Security-57740.1.18.tar.gz
[apple/security.git] / libsecurity_smime / lib / cmssiginfo.c
index 3ae7c0f319f0e26446f656c8b55706c27fb0590d..296c17ea45319b640cb2001fd3340d684ae460c2 100644 (file)
@@ -329,6 +329,8 @@ SecCmsSignerInfoSign(SecCmsSignerInfoRef signerinfo, SecAsn1Item * digest, SecAs
 
     poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
 
+    SecAsn1AlgId _algID;
+
     switch (signerinfo->signerIdentifier.identifierType) {
     case SecCmsSignerIDIssuerSN:
         privkey = signerinfo->signingKey;
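Review bot: `SecAsn1AlgId _algID;` is hoisted to function scope with no initialiser and no comment explaining why, and the reason cannot be seen from this hunk alone. The next hunk stores `algID = &_algID`, and the third hunk reads it after the switch through `SECOID_GetAlgorithmTag(algID)`, so the storage has to outlive the case block. A one-line comment such as `/* function scope: algID may point here and is read after the switch */` would stop a later cleanup from moving the declaration back into the case. Writing it as `SecAsn1AlgId _algID = {0};` would also give it a defined value on the preprocessor branch that never assigns it. The body of SecCmsSignerInfoSign starts and ends outside this hunk.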
@@ -340,7 +342,7 @@ SecCmsSignerInfoSign(SecCmsSignerInfoRef signerinfo, SecAsn1Item * digest, SecAs
            goto loser;
         }
 #else
-        SecAsn1AlgId _algID = SecCertificateGetPublicKeyAlgorithmID(cert);
+        _algID = SecCertificateGetPublicKeyAlgorithmID(cert);
         algID = &_algID;
 #endif
         break;
@@ -371,6 +373,13 @@ SecCmsSignerInfoSign(SecCmsSignerInfoRef signerinfo, SecAsn1Item * digest, SecAs
     }
     digestalgtag = SecCmsSignerInfoGetDigestAlgTag(signerinfo);
     pubkAlgTag = SECOID_GetAlgorithmTag(algID);
+
+    /* we no longer support signing with MD5 */
+    if (digestalgtag == SEC_OID_MD5) {
+        PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+        goto loser;
+    }
+
 #if USE_CDSA_CRYPTO
     if (signerinfo->signerIdentifier.identifierType == SecCmsSignerIDSubjectKeyID) {
       SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE);
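Review bot: The new `goto loser` in the MD5 check runs before the `SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE)` call that follows under `USE_CDSA_CRYPTO`. On the SubjectKeyID path the rejection may therefore leave `freeAlgID`, and whatever the switch acquired, unreleased unless the `loser` label cleans them up; that label is outside this hunk. Since `digestalgtag` depends only on `signerinfo`, the lookup and the check could move above the switch so nothing has been acquired when signing is refused. The test is also a one-entry denylist: if SecCmsSignerInfoGetDigestAlgTag can still return other legacy digests, `if (digestalgtag == SEC_OID_MD5 || digestalgtag == SEC_OID_MD2 || digestalgtag == SEC_OID_MD4)` or an allowlist of accepted digest tags would cover them.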