Skip to content
This repository was archived by the owner on Apr 15, 2019. It is now read-only.

Commit

Permalink
Reject sha1 hash algo
Browse files Browse the repository at this point in the history
  • Loading branch information
@emersion
emersion committed Mar 11, 2019
1 parent 1eaa896 commit 1f1b0f7
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion verify.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ import (
"crypto"
"crypto/subtle"
"encoding/base64"
"fmt"
"io"
"io/ioutil"
"regexp"
Expand Down Expand Up @@ -243,7 +244,9 @@ func verify(h header, r io.Reader, sigField, sigValue string) (*Verification, er
var hash crypto.Hash
switch hashAlgo {
case "sha1":
hash = crypto.SHA1
// RFC 8301 section 3.1: rsa-sha1 MUST NOT be used for signing or
// verifying.
return verif, permFailError(fmt.Sprintf("hash algorithm too weak: %v", hashAlgo))
case "sha256":
hash = crypto.SHA256
default:
Expand Down

0 comments on commit 1f1b0f7

Please sign in to comment.