Use EVP_parse_digest_algorithm and EVP_marshal_digest_algorithm.

Bug: Change-Id: Id86544d32aa805ee09e6846aadbb397048a961c0 Reviewed-on: https://chromium-review.googlesource.com/685555Reviewed-by: Eric Roman <eroman@chromium.org> Commit-Queue: Steven Valdez <svaldez@chromium.org> Cr-Commit-Position: refs/heads/master@{#504487}

Use EVP_parse_digest_algorithm and EVP_marshal_digest_algorithm.
Bug: Change-Id: Id86544d32aa805ee09e6846aadbb397048a961c0 Reviewed-on: https://chromium-review.googlesource.com/685555Reviewed-by: Eric Roman <eroman@chromium.org> Commit-Queue: Steven Valdez <svaldez@chromium.org> Cr-Commit-Position: refs/heads/master@{#504487}
db762592 · Steven Valdez · Commit Bot · eaf80825 · db762592 · db762592
Commit db762592 authored Sep 26, 2017 by Steven Valdez Committed by Commit Bot Sep 26, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 73 deletions

net/cert/internal/ocsp.cc net/cert/internal/ocsp.cc +4 -13

net/cert/internal/signature_algorithm.cc net/cert/internal/signature_algorithm.cc +14 -60

No files found.
--- a/net/cert/internal/ocsp.cc
+++ b/net/cert/internal/ocsp.cc
@@ -154,14 +154,6 @@ bool ParseCertStatus(const der::Input& raw_tlv, OCSPCertStatus* out) {
  return !parser.HasMore();
 }

-// DER bytes for a SHA1 AlgorithmIdentifier.
-//
-//     SEQUENCE (2 elem)
-//         OBJECT IDENTIFIER  1.3.14.3.2.26
-//         NULL
-const uint8_t kSha1HashAlgorithm[] = {0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E,
-                                      0x03, 0x02, 0x1A, 0x05, 0x00};
-
 // Writes the hash of |value| as an OCTET STRING to |cbb|, using |hash_type| as
 // the algorithm. Returns true on success.
 bool AppendHashAsOctetString(const EVP_MD* hash_type,
@@ -902,17 +894,16 @@ bool CreateOCSPRequest(const ParsedCertificate* cert,
  //       serialNumber        CertificateSerialNumber }

  // TODO(eroman): Don't use SHA1.
-  if (!CBB_add_bytes(&req_cert, kSha1HashAlgorithm,
-                     arraysize(kSha1HashAlgorithm))) {
+  const EVP_MD* md = EVP_sha1();
+  if (!EVP_marshal_digest_algorithm(&req_cert, md))
    return false;
-  }

-  AppendHashAsOctetString(EVP_sha1(), &req_cert, issuer->tbs().issuer_tlv);
+  AppendHashAsOctetString(md, &req_cert, issuer->tbs().issuer_tlv);

  der::Input key_tlv;
  if (!GetSubjectPublicKeyBytes(issuer->tbs().spki_tlv, &key_tlv))
    return false;
-  AppendHashAsOctetString(EVP_sha1(), &req_cert, key_tlv);
+  AppendHashAsOctetString(md, &req_cert, key_tlv);

  CBB serial_number;
  if (!CBB_add_asn1(&req_cert, &serial_number, CBS_ASN1_INTEGER))

--- a/net/cert/internal/signature_algorithm.cc
+++ b/net/cert/internal/signature_algorithm.cc
@@ -14,6 +14,8 @@
 #include "net/der/input.h"
 #include "net/der/parse_values.h"
 #include "net/der/parser.h"
+#include "third_party/boringssl/src/include/openssl/bytestring.h"
+#include "third_party/boringssl/src/include/openssl/digest.h"

 namespace net {

@@ -152,45 +154,6 @@ const uint8_t kOidDsaWithSha1[] = {0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03};
 const uint8_t kOidDsaWithSha256[] = {0x60, 0x86, 0x48, 0x01, 0x65,
                                     0x03, 0x04, 0x03, 0x02};

-// From RFC 5912:
-//
-//     id-sha1 OBJECT IDENTIFIER ::= {
-//      iso(1) identified-organization(3) oiw(14) secsig(3)
-//      algorithm(2) 26 }
-//
-// In dotted notation: 1.3.14.3.2.26
-const uint8_t kOidSha1[] = {0x2B, 0x0E, 0x03, 0x02, 0x1A};
-
-// From RFC 5912:
-//
-//     id-sha256  OBJECT IDENTIFIER  ::=
-//         { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
-//         csor(3) nistAlgorithms(4) hashalgs(2) 1 }
-//
-// In dotted notation: 2.16.840.1.101.3.4.2.1
-const uint8_t kOidSha256[] = {0x60, 0x86, 0x48, 0x01, 0x65,
-                              0x03, 0x04, 0x02, 0x01};
-
-// From RFC 5912:
-//
-//     id-sha384  OBJECT IDENTIFIER  ::=
-//         { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
-//         csor(3) nistAlgorithms(4) hashalgs(2) 2 }
-//
-// In dotted notation: 2.16.840.1.101.3.4.2.2
-const uint8_t kOidSha384[] = {0x60, 0x86, 0x48, 0x01, 0x65,
-                              0x03, 0x04, 0x02, 0x02};
-
-// From RFC 5912:
-//
-//     id-sha512  OBJECT IDENTIFIER  ::=
-//         { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
-//         csor(3) nistAlgorithms(4) hashalgs(2) 3 }
-//
-// In dotted notation: 2.16.840.1.101.3.4.2.3
-const uint8_t kOidSha512[] = {0x60, 0x86, 0x48, 0x01, 0x65,
-                              0x03, 0x04, 0x02, 0x03};
-
 // From RFC 5912:
 //
 //     id-mgf1  OBJECT IDENTIFIER  ::=  { pkcs-1 8 }
@@ -554,33 +517,24 @@ DEFINE_CERT_ERROR_ID(kUnknownAlgorithmIdentifierOid,

 WARN_UNUSED_RESULT bool ParseHashAlgorithm(const der::Input& input,
                                           DigestAlgorithm* out) {
-  der::Input oid;
-  der::Input params;
-  if (!ParseAlgorithmIdentifier(input, &oid, &params))
-    return false;
-
-  DigestAlgorithm hash;
-
-  if (oid == der::Input(kOidSha1)) {
-    hash = DigestAlgorithm::Sha1;
-  } else if (oid == der::Input(kOidSha256)) {
-    hash = DigestAlgorithm::Sha256;
-  } else if (oid == der::Input(kOidSha384)) {
-    hash = DigestAlgorithm::Sha384;
-  } else if (oid == der::Input(kOidSha512)) {
-    hash = DigestAlgorithm::Sha512;
+  CBS cbs;
+  CBS_init(&cbs, input.UnsafeData(), input.Length());
+  const EVP_MD* md = EVP_parse_digest_algorithm(&cbs);
+
+  if (md == EVP_sha1()) {
+    *out = DigestAlgorithm::Sha1;
+  } else if (md == EVP_sha256()) {
+    *out = DigestAlgorithm::Sha256;
+  } else if (md == EVP_sha384()) {
+    *out = DigestAlgorithm::Sha384;
+  } else if (md == EVP_sha512()) {
+    *out = DigestAlgorithm::Sha512;
  } else {
    // TODO(eroman): Support MD2, MD4, MD5 for completeness?
    // Unsupported digest algorithm.
    return false;
  }

-  // From RFC 5912: "PARAMS TYPE NULL ARE preferredPresent". Which is to say
-  // the can either be absent, or NULL.
-  if (!IsEmpty(params) && !IsNull(params))
-    return false;
-
-  *out = hash;
  return true;
 }