mirror/gmsm
1
0
Fork 0
mirror of https://github.com/emmansun/gmsm.git synced 2025-04-27 04:36:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

disable signing with MD5WithRSA #56

Browse Source
This commit is contained in:
Sun Yimin 2022-05-13 08:22:35 +08:00 committed by GitHub
parent ff60ecbcc8
commit 60f734b82c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 9 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
smx509/x509.go
View File

@ -1203,6 +1203,10 @@ func signingParamsForPublicKey(pub interface{}, requestedSigAlgo SignatureAlgori
err = errors.New("x509: cannot sign with hash function requested")
return
}
if hashFunc == crypto.MD5 {
err = errors.New("x509: signing with MD5 is not supported")
return
}
if isRSAPSS(requestedSigAlgo) {
sigAlgo.Parameters = hashToPSSParameters[hashFunc]
}
@ -1292,7 +1296,7 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
if template.SerialNumber.Sign() == -1 {
return nil, errors.New("x509: serial number must be positive")
}
if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
}
@ -1400,15 +1404,8 @@ func CreateCertificate(rand io.Reader, template, parent *x509.Certificate, pub,
}
// Check the signature to ensure the crypto.Signer behaved correctly.
sigAlg := getSignatureAlgorithmFromAI(signatureAlgorithm)
switch sigAlg {
case MD5WithRSA:
// We skip the check if the signature algorithm is only supported for
// signing, not verification.
default:
if err := checkSignature(sigAlg, c.Raw, signature, key.Public(), true); err != nil {
return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
}
if err := checkSignature(getSignatureAlgorithmFromAI(signatureAlgorithm), c.Raw, signature, key.Public(), true); err != nil {
return nil, fmt.Errorf("x509: signature over certificate returned by signer is invalid: %w", err)
}
return signedCert, nil

4
smx509/x509_test.go
View File

@ -2358,8 +2358,8 @@ func TestCreateCertificateLegacy(t *testing.T) {
SignatureAlgorithm: sigAlg,
}
_, err := CreateCertificate(rand.Reader, template.asX509(), template.asX509(), testPrivateKey.Public(), &brokenSigner{testPrivateKey.Public()})
if err != nil {
t.Fatalf("CreateCertificate failed when SignatureAlgorithm = %v: %s", sigAlg, err)
if err == nil {
t.Fatal("CreateCertificate didn't fail when SignatureAlgorithm = MD5WithRSA")
}
}