1*6777b538SAndroid Build Coastguard Worker // Copyright 2017 The Chromium Authors
2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker 
5*6777b538SAndroid Build Coastguard Worker #include "net/ssl/ssl_private_key.h"
6*6777b538SAndroid Build Coastguard Worker 
7*6777b538SAndroid Build Coastguard Worker #include "base/notreached.h"
8*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/evp.h"
9*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/ssl.h"
10*6777b538SAndroid Build Coastguard Worker 
11*6777b538SAndroid Build Coastguard Worker namespace net {
12*6777b538SAndroid Build Coastguard Worker 
// Returns the default TLS signature-algorithm preference list for a private
// key of the given BoringSSL key type (EVP_PKEY_RSA or EVP_PKEY_EC), most
// preferred first. `supports_pss` only matters for RSA keys: when true, the
// RSA-PSS algorithms are appended after the PKCS#1 v1.5 ones. Any other key
// type trips NOTIMPLEMENTED() and yields an empty list.
std::vector<uint16_t> SSLPrivateKey::DefaultAlgorithmPreferences(
    int type,
    bool supports_pss) {
  if (type == EVP_PKEY_EC) {
    return {
        SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_ECDSA_SECP384R1_SHA384,
        SSL_SIGN_ECDSA_SECP521R1_SHA512, SSL_SIGN_ECDSA_SHA1,
    };
  }

  if (type != EVP_PKEY_RSA) {
    NOTIMPLEMENTED();
    return {};
  }

  // RSA. Prefer the smaller SHA-2 hashes; SHA-256 is considered fine and is
  // the most likely to be supported by smartcards, etc. SHA-1 is listed only
  // as a last resort for servers that support no other hash.
  std::vector<uint16_t> preferences = {
      SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_RSA_PKCS1_SHA384,
      SSL_SIGN_RSA_PKCS1_SHA512, SSL_SIGN_RSA_PKCS1_SHA1,
  };

  // RSA-PSS goes after PKCS#1 so the more conservative option is used
  // preferentially. The platform API may support PSS while the key itself
  // does not; ideally the SSLPrivateKey would query this, but smartcards
  // often do not answer such queries well.
  if (supports_pss) {
    preferences.insert(preferences.end(),
                       {SSL_SIGN_RSA_PSS_SHA256, SSL_SIGN_RSA_PSS_SHA384,
                        SSL_SIGN_RSA_PSS_SHA512});
  }
  return preferences;
}
48*6777b538SAndroid Build Coastguard Worker 
49*6777b538SAndroid Build Coastguard Worker }  // namespace net