]> WPIA git - cassiopeia.git/blobdiff - src/crypto/X509.cpp
projects / cassiopeia.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
chg: Make the signer actively reject MD5 and SHA1
[cassiopeia.git] / src / crypto / X509.cpp
diff --git a/src/crypto/X509.cpp b/src/crypto/X509.cpp
index 37bb900ff6f281f293dc0489105fbb285eabe94b..f9dbc7a7ff65aef55e4fefd0edd4d01ba1ae8d4a 100644 (file)
--- a/src/crypto/X509.cpp
+++ b/src/crypto/X509.cpp
@@ -237,9 +237,11 @@ std::shared_ptr<SignedCertificate> X509Cert::sign( std::shared_ptr<EVP_PKEY> caK
     } else if( signAlg == "sha256" ) {
         md = EVP_sha256();
     } else if( signAlg == "sha1" ) {
-        md = EVP_sha1();
+        throw std::runtime_error("Refusing to sign with weak signature algorithm (SHA-1).");
+    } else if( signAlg == "md5" ) {
+        throw std::runtime_error("Refusing to sign with weak signature algorithm (MD5).");
     } else {
-        throw std::runtime_error("Unknown md-type");
+        throw std::runtime_error("Unknown signature algorithm");
     }
 
     if( !X509_sign( target.get(), caKey.get(), md ) ) {
WPIA Certificate Signing Software