1*6777b538SAndroid Build Coastguard Worker // Copyright 2017 The Chromium Authors
2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker
5*6777b538SAndroid Build Coastguard Worker #include "net/ssl/ssl_private_key.h"
6*6777b538SAndroid Build Coastguard Worker
7*6777b538SAndroid Build Coastguard Worker #include "base/notreached.h"
8*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/evp.h"
9*6777b538SAndroid Build Coastguard Worker #include "third_party/boringssl/src/include/openssl/ssl.h"
10*6777b538SAndroid Build Coastguard Worker
11*6777b538SAndroid Build Coastguard Worker namespace net {
12*6777b538SAndroid Build Coastguard Worker
std::vector<uint16_t> SSLPrivateKey::DefaultAlgorithmPreferences(
    int type,
    bool supports_pss) {
  // Builds the client's signature-algorithm preference list for a private key
  // of EVP_PKEY type `type`, most-preferred first. `supports_pss` says whether
  // the platform signing API can produce RSA-PSS signatures; it only matters
  // for RSA keys.
  //
  // Returns the ordered list of SSL_SIGN_* identifiers, or an empty list
  // (after NOTIMPLEMENTED()) for a key type this function does not handle.
  if (type == EVP_PKEY_EC) {
    // ECDSA: curve-matched SHA-2 hashes, with SHA-1 kept only as the final
    // fallback for peers that advertise nothing else.
    return {
        SSL_SIGN_ECDSA_SECP256R1_SHA256, SSL_SIGN_ECDSA_SECP384R1_SHA384,
        SSL_SIGN_ECDSA_SECP521R1_SHA512, SSL_SIGN_ECDSA_SHA1,
    };
  }

  if (type != EVP_PKEY_RSA) {
    NOTIMPLEMENTED();
    return {};
  }

  // RSA: PKCS#1 v1.5 first. SHA-256 leads because it is considered fine and is
  // the hash most likely to be supported by smartcards and similar tokens;
  // SHA-1 is last so it is used only if the peer supports no other hash.
  std::vector<uint16_t> preferences = {
      SSL_SIGN_RSA_PKCS1_SHA256, SSL_SIGN_RSA_PKCS1_SHA384,
      SSL_SIGN_RSA_PKCS1_SHA512, SSL_SIGN_RSA_PKCS1_SHA1,
  };

  if (supports_pss) {
    // RSA-PSS goes after every PKCS#1 entry so the more conservative option is
    // chosen first: the platform API may advertise PSS while the key itself
    // (e.g. on a smartcard) cannot perform it, and such keys rarely answer
    // capability queries reliably.
    preferences.insert(preferences.end(), {
                                               SSL_SIGN_RSA_PSS_SHA256,
                                               SSL_SIGN_RSA_PSS_SHA384,
                                               SSL_SIGN_RSA_PSS_SHA512,
                                           });
  }

  // NOTE(review): SHA-1 stays on both lists as a last resort. This function
  // does not see the peer's advertised algorithms, so whether SHA-1 is ever
  // selected is decided by the handshake layer, not here.
  return preferences;
}
48*6777b538SAndroid Build Coastguard Worker
49*6777b538SAndroid Build Coastguard Worker } // namespace net
50