diff options
Diffstat (limited to 'lib/cryptohi/secsign.c')
-rw-r--r-- | lib/cryptohi/secsign.c | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c index 693e79c65..dc10f2fa6 100644 --- a/lib/cryptohi/secsign.c +++ b/lib/cryptohi/secsign.c @@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena, SECKEYRSAPSSParams pssParams; int modBytes, hashLength; unsigned long saltLength; + PRBool defaultSHA1 = PR_FALSE; SECStatus rv; if (key->keyType != rsaKey && key->keyType != rsaPssKey) { @@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena, if (rv != SECSuccess) { return NULL; } + defaultSHA1 = PR_TRUE; } if (pssParams.trailerField.data) { @@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena, /* Determine the hash algorithm to use, based on hashAlgTag and * pssParams.hashAlg; there are four cases */ if (hashAlgTag != SEC_OID_UNKNOWN) { + SECOidTag tag = SEC_OID_UNKNOWN; + if (pssParams.hashAlg) { - if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } + tag = SECOID_GetAlgorithmTag(pssParams.hashAlg); + } else if (defaultSHA1) { + tag = SEC_OID_SHA1; + } + + if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; } } else if (hashAlgTag == SEC_OID_UNKNOWN) { if (pssParams.hashAlg) { hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg); + } else if (defaultSHA1) { + hashAlgTag = SEC_OID_SHA1; } else { /* Find a suitable hash algorithm based on the NIST recommendation */ if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */ @@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena, PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } + } else if (defaultSHA1) { + if (hashAlgTag != SEC_OID_SHA1) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } } hashLength = HASH_ResultLenByOidTag(hashAlgTag); @@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena, PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } + } else if (defaultSHA1) { + saltLength = 20; } /* Fill in the parameters */ |