From f2f2f13811f802d6b08405b8c2dbbed17ab68bf5 Mon Sep 17 00:00:00 2001 From: Brian Smith Date: Wed, 23 Jan 2019 10:42:11 -1000 Subject: [PATCH] Revert "Revert "Remove support for SHA-1."" This reverts commit db0c6cbd1e9404d1e325cb023b529b5542cf1b0e, i.e. it removes SHA-1 support again. --- src/data/alg-rsa-pkcs1-sha1.der | Bin 13 -> 0 bytes src/signed_data.rs | 25 +++---------------------- src/webpki.rs | 1 - tests/integration.rs | 1 - 4 files changed, 3 insertions(+), 24 deletions(-) delete mode 100644 src/data/alg-rsa-pkcs1-sha1.der diff --git a/src/data/alg-rsa-pkcs1-sha1.der b/src/data/alg-rsa-pkcs1-sha1.der deleted file mode 100644 index 56eb06c635bb36ac49d71ebc38ac47d20cc6bc38..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13 UcmZSM)N1o+`_9YA$jZt902R6do&W#< diff --git a/src/signed_data.rs b/src/signed_data.rs index de5093d..47617f8 100644 --- a/src/signed_data.rs +++ b/src/signed_data.rs @@ -204,14 +204,6 @@ pub static ECDSA_P384_SHA384: SignatureAlgorithm = SignatureAlgorithm { verification_alg: &signature::ECDSA_P384_SHA384_ASN1, }; -/// RSA PKCS#1 1.5 signatures using SHA-1 for keys of 2048-8192 bits. -/// Deprecated. -pub static RSA_PKCS1_2048_8192_SHA1: SignatureAlgorithm = SignatureAlgorithm { - public_key_alg_id: RSA_ENCRYPTION, - signature_alg_id: RSA_PKCS1_SHA1, - verification_alg: &signature::RSA_PKCS1_2048_8192_SHA1, -}; - /// RSA PKCS#1 1.5 signatures using SHA-256 for keys of 2048-8192 bits. pub static RSA_PKCS1_2048_8192_SHA256: SignatureAlgorithm = SignatureAlgorithm { public_key_alg_id: RSA_ENCRYPTION, 
@@ -307,10 +299,6 @@ const RSA_ENCRYPTION: AlgorithmIdentifier = AlgorithmIdentifier { asn1_id_value: include_bytes!("data/alg-rsa-encryption.der"), }; -const RSA_PKCS1_SHA1: AlgorithmIdentifier = AlgorithmIdentifier { - asn1_id_value: include_bytes!("data/alg-rsa-pkcs1-sha1.der"), -}; - const RSA_PKCS1_SHA256: AlgorithmIdentifier = AlgorithmIdentifier { asn1_id_value: include_bytes!("data/alg-rsa-pkcs1-sha256.der"), }; @@ -490,20 +478,16 @@ mod tests { Error::BadDER); test_verify_signed_data!(test_rsa_pkcs1_sha1_key_params_absent, "rsa-pkcs1-sha1-key-params-absent.pem", - Err(Error::UnsupportedSignatureAlgorithmForPublicKey)); + Err(Error::UnsupportedSignatureAlgorithm)); test_verify_signed_data!( test_rsa_pkcs1_sha1_using_pss_key_no_params, "rsa-pkcs1-sha1-using-pss-key-no-params.pem", - Err(Error::UnsupportedSignatureAlgorithmForPublicKey)); + Err(Error::UnsupportedSignatureAlgorithm)); test_verify_signed_data!(test_rsa_pkcs1_sha1_wrong_algorithm, "rsa-pkcs1-sha1-wrong-algorithm.pem", Err(Error::InvalidSignatureForPublicKey)); - // XXX: RSA PKCS#1 with SHA-1 is a supported algorithm, but we only accept - // 2048-8192 bit keys, and this test file is using a 1024 bit key. Thus, - // our results differ from Chromium's. TODO: this means we need a 2048+ bit - // version of this test. test_verify_signed_data!(test_rsa_pkcs1_sha1, "rsa-pkcs1-sha1.pem", - Err(Error::InvalidSignatureForPublicKey)); + Err(Error::UnsupportedSignatureAlgorithm)); // XXX: RSA PKCS#1 with SHA-1 is a supported algorithm, but we only accept // 2048-8192 bit keys, and this test file is using a 1024 bit key. Thus, // our results differ from Chromium's. TODO: this means we need a 2048+ bit @@ -652,8 +636,5 @@ mod tests { // they are nonsensical combinations. &signed_data::ECDSA_P256_SHA384, // Truncates digest. &signed_data::ECDSA_P384_SHA256, // Digest is unnecessarily short. - - // Algorithms deprecated because they are bad. - &signed_data::RSA_PKCS1_2048_8192_SHA1, // SHA-1 ]; } 
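Review bot: The XXX comment left as trailing context at the end of the `@@ -490,20 +478,16 @@` hunk in src/signed_data.rs still reads "RSA PKCS#1 with SHA-1 is a supported algorithm", which is no longer true once this commit lands. The identical comment above `test_rsa_pkcs1_sha1` is removed here, but this second copy is kept. The test it annotates starts outside the hunk, so whether its expected error also needs updating cannot be judged from these lines. The comment should at least drop the SHA-1 claim, for example by opening with `// XXX: we only accept 2048-8192 bit keys, and this test file is using a 1024 bit key. Thus,`. Someone auditing which signature algorithms the verifier accepts could otherwise read the stale text as saying SHA-1 signatures still verify.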
diff --git a/src/webpki.rs b/src/webpki.rs
index 9095a23..00fa266 100644
--- a/src/webpki.rs
+++ b/src/webpki.rs
@@ -87,7 +87,6 @@ pub use signed_data::{
 ECDSA_P256_SHA384,
 ECDSA_P384_SHA256,
 ECDSA_P384_SHA384,
- RSA_PKCS1_2048_8192_SHA1,
 RSA_PKCS1_2048_8192_SHA256,
 RSA_PKCS1_2048_8192_SHA384,
 RSA_PKCS1_2048_8192_SHA512,
diff --git a/tests/integration.rs b/tests/integration.rs
index 8dc919b..ea3837c 100644
--- a/tests/integration.rs
+++ b/tests/integration.rs
@@ -46,7 +46,6 @@ static ALL_SIGALGS: &'static [&'static webpki::SignatureAlgorithm] = &[
 &webpki::ECDSA_P256_SHA384,
 &webpki::ECDSA_P384_SHA256,
 &webpki::ECDSA_P384_SHA384,
- &webpki::RSA_PKCS1_2048_8192_SHA1,
 &webpki::RSA_PKCS1_2048_8192_SHA256,
 &webpki::RSA_PKCS1_2048_8192_SHA384,
 &webpki::RSA_PKCS1_2048_8192_SHA512,