mirror/gmsm
1
0
Fork 0
mirror of https://github.com/emmansun/gmsm.git synced 2025-04-26 04:06:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

disable signing with MD5WithRSA #56

Browse Source
This commit is contained in:
Sun Yimin 2022-05-13 08:22:35 +08:00 committed by GitHub
parent ff60ecbcc8
commit 60f734b82c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
smx509/x509.go
View File

@ -1203,6 +1203,10 @@ func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgori
err = errors.New("x509: cannot sign with hash function requested") err = errors.New("x509: cannot sign with hash function requested")
return return
} }
if hashFunc == crypto.MD5 {
err = errors.New("x509: signing with MD5 is not supported")
return
}
if isRSAPSS(requestedSigAlgo) { if isRSAPSS(requestedSigAlgo) {
sigAlgo.Parameters = hashToPSSParameters[hashFunc] sigAlgo.Parameters = hashToPSSParameters[hashFunc]
} }
@ -1292,7 +1296,7 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
if template.SerialNumber.Sign() == -1 { if template.SerialNumber.Sign() == -1 {
return nil, errors.New("x509: serial number must be positive") return nil, errors.New("x509: serial number must be positive")
} }
if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) { if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen") return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
} }
@ -1400,15 +1404,8 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
} }
// Check the signature to ensure the crypto.Signer behaved correctly. // Check the signature to ensure the crypto.Signer behaved correctly.
sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm) if err := checkSignature(getSignatureAlgorithmFromAI(signatureAlgorithm), c.Raw, signature, key.Public(), true); err != nil {
switch sigAlg { return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
case MD5WithRSA:
// We skip the check if the signature algorithm is only supported for
// signing, not verification.
default:
if err := checkSignature(sigAlg, c.Raw, signature, key.Public(), true); err != nil {
return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
}
} }
return signedCert, nil return signedCert, nil

4
smx509/x509_test.go
View File

@ -2358,8 +2358,8 @@ func TestCreateCertificateLegacy(t *testing.T) {
SignatureAlgorithm: sigAlg, SignatureAlgorithm: sigAlg,
} }
_, err := CreateCertificate(rand.Reader, template.asX509(), template.asX509(), testPrivateKey.Public(), &brokenSigner{testPrivateKey.Public()}) _, err := CreateCertificate(rand.Reader, template.asX509(), template.asX509(), testPrivateKey.Public(), &brokenSigner{testPrivateKey.Public()})
if err != nil { if err == nil {
t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err) t.Fatal("CreateCertificate didn't fail when SignatureAlgorithm = MD5WithRSA")
} }
} }