Commit c34bc90f authored by Brad Fitzpatrick's avatar Brad Fitzpatrick

crypto/x509: convert ErrInsecureAlgorithm into a type

Change-Id: I411aeaf0cf75eb8b1c9005b622f664e9f25e4a68
Reviewed-on: https://go-review.googlesource.com/17400Reviewed-by: default avatarRuss Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
parent a6869d1c
...@@ -19,6 +19,7 @@ import ( ...@@ -19,6 +19,7 @@ import (
"encoding/asn1" "encoding/asn1"
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt"
"io" "io"
"math/big" "math/big"
"net" "net"
...@@ -174,6 +175,28 @@ const ( ...@@ -174,6 +175,28 @@ const (
ECDSAWithSHA512 ECDSAWithSHA512
) )
var algoName = [...]string{
MD2WithRSA: "MD2-RSA",
MD5WithRSA: "MD5-RSA",
SHA1WithRSA: "SHA1-RSA",
SHA256WithRSA: "SHA256-RSA",
SHA384WithRSA: "SHA384-RSA",
SHA512WithRSA: "SHA512-RSA",
DSAWithSHA1: "DSA-SHA1",
DSAWithSHA256: "DSA-SHA256",
ECDSAWithSHA1: "ECDSA-SHA1",
ECDSAWithSHA256: "ECDSA-SHA256",
ECDSAWithSHA384: "ECDSA-SHA384",
ECDSAWithSHA512: "ECDSA-SHA512",
}
func (algo SignatureAlgorithm) String() string {
if 0 < algo && int(algo) < len(algoName) {
return algoName[algo]
}
return strconv.Itoa(int(algo))
}
type PublicKeyAlgorithm int type PublicKeyAlgorithm int
const ( const (
...@@ -541,9 +564,12 @@ type Certificate struct { ...@@ -541,9 +564,12 @@ type Certificate struct {
// involves algorithms that are not currently implemented. // involves algorithms that are not currently implemented.
var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented") var ErrUnsupportedAlgorithm = errors.New("x509: cannot verify signature: algorithm unimplemented")
// ErrInsecureAlgorithm results from attempting to perform an operation that // An InsecureAlgorithmError
// involves algorithms that are deemed insecure, notably MD5. type InsecureAlgorithmError SignatureAlgorithm
var ErrInsecureAlgorithm = errors.New("x509: cannot verify signature: insecure algorithm")
func (e InsecureAlgorithmError) Error() string {
return fmt.Sprintf("x509: cannot verify signature: insecure algorithm %v", SignatureAlgorithm(e))
}
// ConstraintViolationError results when a requested usage is not permitted by // ConstraintViolationError results when a requested usage is not permitted by
// a certificate. For example: checking a signature when the public key isn't a // a certificate. For example: checking a signature when the public key isn't a
...@@ -656,7 +682,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey ...@@ -656,7 +682,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey
case SHA512WithRSA, ECDSAWithSHA512: case SHA512WithRSA, ECDSAWithSHA512:
hashType = crypto.SHA512 hashType = crypto.SHA512
case MD2WithRSA, MD5WithRSA: case MD2WithRSA, MD5WithRSA:
return ErrInsecureAlgorithm return InsecureAlgorithmError(algo)
default: default:
return ErrUnsupportedAlgorithm return ErrUnsupportedAlgorithm
} }
......
...@@ -18,6 +18,7 @@ import ( ...@@ -18,6 +18,7 @@ import (
"encoding/base64" "encoding/base64"
"encoding/hex" "encoding/hex"
"encoding/pem" "encoding/pem"
"fmt"
"internal/testenv" "internal/testenv"
"math/big" "math/big"
"net" "net"
...@@ -1089,8 +1090,8 @@ func TestCriticalFlagInCSRRequestedExtensions(t *testing.T) { ...@@ -1089,8 +1090,8 @@ func TestCriticalFlagInCSRRequestedExtensions(t *testing.T) {
t.Fatalf("failed to parse CSR: %s", err) t.Fatalf("failed to parse CSR: %s", err)
} }
expected := []struct{ expected := []struct {
Id asn1.ObjectIdentifier Id asn1.ObjectIdentifier
Value []byte Value []byte
}{ }{
{oidExtensionBasicConstraints, fromBase64("MAYBAf8CAQA=")}, {oidExtensionBasicConstraints, fromBase64("MAYBAf8CAQA=")},
...@@ -1203,6 +1204,23 @@ func TestVerifyEmptyCertificate(t *testing.T) { ...@@ -1203,6 +1204,23 @@ func TestVerifyEmptyCertificate(t *testing.T) {
} }
} }
func TestInsecureAlgorithmErrorString(t *testing.T) {
tests := []struct {
sa SignatureAlgorithm
want string
}{
{MD2WithRSA, "x509: cannot verify signature: insecure algorithm MD2-RSA"},
{-1, "x509: cannot verify signature: insecure algorithm -1"},
{0, "x509: cannot verify signature: insecure algorithm 0"},
{9999, "x509: cannot verify signature: insecure algorithm 9999"},
}
for i, tt := range tests {
if got := fmt.Sprint(InsecureAlgorithmError(tt.sa)); got != tt.want {
t.Errorf("%d. mismatch.\n got: %s\nwant: %s\n", i, got, tt.want)
}
}
}
// These CSR was generated with OpenSSL: // These CSR was generated with OpenSSL:
// openssl req -out CSR.csr -new -sha256 -nodes -keyout privateKey.key -config openssl.cnf // openssl req -out CSR.csr -new -sha256 -nodes -keyout privateKey.key -config openssl.cnf
// //
...@@ -1249,7 +1267,7 @@ func TestMD5(t *testing.T) { ...@@ -1249,7 +1267,7 @@ func TestMD5(t *testing.T) {
if err = cert.CheckSignatureFrom(cert); err == nil { if err = cert.CheckSignatureFrom(cert); err == nil {
t.Fatalf("certificate verification succeeded incorrectly") t.Fatalf("certificate verification succeeded incorrectly")
} }
if err != ErrInsecureAlgorithm { if _, ok := err.(InsecureAlgorithmError); !ok {
t.Fatalf("certificate verification returned %q, wanted %q", err, ErrInsecureAlgorithm) t.Fatalf("certificate verification returned %v (%T), wanted InsecureAlgorithmError", err, err)
} }
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment