From 60f734b82cbf7c6f6690a0009d650483c620cebe Mon Sep 17 00:00:00 2001
From: Sun Yimin
Date: Fri, 13 May 2022 08:22:35 +0800
Subject: [PATCH] disable signing with MD5WithRSA #56
---
 smx509/x509.go | 17 +++++++----------
 smx509/x509_test.go | 4 ++--
 2 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/smx509/x509.go b/smx509/x509.go
index b002c79..a6f8cb3 100644
--- a/smx509/x509.go
+++ b/smx509/x509.go
@@ -1203,6 +1203,10 @@ func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgori
 err = errors.New("x509: cannot sign with hash function requested")
 return
 }
+ if hashFunc == crypto.MD5 {
+ err = errors.New("x509: signing with MD5 is not supported")
+ return
+ }
 if isRSAPSS(requestedSigAlgo) {
 sigAlgo.Parameters = hashToPSSParameters[hashFunc]
 }
@@ -1292,7 +1296,7 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
 if template.SerialNumber.Sign() == -1 {
 return nil, errors.New("x509: serial number must be positive")
 }
-
+
 if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
 return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
 }
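Review bot: The new `if hashFunc == crypto.MD5` guard in signingParamsForPublicKey carries no comment saying why signing is refused, and its reach is wider than the commit title suggests. The helper is keyed on the hash rather than on MD5WithRSA, and it presumably also serves the CSR and CRL creation paths (not visible in this hunk), so those would start returning this error as well. I would add `// MD5 is collision-broken: refuse to produce new MD5 signatures on every signing path.` above the check and mention the new error in the doc comments of the exported functions that call it. The function starts and ends outside the hunk, so the callers and the algorithm table should be confirmed against the full file.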
@@ -1400,15 +1404,8 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
 }
 // Check the signature to ensure the crypto.Signer behaved correctly.
- sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm)
- switch sigAlg {
- case MD5WithRSA:
- // We skip the check if the signature algorithm is only supported for
- // signing, not verification.
- default:
- if err := checkSignature(sigAlg, c.Raw, signature, key.Public(), true); err != nil {
- return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
- }
+ if err := checkSignature(getSignatureAlgorithmFromAI(signatureAlgorithm), c.Raw, signature, key.Public(), true); err != nil {
+ return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
 }
 return signedCert, nil
diff --git a/smx509/x509_test.go b/smx509/x509_test.go
index 497680c..cd1a3cc 100644
--- a/smx509/x509_test.go
+++ b/smx509/x509_test.go
@@ -2358,8 +2358,8 @@ func TestCreateCertificateLegacy(t *testing.T) {
 SignatureAlgorithm: sigAlg,
 }
 _, err := CreateCertificate(rand.Reader, template.asX509(), template.asX509(), testPrivateKey.Public(), &brokenSigner{testPrivateKey.Public()})
- if err != nil {
- t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err)
+ if err == nil {
+ t.Fatal("CreateCertificate didn't fail when SignatureAlgorithm = MD5WithRSA")
 }
 }
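Review bot: The now-unconditional `checkSignature` call in CreateCertificate depends on signingParamsForPublicKey having already rejected MD5, but nothing at this site says so. If an algorithm that can be signed but not verified ever reaches this point, it will fail closed. That is the safe outcome, but the message "signature over certificate returned by signer is invalid" would blame the signer rather than the algorithm. I would extend the existing comment to `// Check the signature to ensure the crypto.Signer behaved correctly. Every algorithm accepted for signing must also be verifiable here; MD5 is rejected earlier.` How checkSignature treats unsupported algorithms is not visible in this hunk, and the function body continues outside it.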
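Review bot: The `err == nil` assertion in TestCreateCertificateLegacy accepts any error, so it does not pin the new MD5 rejection. The signer passed in is a `brokenSigner`, which by its name likely returns an invalid signature, and with the verification skip removed in x509.go that alone could make CreateCertificate fail. Assert the specific error instead, e.g. `if err == nil || !strings.Contains(err.Error(), "signing with MD5 is not supported") {`, and keep `sigAlg` and `err` in the failure message via `t.Fatalf`. Whether `strings` is already imported in the test file is not visible here, and the test function starts outside the hunk.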