Add helper to create signature digest.

davidlehn · davidlehn · commit 2fb9995d7836 · 2022-01-07T13:26:48.000-05:00
- Reduce duplicate code.
- Fix style nit.
- Update changelog.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,16 @@ Forge ChangeLog
 - [x509] 'Expected' and 'Actual' issuers were backwards in verification failure
   message.
 
+### Added
+- [oid,x509]: Added OID `1.3.14.3.2.29 / sha1WithRSASignature` for sha1 with
+  RSA. Considered a deprecated equivalent to `1.2.840.113549.1.1.5 /
+  sha1WithRSAEncryption`. See [discussion and
+  links](https://github.com/digitalbazaar/forge/issues/825).
+
+### Changed
+- [x509]: Reduce duplicate code with a helper function to create a signature
+  digest given an signature algorithm OID.
+
 ## 1.1.0 - 2022-01-06
 
 ### Fixed
diff --git a/lib/x509.js b/lib/x509.js
@@ -689,6 +689,44 @@ var _readSignatureParameters = function(oid, obj, fillDefaults) {
   return params;
 };
 
+/**
+ * Create signature digest for OID.
+ *
+ * @param options
+ *   signatureOid: the OID specifying the signature algorithm.
+ *   type: a human readable type for error messages
+ * @return a created md instance. throws if unknown oid.
+ */
+var _createSignatureDigest = function(options) {
+  switch(oids[options.signatureOid]) {
+    case 'sha1WithRSAEncryption':
+    case 'sha1WithRSASignature':
+      return forge.md.sha1.create();
+      break;
+    case 'md5WithRSAEncryption':
+      return forge.md.md5.create();
+      break;
+    case 'sha256WithRSAEncryption':
+      return forge.md.sha256.create();
+      break;
+    case 'sha384WithRSAEncryption':
+      return forge.md.sha384.create();
+      break;
+    case 'sha512WithRSAEncryption':
+      return forge.md.sha512.create();
+      break;
+    case 'RSASSA-PSS':
+      return forge.md.sha256.create();
+      break;
+    default:
+      var error = new Error(
+        'Could not compute ' + options.type + ' digest. ' +
+        'Unknown signature OID.');
+      error.signatureOid = options.signatureOid;
+      throw error;
+  }
+};
+
 /**
  * Converts an X.509 certificate from PEM format.
  *
@@ -1076,37 +1114,11 @@ pki.createCertificate = function() {
 
     var md = child.md;
     if(md === null) {
-      // check signature OID for supported signature types
-      if(child.signatureOid in oids) {
-        var oid = oids[child.signatureOid];
-        switch(oid) {
-          case 'sha1WithRSAEncryption':
-          case 'sha1WithRSASignature':
-              md = forge.md.sha1.create();
-              break;
-          case 'md5WithRSAEncryption':
-            md = forge.md.md5.create();
-            break;
-          case 'sha256WithRSAEncryption':
-            md = forge.md.sha256.create();
-            break;
-          case 'sha384WithRSAEncryption':
-            md = forge.md.sha384.create();
-            break;
-          case 'sha512WithRSAEncryption':
-            md = forge.md.sha512.create();
-            break;
-          case 'RSASSA-PSS':
-            md = forge.md.sha256.create();
-            break;
-        }
-      }
-      if(md === null) {
-        var error = new Error('Could not compute certificate digest. ' +
-          'Unknown signature OID.');
-        error.signatureOid = child.signatureOid;
-        throw error;
-      }
+      // create digest for OID signature types
+      md = _createSignatureDigest({
+        signatureOid: child.signatureOid,
+        type: 'certificate'
+      });
 
       // produce DER formatted TBSCertificate and digest it
       var tbsCertificate = child.tbsCertificate || pki.getTBSCertificate(child);
@@ -1120,8 +1132,8 @@ pki.createCertificate = function() {
       switch(child.signatureOid) {
         case oids.sha1WithRSAEncryption:
         case oids.sha1WithRSASignature:
-            scheme = undefined; /* use PKCS#1 v1.5 padding scheme */
-            break;
+          scheme = undefined; /* use PKCS#1 v1.5 padding scheme */
+          break;
         case oids['RSASSA-PSS']:
           var hash, mgf;
 
@@ -1335,38 +1347,11 @@ pki.certificateFromAsn1 = function(obj, computeHash) {
   cert.tbsCertificate = capture.tbsCertificate;
 
   if(computeHash) {
-    // check signature OID for supported signature types
-    cert.md = null;
-    if(cert.signatureOid in oids) {
-      var oid = oids[cert.signatureOid];
-      switch(oid) {
-        case 'sha1WithRSAEncryption':
-        case 'sha1WithRSASignature':
-            cert.md = forge.md.sha1.create();
-            break;
-        case 'md5WithRSAEncryption':
-          cert.md = forge.md.md5.create();
-          break;
-        case 'sha256WithRSAEncryption':
-          cert.md = forge.md.sha256.create();
-          break;
-        case 'sha384WithRSAEncryption':
-          cert.md = forge.md.sha384.create();
-          break;
-        case 'sha512WithRSAEncryption':
-          cert.md = forge.md.sha512.create();
-          break;
-        case 'RSASSA-PSS':
-          cert.md = forge.md.sha256.create();
-          break;
-      }
-    }
-    if(cert.md === null) {
-      var error = new Error('Could not compute certificate digest. ' +
-        'Unknown signature OID.');
-      error.signatureOid = cert.signatureOid;
-      throw error;
-    }
+    // create digest for OID signature type
+    cert.md = _createSignatureDigest({
+      signatureOid: cert.signatureOid,
+      type: 'certificate'
+    });
 
     // produce DER formatted TBSCertificate and digest it
     var bytes = asn1.toDer(cert.tbsCertificate);
@@ -1684,38 +1669,11 @@ pki.certificationRequestFromAsn1 = function(obj, computeHash) {
   csr.certificationRequestInfo = capture.certificationRequestInfo;
 
   if(computeHash) {
-    // check signature OID for supported signature types
-    csr.md = null;
-    if(csr.signatureOid in oids) {
-      var oid = oids[csr.signatureOid];
-      switch(oid) {
-        case 'sha1WithRSAEncryption':
-        case 'sha1WithRSASignature':
-          csr.md = forge.md.sha1.create();
-          break;
-        case 'md5WithRSAEncryption':
-          csr.md = forge.md.md5.create();
-          break;
-        case 'sha256WithRSAEncryption':
-          csr.md = forge.md.sha256.create();
-          break;
-        case 'sha384WithRSAEncryption':
-          csr.md = forge.md.sha384.create();
-          break;
-        case 'sha512WithRSAEncryption':
-          csr.md = forge.md.sha512.create();
-          break;
-        case 'RSASSA-PSS':
-          csr.md = forge.md.sha256.create();
-          break;
-      }
-    }
-    if(csr.md === null) {
-      var error = new Error('Could not compute certification request digest. ' +
-        'Unknown signature OID.');
-      error.signatureOid = csr.signatureOid;
-      throw error;
-    }
+    // create digest for OID signature type
+    csr.md = _createSignatureDigest({
+      signatureOid: csr.signatureOid,
+      type: 'certification request'
+    });
 
     // produce DER formatted CertificationRequestInfo and digest it
     var bytes = asn1.toDer(csr.certificationRequestInfo);
@@ -1855,39 +1813,10 @@ pki.createCertificationRequest = function() {
 
     var md = csr.md;
     if(md === null) {
-      // check signature OID for supported signature types
-      if(csr.signatureOid in oids) {
-        // TODO: create DRY `OID to md` function
-        var oid = oids[csr.signatureOid];
-        switch(oid) {
-          case 'sha1WithRSAEncryption':
-          case 'sha1WithRSASignature':
-            md = forge.md.sha1.create();
-            break;
-          case 'md5WithRSAEncryption':
-            md = forge.md.md5.create();
-            break;
-          case 'sha256WithRSAEncryption':
-            md = forge.md.sha256.create();
-            break;
-          case 'sha384WithRSAEncryption':
-            md = forge.md.sha384.create();
-            break;
-          case 'sha512WithRSAEncryption':
-            md = forge.md.sha512.create();
-            break;
-          case 'RSASSA-PSS':
-            md = forge.md.sha256.create();
-            break;
-        }
-      }
-      if(md === null) {
-        var error = new Error(
-          'Could not compute certification request digest. ' +
-          'Unknown signature OID.');
-        error.signatureOid = csr.signatureOid;
-        throw error;
-      }
+      md = _createSignatureDigest({
+        signatureOid: csr.signatureOid,
+        type: 'certification request'
+      });
 
       // produce DER formatted CertificationRequestInfo and digest it
       var cri = csr.certificationRequestInfo ||
