff --git a/crypto/nss_util.cc b/crypto/nss_util.cc
index 3198101..e923b12 100644
--- a/crypto/nss_util.cc
+++ b/crypto/nss_util.cc
@@ -518,13 +518,16 @@ class NSSInitSingleton {
       }
 
       root_ = InitDefaultRootCerts();
-
-      // MD5 certificate signatures are disabled by default in NSS 3.14.
-      // Enable MD5 certificate signatures until we figure out how to deal
-      // with the weak certificate signature unit tests.
-      NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_CERT_SIGNATURE, 0);
 #endif  // defined(USE_NSS)
     }
+
+#if defined(USE_NSS) || defined(OS_IOS)
+    // Disable MD5 certificate signatures. (They are disabled by default in
+    // NSS 3.14.)
+    NSS_SetAlgorithmPolicy(SEC_OID_MD5, 0, NSS_USE_ALG_IN_CERT_SIGNATURE);
+    NSS_SetAlgorithmPolicy(SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION,
+                           0, NSS_USE_ALG_IN_CERT_SIGNATURE);
+#endif  // defined(USE_NSS) || defined(OS_IOS)
   }
 
   // NOTE(willchan): We don't actually execute this code since we leak NSS to