diff options
author | Neal H. Walfield <neal@pep.foundation> | 2020-12-15 11:43:06 +0100 |
---|---|---|
committer | Neal H. Walfield <neal@pep.foundation> | 2020-12-15 12:01:22 +0100 |
commit | 2310819af54cf2849861675e6f5c8783c7d55608 (patch) | |
tree | 3f4de8c7dda5f5bf2a6f1e91746e5ff88e47cac7 /openpgp/src/cert.rs | |
parent | e6fb5aa0686830fdb6f57282fe489b81d6a856b9 (diff) |
openpgp: Extend StandardPolicy's hash policy API.
- A `Policy` now knows whether the use of a hash requires collision
resistance or only second pre-image resistance.
- Extend `StandardPolicy`'s hash policy API to allow a user to
express a more nuanced policy that takes this information into
account.
- See #595.
Diffstat (limited to 'openpgp/src/cert.rs')
-rw-r--r-- | openpgp/src/cert.rs | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/openpgp/src/cert.rs b/openpgp/src/cert.rs index e7eb32c3..bc32f0b6 100644 --- a/openpgp/src/cert.rs +++ b/openpgp/src/cert.rs @@ -3482,6 +3482,7 @@ mod test { use crate::policy::StandardPolicy as P; use crate::types::Curve; use crate::packet::signature; + use crate::policy::HashAlgoSecurity; use super::*; use crate::{ @@ -5322,10 +5323,13 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= #[test] fn canonicalize_with_v3_sig() -> Result<()> { // This test relies on being able to validate SHA-1 - // signatures. The standard policy reject SHA-1. So, use a + // signatures. The standard policy rejects SHA-1. So, use a // custom policy. let p = &P::new(); - let sha1 = p.hash_cutoff(HashAlgorithm::SHA1).unwrap(); + let sha1 = + p.hash_cutoff( + HashAlgorithm::SHA1, HashAlgoSecurity::CollisionResistance) + .unwrap(); let p = &P::at(sha1 - std::time::Duration::from_secs(1)); let cert = Cert::from_bytes( @@ -5657,8 +5661,9 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= Cert::from_bytes(crate::tests::key("peter-sha1-backsig.pgp"))?; let p = &crate::policy::NullPolicy::new(); assert_eq!(cert.with_policy(p, None)?.keys().for_signing().count(), 1); - let p = &crate::policy::StandardPolicy::new(); - assert_eq!(cert.with_policy(p, None)?.keys().for_signing().count(), 0); + let mut p = crate::policy::StandardPolicy::new(); + p.reject_hash(HashAlgorithm::SHA1); + assert_eq!(cert.with_policy(&p, None)?.keys().for_signing().count(), 0); Ok(()) } |