diff --git a/webrtc/base/nssidentity.cc b/webrtc/base/nssidentity.cc index b34ce1dbbd..bbcc73e675 100644 --- a/webrtc/base/nssidentity.cc +++ b/webrtc/base/nssidentity.cc @@ -406,7 +406,7 @@ NSSIdentity* NSSIdentity::GenerateInternal(const SSLIdentityParams& params) { arena = certificate->arena; rv = SECOID_SetAlgorithmID(arena, &certificate->signature, - SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION, NULL); + SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION, NULL); if (rv != SECSuccess) goto fail; @@ -420,7 +420,7 @@ NSSIdentity* NSSIdentity::GenerateInternal(const SSLIdentityParams& params) { rv = SEC_DerSignData(arena, &signed_cert, inner_der.data, inner_der.len, keypair->privkey(), - SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION); + SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION); if (rv != SECSuccess) { LOG(LS_ERROR) << "Couldn't sign certificate"; goto fail; diff --git a/webrtc/base/opensslidentity.cc b/webrtc/base/opensslidentity.cc index 7dc14fc477..9daad9baa5 100644 --- a/webrtc/base/opensslidentity.cc +++ b/webrtc/base/opensslidentity.cc @@ -112,7 +112,7 @@ static X509* MakeCertificate(EVP_PKEY* pkey, const SSLIdentityParams& params) { !X509_gmtime_adj(X509_get_notAfter(x509), params.not_after)) goto error; - if (!X509_sign(x509, pkey, EVP_sha1())) + if (!X509_sign(x509, pkey, EVP_sha256())) goto error; BN_free(serial_number); diff --git a/webrtc/base/sslidentity_unittest.cc b/webrtc/base/sslidentity_unittest.cc index 3f756ef895..fd75411428 100644 --- a/webrtc/base/sslidentity_unittest.cc +++ b/webrtc/base/sslidentity_unittest.cc @@ -60,13 +60,13 @@ class SSLIdentityTest : public testing::Test { void TestGetSignatureDigestAlgorithm() { std::string digest_algorithm; // Both NSSIdentity::Generate and OpenSSLIdentity::Generate are - // hard-coded to generate RSA-SHA1 certificates. + // hard-coded to generate RSA-SHA256 certificates. ASSERT_TRUE(identity1_->certificate().GetSignatureDigestAlgorithm( &digest_algorithm)); - ASSERT_EQ(rtc::DIGEST_SHA_1, digest_algorithm); + ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); ASSERT_TRUE(identity2_->certificate().GetSignatureDigestAlgorithm( &digest_algorithm)); - ASSERT_EQ(rtc::DIGEST_SHA_1, digest_algorithm); + ASSERT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); // The test certificate has an MD5-based signature. ASSERT_TRUE(test_cert_->GetSignatureDigestAlgorithm(&digest_algorithm)); diff --git a/webrtc/p2p/base/dtlstransportchannel_unittest.cc b/webrtc/p2p/base/dtlstransportchannel_unittest.cc index f3086bb3a0..acb9d09a35 100644 --- a/webrtc/p2p/base/dtlstransportchannel_unittest.cc +++ b/webrtc/p2p/base/dtlstransportchannel_unittest.cc @@ -126,14 +126,24 @@ class DtlsTestClient : public sigslot::has_slots<> { rtc::scoped_ptr local_fingerprint; rtc::scoped_ptr remote_fingerprint; if (local_identity) { + std::string digest_algorithm; + ASSERT_TRUE(local_identity->certificate().GetSignatureDigestAlgorithm( + &digest_algorithm)); + ASSERT_FALSE(digest_algorithm.empty()); local_fingerprint.reset(rtc::SSLFingerprint::Create( - rtc::DIGEST_SHA_1, local_identity)); + digest_algorithm, local_identity)); ASSERT_TRUE(local_fingerprint.get() != NULL); + EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); } if (remote_identity) { + std::string digest_algorithm; + ASSERT_TRUE(remote_identity->certificate().GetSignatureDigestAlgorithm( + &digest_algorithm)); + ASSERT_FALSE(digest_algorithm.empty()); remote_fingerprint.reset(rtc::SSLFingerprint::Create( - rtc::DIGEST_SHA_1, remote_identity)); + digest_algorithm, remote_identity)); ASSERT_TRUE(remote_fingerprint.get() != NULL); + EXPECT_EQ(rtc::DIGEST_SHA_256, digest_algorithm); } if (use_dtls_srtp_ && !(flags & NF_REOFFER)) {