Switch to use SHA-256 for certificates / fingerprints.

This CL changes identity generation to use SHA-256 for the self-signed certificates and the fingerprints sent in the SDP. BUG=4602 R=juberti@google.com Review URL: https://webrtc-codereview.appspot.com/47149004 Cr-Commit-Position: refs/heads/master@{#9173}
2015-05-12 03:32:11 +02:00 · 2015-05-12 03:32:11 +02:00 · 1b794d56b7
commit 1b794d56b7
parent cb3e8fe492
4 changed files with 18 additions and 8 deletions
--- a/webrtc/base/nssidentity.cc
+++ b/webrtc/base/nssidentity.cc
@ -406,7 +406,7 @@ NSSIdentity* NSSIdentity::GenerateInternal(const SSLIdentityParams& params) {
  arena = certificate->arena;

  rv = SECOID_SetAlgorithmID(arena, &certificate->signature,
-                             SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
+                             SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION, NULL);
  if (rv != SECSuccess)
    goto fail;

@ -420,7 +420,7 @@ NSSIdentity* NSSIdentity::GenerateInternal(const SSLIdentityParams& params) {

  rv = SEC_DerSignData(arena, &signed_cert, inner_der.data, inner_der.len,
                       keypair->privkey(),
-                       SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION);
+                       SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION);
  if (rv != SECSuccess) {
    LOG(LS_ERROR) << "Couldn't sign certificate";
    goto fail;
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@ -112,7 +112,7 @@ static X509* MakeCertificate(EVP_PKEY* pkey, const SSLIdentityParams& params) {
      !X509_gmtime_adj(X509_get_notAfter(x509), params.not_after))
    goto error;

-  if (!X509_sign(x509, pkey, EVP_sha1()))
+  if (!X509_sign(x509, pkey, EVP_sha256()))
    goto error;

  BN_free(serial_number);
--- a/webrtc/base/sslidentity_unittest.cc
+++ b/webrtc/base/sslidentity_unittest.cc
@ -60,13 +60,13 @@ class SSLIdentityTest : public testing::Test {
  void TestGetSignatureDigestAlgorithm() {
    std::string digest_algorithm;
    // Both NSSIdentity::Generate and OpenSSLIdentity::Generate are
-    // hard-coded to generate RSA-SHA1 certificates.
+    // hard-coded to generate RSA-SHA256 certificates.
    ASSERT_TRUE(identity1_->certificate().GetSignatureDigestAlgorithm(
        &digest_algorithm));
-    ASSERT_EQ(rtc::DIGEST_SHA_1, digest_algorithm);
+    ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
    ASSERT_TRUE(identity2_->certificate().GetSignatureDigestAlgorithm(
        &digest_algorithm));
-    ASSERT_EQ(rtc::DIGEST_SHA_1, digest_algorithm);
+    ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);

    // The test certificate has an MD5-based signature.
    ASSERT_TRUE(test_cert_->GetSignatureDigestAlgorithm(&digest_algorithm));
--- a/webrtc/p2p/base/dtlstransportchannel_unittest.cc
+++ b/webrtc/p2p/base/dtlstransportchannel_unittest.cc
@ -126,14 +126,24 @@ class DtlsTestClient : public sigslot::has_slots<> {
    rtc::scoped_ptr<rtc::SSLFingerprint> local_fingerprint;
    rtc::scoped_ptr<rtc::SSLFingerprint> remote_fingerprint;
    if (local_identity) {
+      std::string digest_algorithm;
+      ASSERT_TRUE(local_identity->certificate().GetSignatureDigestAlgorithm(
+          &digest_algorithm));
+      ASSERT_FALSE(digest_algorithm.empty());
      local_fingerprint.reset(rtc::SSLFingerprint::Create(
-          rtc::DIGEST_SHA_1, local_identity));
+          digest_algorithm, local_identity));
      ASSERT_TRUE(local_fingerprint.get() != NULL);
+      EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
    }
    if (remote_identity) {
+      std::string digest_algorithm;
+      ASSERT_TRUE(remote_identity->certificate().GetSignatureDigestAlgorithm(
+          &digest_algorithm));
+      ASSERT_FALSE(digest_algorithm.empty());
      remote_fingerprint.reset(rtc::SSLFingerprint::Create(
-          rtc::DIGEST_SHA_1, remote_identity));
+          digest_algorithm, remote_identity));
      ASSERT_TRUE(remote_fingerprint.get() != NULL);
+      EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
    }

    if (use_dtls_srtp_ && !(flags & NF_REOFFER)) {