Switch to use SHA-256 for certificates / fingerprints.
This CL changes identity generation to use SHA-256 for the self-signed
certificates and the fingerprints sent in the SDP.
BUG=4602
R=juberti@google.com
Review URL: https://webrtc-codereview.appspot.com/47149004
Cr-Commit-Position: refs/heads/master@{#9173}
diff --git a/webrtc/base/nssidentity.cc b/webrtc/base/nssidentity.cc
index b34ce1d..bbcc73e 100644
--- a/webrtc/base/nssidentity.cc
+++ b/webrtc/base/nssidentity.cc
@@ -406,7 +406,7 @@
arena = certificate->arena;
rv = SECOID_SetAlgorithmID(arena, &certificate->signature,
- SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL);
+ SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION, NULL);
if (rv != SECSuccess)
goto fail;
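Review bot: The signature OID is now spelled out twice, here in `SECOID_SetAlgorithmID` and again in the `SEC_DerSignData` call in the `-420` hunk, and nothing forces the two to agree. If a later edit changes only one, the certificate would declare one algorithm in its AlgorithmIdentifier while being signed with another, and peers validating the signature would reject it. A single file-local constant used at both sites removes that risk, for example `static const SECOidTag kCertSignatureAlg = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;`. The enclosing function starts and ends outside this hunk, so any other use of the OID in it is not visible here.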
@@ -420,7 +420,7 @@
rv = SEC_DerSignData(arena, &signed_cert, inner_der.data, inner_der.len,
keypair->privkey(),
- SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION);
+ SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION);
if (rv != SECSuccess) {
LOG(LS_ERROR) << "Couldn't sign certificate";
goto fail;
diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc
index 7dc14fc..9daad9b 100644
--- a/webrtc/base/opensslidentity.cc
+++ b/webrtc/base/opensslidentity.cc
@@ -112,7 +112,7 @@
!X509_gmtime_adj(X509_get_notAfter(x509), params.not_after))
goto error;
- if (!X509_sign(x509, pkey, EVP_sha1()))
+ if (!X509_sign(x509, pkey, EVP_sha256()))
goto error;
BN_free(serial_number);
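Review bot: The `X509_sign(x509, pkey, EVP_sha256())` call has no comment recording that this digest choice reaches beyond the certificate itself. The commit description says the SDP fingerprints also move to SHA-256, yet no fingerprint code changes in this diff, so the fingerprint hash is presumably derived from the certificate's signature digest. I would add a comment above the call such as `// Signature digest; the SDP fingerprint hash appears to follow this value, keep in sync with NSSIdentity.` and confirm the coupling against the fingerprint-creation code. The enclosing function continues outside the hunk.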
diff --git a/webrtc/base/sslidentity_unittest.cc b/webrtc/base/sslidentity_unittest.cc
index 3f756ef..fd75411 100644
--- a/webrtc/base/sslidentity_unittest.cc
+++ b/webrtc/base/sslidentity_unittest.cc
@@ -60,13 +60,13 @@
void TestGetSignatureDigestAlgorithm() {
std::string digest_algorithm;
// Both NSSIdentity::Generate and OpenSSLIdentity::Generate are
- // hard-coded to generate RSA-SHA1 certificates.
+ // hard-coded to generate RSA-SHA256 certificates.
ASSERT_TRUE(identity1_->certificate().GetSignatureDigestAlgorithm(
&digest_algorithm));
- ASSERT_EQ(rtc::DIGEST_SHA_1, digest_algorithm);
+ ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
ASSERT_TRUE(identity2_->certificate().GetSignatureDigestAlgorithm(
&digest_algorithm));
- ASSERT_EQ(rtc::DIGEST_SHA_1, digest_algorithm);
+ ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
// The test certificate has an MD5-based signature.
ASSERT_TRUE(test_cert_->GetSignatureDigestAlgorithm(&digest_algorithm));
diff --git a/webrtc/p2p/base/dtlstransportchannel_unittest.cc b/webrtc/p2p/base/dtlstransportchannel_unittest.cc
index f3086bb..acb9d09 100644
--- a/webrtc/p2p/base/dtlstransportchannel_unittest.cc
+++ b/webrtc/p2p/base/dtlstransportchannel_unittest.cc
@@ -126,14 +126,24 @@
rtc::scoped_ptr<rtc::SSLFingerprint> local_fingerprint;
rtc::scoped_ptr<rtc::SSLFingerprint> remote_fingerprint;
if (local_identity) {
+ std::string digest_algorithm;
+ ASSERT_TRUE(local_identity->certificate().GetSignatureDigestAlgorithm(
+ &digest_algorithm));
+ ASSERT_FALSE(digest_algorithm.empty());
local_fingerprint.reset(rtc::SSLFingerprint::Create(
- rtc::DIGEST_SHA_1, local_identity));
+ digest_algorithm, local_identity));
ASSERT_TRUE(local_fingerprint.get() != NULL);
+ EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
}
if (remote_identity) {
+ std::string digest_algorithm;
+ ASSERT_TRUE(remote_identity->certificate().GetSignatureDigestAlgorithm(
+ &digest_algorithm));
+ ASSERT_FALSE(digest_algorithm.empty());
remote_fingerprint.reset(rtc::SSLFingerprint::Create(
- rtc::DIGEST_SHA_1, remote_identity));
+ digest_algorithm, remote_identity));
ASSERT_TRUE(remote_fingerprint.get() != NULL);
+ EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);
}
if (use_dtls_srtp_ && !(flags & NF_REOFFER)) {
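Review bot: In both the `local_identity` and `remote_identity` branches the SHA-256 expectation is a non-fatal `EXPECT_EQ` placed after `SSLFingerprint::Create` has already consumed `digest_algorithm`. If identity generation regressed to a weaker digest, the rest of the negotiation would still run with a fingerprint built from it. Checking first with `ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm);` directly after the `GetSignatureDigestAlgorithm` call stops the test at the point of regression and makes the `ASSERT_FALSE(digest_algorithm.empty())` line redundant. The two branches are line-for-line duplicates, so a small helper taking the identity and the `scoped_ptr` to fill would keep them from drifting apart. The enclosing function begins and ends outside the hunk.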