chg: Make the signer actively reject MD5 and SHA1
authorBenny Baumann <BenBE1987@gmx.net>
Mon, 6 Mar 2017 08:05:26 +0000 (09:05 +0100)
committerBenny Baumann <BenBE1987@gmx.net>
Wed, 8 Mar 2017 22:33:10 +0000 (23:33 +0100)
Change-Id: Icb4ca0df56e284944c6840b2cb4b0852fe7999a6

src/crypto/X509.cpp

index 37bb900ff6f281f293dc0489105fbb285eabe94b..f9dbc7a7ff65aef55e4fefd0edd4d01ba1ae8d4a 100644 (file)
@@ -237,9 +237,11 @@ std::shared_ptr<SignedCertificate> X509Cert::sign( std::shared_ptr<EVP_PKEY> caK
     } else if( signAlg == "sha256" ) {
         md = EVP_sha256();
     } else if( signAlg == "sha1" ) {
-        md = EVP_sha1();
+        throw std::runtime_error("Refusing to sign with weak signature algorithm (SHA-1).");
+    } else if( signAlg == "md5" ) {
+        throw std::runtime_error("Refusing to sign with weak signature algorithm (MD5).");
     } else {
-        throw std::runtime_error("Unknown md-type");
+        throw std::runtime_error("Unknown signature algorithm");
     }
 
     if( !X509_sign( target.get(), caKey.get(), md ) ) {
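Review bot: The digest choice is enforced by the allowlist shape of this chain, not by the two named reject branches, and nothing in the code says so: the `md5` branch only changes the error text, because `md5` already fell through to the final `else` and was refused. I would add a comment above the `sha1` branch such as `// Allowlist: only the digests accepted above may sign; sha1/md5 are named here solely for a clearer refusal message.` so a later edit does not turn one of them back into an accepted branch. The comparisons are exact-match, so a spelling like `SHA1` or `sha-1` is still refused but reported as "Unknown signature algorithm", which reads as a configuration typo rather than a policy refusal in the signer's logs. The body of `X509Cert::sign` starts and ends outside this hunk, so whether `signAlg` is normalised before this chain is not visible here.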