diff options
Diffstat (limited to 'lib/cryptohi/secvfy.c')
| -rw-r--r-- | lib/cryptohi/secvfy.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c index f6f5d72b8..8c9dc2d87 100644 --- a/lib/cryptohi/secvfy.c +++ b/lib/cryptohi/secvfy.c @@ -16,6 +16,7 @@ #include "secdig.h" #include "secerr.h" #include "keyi.h" +#include "nss.h" /* ** Recover the DigestInfo from an RSA PKCS#1 signature. @@ -466,6 +467,7 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, unsigned int sigLen; KeyType type; PRUint32 policyFlags; + PRInt32 optFlags; /* make sure the encryption algorithm matches the key type */ /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */ @@ -475,7 +477,16 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); return NULL; } - + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) { + rv = seckey_EnforceKeySize(key->keyType, + SECKEY_PublicKeyStrengthInBits(key), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return NULL; + } + } + } /* check the policy on the encryption algorithm */ if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { |