Bug 1042479 - Accept the OIW sha1WithRSASignature OID. r=keeler, a=sledru
authorBrian Smith <brian@briansmith.org>
Mon, 04 Aug 2014 16:34:47 -0700
changeset 217462 cd7100982c732c8d9f1ba138083491ccb4242754
parent 217461 5c3ac814a2873fd0b2218cc726820929781a06a2
child 217463 23226274b981ce16ab71875d05828da86307a76f
push id515
push userraliiev@mozilla.com
push dateMon, 06 Oct 2014 12:51:51 +0000
reviewerskeeler, sledru
bugs1042479
milestone33.0a2
Bug 1042479 - Accept the OIW sha1WithRSASignature OID. r=keeler, a=sledru
security/pkix/lib/pkixder.cpp
security/pkix/test/gtest/pkixder_pki_types_tests.cpp
--- a/security/pkix/lib/pkixder.cpp
+++ b/security/pkix/lib/pkixder.cpp
@@ -177,16 +177,25 @@ SignatureAlgorithmOIDValue(Input& algori
   };
 
   // RFC 3279 Section 2.2.1
   // python DottedOIDToCode.py sha-1WithRSAEncryption 1.2.840.113549.1.1.5
   static const uint8_t sha_1WithRSAEncryption[] = {
     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05
   };
 
+  // NIST Open Systems Environment (OSE) Implementor's Workshop (OIW)
+  // http://www.oiw.org/agreements/stable/12s-9412.txt (no longer works).
+  // http://www.imc.org/ietf-pkix/old-archive-97/msg01166.html
+  // We need to support this this non-PKIX OID for compatibility.
+  // python DottedOIDToCode.py sha1WithRSASignature 1.3.14.3.2.29
+  static const uint8_t sha1WithRSASignature[] = {
+    0x2b, 0x0e, 0x03, 0x02, 0x1d
+  };
+
   // RFC 3279 Section 2.2.2
   // python DottedOIDToCode.py id-dsa-with-sha1 1.2.840.10040.4.3
   static const uint8_t id_dsa_with_sha1[] = {
     0x2a, 0x86, 0x48, 0xce, 0x38, 0x04, 0x03
   };
 
   // RFC 3279 Section 2.2.3
   // python DottedOIDToCode.py ecdsa-with-SHA1 1.2.840.10045.4.1
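Review bot: The comment added above `sha1WithRSASignature` has a duplicated word ("this this") and opens with a URL it marks as dead, so it never states plainly what the OID is. I would lead with the fact, e.g. `// OIW sha1WithRSASignature (1.3.14.3.2.29): non-PKIX alias for RSA PKCS#1 v1.5 with SHA-1,` then `// accepted only for compatibility (bug 1042479).`, and keep the imc.org archive link as the reference. SignatureAlgorithmOIDValue starts and ends outside this hunk.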
@@ -220,16 +229,19 @@ SignatureAlgorithmOIDValue(Input& algori
   } else if (algorithmID.MatchRest(sha384WithRSAEncryption)) {
     algorithm = SignatureAlgorithm::rsa_pkcs1_with_sha384;
   } else if (algorithmID.MatchRest(sha512WithRSAEncryption)) {
     algorithm = SignatureAlgorithm::rsa_pkcs1_with_sha512;
   } else if (algorithmID.MatchRest(id_dsa_with_sha1)) {
     algorithm = SignatureAlgorithm::dsa_with_sha1;
   } else if (algorithmID.MatchRest(id_dsa_with_sha256)) {
     algorithm = SignatureAlgorithm::dsa_with_sha256;
+  } else if (algorithmID.MatchRest(sha1WithRSASignature)) {
+    // XXX(bug 1042479): recognize this old OID for compatibility.
+    algorithm = SignatureAlgorithm::rsa_pkcs1_with_sha1;
   } else {
     // Any MD5-based signature algorithm, or any unknown signature algorithm.
     return Fail(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
   }
 
   return Success;
 }
 
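Review bot: The new `sha1WithRSASignature` branch sits after the DSA branches and carries only an `XXX` marker, so it is easy to miss that a second OID now yields `rsa_pkcs1_with_sha1`. Placing it next to the `sha_1WithRSAEncryption` branch (presumably earlier in this chain, outside the hunk) would keep both SHA-1/RSA spellings together for whoever later restricts SHA-1. The comment would say more as `// Legacy OIW alias; maps to the same enum so SHA-1 policy covers both OIDs (bug 1042479).`. The function begins outside the hunk.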
--- a/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
+++ b/security/pkix/test/gtest/pkixder_pki_types_tests.cpp
@@ -357,20 +357,27 @@ static const AlgorithmIdentifierTestInfo
     13,
   },
   { SignatureAlgorithm::rsa_pkcs1_with_sha256,
     { 0x30, 0x0b, 0x06, 0x09,
       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b },
     13,
   },
   { SignatureAlgorithm::rsa_pkcs1_with_sha1,
+    // IETF Standard OID
     { 0x30, 0x0b, 0x06, 0x09,
       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05 },
     13,
   },
+  { SignatureAlgorithm::rsa_pkcs1_with_sha1,
+    // Legacy OIW OID (bug 1042479)
+    { 0x30, 0x07, 0x06, 0x05,
+      0x2b, 0x0e, 0x03, 0x02, 0x1d },
+    9,
+  },
 
   // DSA
   { SignatureAlgorithm::dsa_with_sha256,
     { 0x30, 0x0b, 0x06, 0x09,
       0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x03, 0x02 },
     13,
   },
   { SignatureAlgorithm::dsa_with_sha1,
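Review bot: The added table entry exercises the OIW OID only with the parameters field absent (`0x30, 0x07`, length 9). If the parser also accepts an explicit NULL parameter for the RSA algorithms, which is not visible in this hunk, a second entry with `0x05, 0x00` appended (`0x30, 0x09, ...`, length 11) would pin that path for the legacy OID as well. If it does not, a negative case would document the rejection. The table begins and continues outside the hunk.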