1 // Copyright 2017 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/ssl/ssl_private_key.h"
6
7 #include "base/notreached.h"
8 #include "third_party/boringssl/src/include/openssl/evp.h"
9 #include "third_party/boringssl/src/include/openssl/ssl.h"
10
11 namespace net {
12
DefaultAlgorithmPreferences(int type,bool supports_pss)13 std::vector<uint16_t> SSLPrivateKey::DefaultAlgorithmPreferences(
14 int type,
15 bool supports_pss) {
16 switch (type) {
17 case EVP_PKEY_RSA:
18 if (supports_pss) {
19 return {
20 // Only SHA-1 if the server supports no other hashes, but otherwise
21 // prefer smaller SHA-2 hashes. SHA-256 is considered fine and more
22 // likely to be supported by smartcards, etc.
23 SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_RSA_PKCS1_SHA384,
24 SSL_SIGN_RSA_PKCS1_SHA512, SSL_SIGN_RSA_PKCS1_SHA1,
25
26 // Order PSS last so we preferentially use the more conservative
27 // option. While the platform APIs may support RSA-PSS, the key may
28 // not. Ideally the SSLPrivateKey would query this, but smartcards
29 // often do not support such queries well.
30 SSL_SIGN_RSA_PSS_SHA256, SSL_SIGN_RSA_PSS_SHA384,
31 SSL_SIGN_RSA_PSS_SHA512,
32 };
33 }
34 return {
35 SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_RSA_PKCS1_SHA384,
36 SSL_SIGN_RSA_PKCS1_SHA512, SSL_SIGN_RSA_PKCS1_SHA1,
37 };
38 case EVP_PKEY_EC:
39 return {
40 SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_ECDSA_SECP384R1_SHA384,
41 SSL_SIGN_ECDSA_SECP521R1_SHA512, SSL_SIGN_ECDSA_SHA1,
42 };
43 default:
44 NOTIMPLEMENTED();
45 return {};
46 };
47 }
48
49 } // namespace net
50