diff options
author | Jack Lloyd <[email protected]> | 2016-08-13 11:13:49 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-08-13 11:13:49 -0400 |
commit | e29024608fca1b811aa72a7aafd930a42740b968 (patch) | |
tree | 729cadf57f8418af74c4abf9ec653f05c27d0774 /src/lib/tls/msg_cert_verify.cpp | |
parent | 7dd73a96bbea879a6d7107bf4b23a44ba527a134 (diff) |
Address some issues with PR 492
Adds copyright notices for Juraj Somorovsky and Christian Mainka of Hackmanit
for the changes in 7c7fcecbe6a and 6d327f879c
Add Policy::check_peer_key_acceptable which lets the app set an arbitrary
callback for examining keys - both the end entity signature keys from
certificates and the peer PFS public keys. Default impl checks that the
algorithm size matches the min keylength. This centralizes this logic
and lets the application do interesting things.
Adds a policy for ECDSA group size checks.
Increases default policy minimums to 2048 RSA and 256 ECC.
(Maybe I'm an optimist after all.)
Diffstat (limited to 'src/lib/tls/msg_cert_verify.cpp')
-rw-r--r-- | src/lib/tls/msg_cert_verify.cpp | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/lib/tls/msg_cert_verify.cpp b/src/lib/tls/msg_cert_verify.cpp index 2598255eb..6b59e703f 100644 --- a/src/lib/tls/msg_cert_verify.cpp +++ b/src/lib/tls/msg_cert_verify.cpp @@ -82,6 +82,8 @@ bool Certificate_Verify::verify(const X509_Certificate& cert, { std::unique_ptr<Public_Key> key(cert.subject_public_key()); + policy.check_peer_key_acceptable(*key); + std::pair<std::string, Signature_Format> format = state.parse_sig_format(*key.get(), m_hash_algo, m_sig_algo, true, policy); |