Skip to content

Commit

Permalink
Expose all supported signature algorithms list
Browse files Browse the repository at this point in the history
Follow-up to briansmith#187.

I agree to license my contributions to each file under the terms
given at the top of each file I changed.
  • Loading branch information
stepancheg committed Feb 17, 2021
1 parent 07306a6 commit ad9057d
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 20 deletions.
4 changes: 2 additions & 2 deletions src/lib.rs
Original file line number Diff line number Diff line change
Expand Up @@ -51,8 +51,8 @@ pub use {
error::Error,
name::{DnsNameRef, InvalidDnsNameError},
signed_data::{
SignatureAlgorithm, ECDSA_P256_SHA256, ECDSA_P256_SHA384, ECDSA_P384_SHA256,
ECDSA_P384_SHA384, ED25519,
SignatureAlgorithm, ALL_SIGNATURE_ALGORITHMS, ECDSA_P256_SHA256, ECDSA_P256_SHA384,
ECDSA_P384_SHA256, ECDSA_P384_SHA384, ED25519,
},
time::Time,
trust_anchor::{TLSClientTrustAnchors, TLSServerTrustAnchors, TrustAnchor},
Expand Down
19 changes: 19 additions & 0 deletions src/signed_data.rs
Original file line number Diff line number Diff line change
Expand Up @@ -373,6 +373,25 @@ const ED_25519: AlgorithmIdentifier = AlgorithmIdentifier {
asn1_id_value: untrusted::Input::from(include_bytes!("data/alg-ed25519.der")),
};

/// All signature algorithms supported by the webpki crate.
///
/// Note the list depends on whether `alloc` feature is on or off.
pub static ALL_SIGNATURE_ALGORITHMS: &[&SignatureAlgorithm] = &[
&ECDSA_P256_SHA256,
&ECDSA_P256_SHA384,
&ECDSA_P384_SHA256,
&ECDSA_P384_SHA384,
&ED25519,
#[cfg(feature = "alloc")]
&RSA_PKCS1_2048_8192_SHA256,
#[cfg(feature = "alloc")]
&RSA_PKCS1_2048_8192_SHA384,
#[cfg(feature = "alloc")]
&RSA_PKCS1_2048_8192_SHA512,
#[cfg(feature = "alloc")]
&RSA_PKCS1_3072_8192_SHA384,
];

#[cfg(test)]
mod tests {
use crate::{der, signed_data, Error};
Expand Down
25 changes: 7 additions & 18 deletions tests/integration.rs
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,6 @@
use core::convert::TryFrom;
extern crate webpki;

static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[
&webpki::ECDSA_P256_SHA256,
&webpki::ECDSA_P256_SHA384,
&webpki::ECDSA_P384_SHA256,
&webpki::ECDSA_P384_SHA384,
&webpki::ED25519,
#[cfg(feature = "alloc")]
&webpki::RSA_PKCS1_2048_8192_SHA256,
#[cfg(feature = "alloc")]
&webpki::RSA_PKCS1_2048_8192_SHA384,
#[cfg(feature = "alloc")]
&webpki::RSA_PKCS1_2048_8192_SHA512,
#[cfg(feature = "alloc")]
&webpki::RSA_PKCS1_3072_8192_SHA384,
];

/* Checks we can verify netflix's cert chain. This is notable
* because they're rooted at a Verisign v1 root. */
#[cfg(feature = "alloc")]
Expand All @@ -49,7 +33,12 @@ pub fn netflix() {
let cert = webpki::EndEntityCert::try_from(ee).unwrap();
assert_eq!(
Ok(()),
cert.verify_is_valid_tls_server_cert(ALL_SIGALGS, &anchors, &[inter], time)
cert.verify_is_valid_tls_server_cert(
webpki::ALL_SIGNATURE_ALGORITHMS,
&anchors,
&[inter],
time
)
);
}

Expand All @@ -67,7 +56,7 @@ pub fn ed25519() {
let cert = webpki::EndEntityCert::try_from(ee).unwrap();
assert_eq!(
Ok(()),
cert.verify_is_valid_tls_server_cert(ALL_SIGALGS, &anchors, &[], time)
cert.verify_is_valid_tls_server_cert(webpki::ALL_SIGNATURE_ALGORITHMS, &anchors, &[], time)
);
}

Expand Down

0 comments on commit ad9057d

Please sign in to comment.