mirror/gmsm
1
0
Fork 0
mirror of https://github.com/emmansun/gmsm.git synced 2025-04-27 04:36:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

rollback first #93

Browse Source
This commit is contained in:
Sun Yimin 2022-11-02 17:11:18 +08:00 committed by GitHub
parent fd940fcd06
commit 1ce7714cc9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
smx509/verify_test.go
View File

@ -539,7 +539,8 @@ func testVerify(t *testing.T, test verifyTest, useSystemRoots bool) {
func TestGoVerify(t *testing.T) {
// Temporarily enable SHA-1 verification since a number of test chains
// require it. TODO(filippo): regenerate test chains.
t.Setenv("GODEBUG", "x509sha1=1")
defer func(old bool) { debugAllowSHA1 = old }(debugAllowSHA1)
debugAllowSHA1 = true
for _, test := range verifyTests {
t.Run(test.name, func(t *testing.T) {

9
smx509/x509.go
View File

@ -248,7 +248,7 @@ var (
// 附录A规范性附录商用密码领域中的相关OID定义
//
// http://gmssl.org/docs/oid.html
oidSignatureSM2WithSM3 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 501}
oidSignatureSM2WithSM3 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 501}
//oidSignatureSM2WithSHA1 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 502}
//oidSignatureSM2WithSHA256 = asn1.ObjectIdentifier{1, 2, 156, 10197, 1, 503}
)
@ -548,6 +548,9 @@ func oidFromExtKeyUsage(eku ExtKeyUsage) (oid asn1.ObjectIdentifier, ok bool) {
return
}
// debugAllowSHA1 allows SHA-1 signatures. See issue 41682.
var debugAllowSHA1 = godebug.Get("x509sha1") == "1"
// A Certificate represents an X.509 certificate.
type Certificate x509.Certificate
@ -593,7 +596,7 @@ func (c *Certificate) CheckSignatureFrom(parent *Certificate) error {
// TODO(agl): don't ignore the path length constraint.
return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature, parent.PublicKey, false)
return checkSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature, parent.PublicKey, debugAllowSHA1)
}
// CheckSignature verifies that signature is a valid signature over signed from
@ -641,7 +644,7 @@ func checkSignature(algo SignatureAlgorithm, signed, signature []byte, publicKey
case crypto.MD5:
return x509.InsecureAlgorithmError(algo)
case crypto.SHA1:
if !allowSHA1 && godebug.Get("x509sha1") != "1" {
if !allowSHA1 {
return x509.InsecureAlgorithmError(algo)
}
fallthrough

6
smx509/x509_test.go
View File

@ -1688,7 +1688,8 @@ func TestSHA1(t *testing.T) {
t.Fatalf("certificate verification returned %v (%T), wanted InsecureAlgorithmError", err, err)
}
t.Setenv("GODEBUG", "x509sha1=1")
defer func(old bool) { debugAllowSHA1 = old }(debugAllowSHA1)
debugAllowSHA1 = true
if err = cert.CheckSignatureFrom(cert); err != nil {
t.Fatalf("SHA-1 certificate did not verify with GODEBUG=x509sha1=1: %v", err)
}
@ -3034,7 +3035,8 @@ func TestParseUniqueID(t *testing.T) {
}
func TestDisableSHA1ForCertOnly(t *testing.T) {
t.Setenv("GODEBUG", "")
defer func(old bool) { debugAllowSHA1 = old }(debugAllowSHA1)
debugAllowSHA1 = false
tmpl := &Certificate{
SerialNumber: big.NewInt(1),