From 8c36452a1422eea1631cff4d90a3b801ed05cd77 Mon Sep 17 00:00:00 2001
From: Benny Baumann <BenBE1987@gmx.net>
Date: Mon, 6 Mar 2017 09:05:26 +0100
Subject: [PATCH] chg: Make the signer actively reject MD5 and SHA1

Change-Id: Icb4ca0df56e284944c6840b2cb4b0852fe7999a6
---
 src/crypto/X509.cpp | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/crypto/X509.cpp b/src/crypto/X509.cpp
index 37bb900..f9dbc7a 100644
--- a/src/crypto/X509.cpp
+++ b/src/crypto/X509.cpp
@@ -237,9 +237,11 @@ std::shared_ptr<SignedCertificate> X509Cert::sign( std::shared_ptr<EVP_PKEY> caK
     } else if( signAlg == "sha256" ) {
         md = EVP_sha256();
     } else if( signAlg == "sha1" ) {
-        md = EVP_sha1();
+        throw std::runtime_error("Refusing to sign with weak signature algorithm (SHA-1).");
+    } else if( signAlg == "md5" ) {
+        throw std::runtime_error("Refusing to sign with weak signature algorithm (MD5).");
     } else {
-        throw std::runtime_error("Unknown md-type");
+        throw std::runtime_error("Unknown signature algorithm");
     }
 
     if( !X509_sign( target.get(), caKey.get(), md ) ) {
-- 
2.39.2