--- a/security/nss/lib/cryptohi/seckey.c
+++ b/security/nss/lib/cryptohi/seckey.c
@@ -320,21 +320,29 @@ seckey_UpdateCertPQGChain(CERTCertificat
if (count > CERT_MAX_CERT_CHAIN) {
return SECFailure;
}
oid = SECOID_FindOID(&subjectCert->subjectPublicKeyInfo.algorithm.algorithm);
if (oid != NULL) {
tag = oid->offset;
- /* Check if cert has a DSA public key. If not, return
- * success since no PQG params need to be updated. */
+ /* Check if cert has a DSA or EC public key. If not, return
+ * success since no PQG params need to be updated.
+ *
+ * Question: do we really need to do this for EC keys. They don't have
+ * PQG parameters, but they do have parameters. The question is does
+ * the child cert inherit thost parameters for EC from the parent, or
+ * do we always include those parameters in each cert.
+ */
if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
(tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+ (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
+ (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
(tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
(tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
(tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {
return SECSuccess;
}
} else {
return SECFailure; /* return failure if oid is NULL */
@@ -367,16 +375,18 @@ seckey_UpdateCertPQGChain(CERTCertificat
if (oid != NULL) {
tag = oid->offset;
/* Check if issuer cert has a DSA public key. If not,
* return failure. */
if ( (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
(tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
+ (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST) &&
+ (tag != SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST) &&
(tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) &&
(tag != SEC_OID_SDN702_DSA_SIGNATURE) &&
(tag != SEC_OID_ANSIX962_EC_PUBLIC_KEY) ) {
rv = SECFailure;
goto loser;
}
} else {
rv = SECFailure; /* return failure if oid is NULL */
@@ -995,17 +1005,17 @@ SECKEY_SignatureLen(const SECKEYPublicKe
unsigned char b0;
unsigned size;
switch (pubk->keyType) {
case rsaKey:
b0 = pubk->u.rsa.modulus.data[0];
return b0 ? pubk->u.rsa.modulus.len : pubk->u.rsa.modulus.len - 1;
case dsaKey:
- return DSA_SIGNATURE_LEN;
+ return pubk->u.dsa.params.subPrime.len * 2;
case ecKey:
/* Get the base point order length in bits and adjust */
size = SECKEY_ECParamsToBasePointOrderLen(
&pubk->u.ec.DEREncodedParams);
return ((size + 7)/8) * 2;
default:
break;
}