Enable MD5 certificate signatures at the right place in the

Disable MD5 certificate signatures if NSS is used to verify certificates.

This prepares us for NSS 3.14, which disables MD5 certificate signatures
by default.

Disable a unit test for NSS because all the test cases in that test are
invalid now.

[email protected]
BUG=151692
TEST=none

Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=168757

[wtc, 2012-11-14 23:54:44]

rsleevi: if you already have a CL for this problem, I'll
close this one. Thanks.

https://codereview.chromium.org/11365274/diff/1/crypto/nss_util.cc
File crypto/nss_util.cc (right):

https://codereview.chromium.org/11365274/diff/1/crypto/nss_util.cc#newcode513
crypto/nss_util.cc:513: NSS_SetAlgorithmPolicy(SEC_OID_MD5,
NSS_USE_ALG_IN_CERT_SIGNATURE, 0);

This code could be put inside
#if defined(USE_NSS) || defined(OS_IOS). I omitted that ifdef
for brevity.

Alternatively, we can move this code to the InitDefaultRootCerts()
function.

[Ryan Sleevi, 2012-11-15 01:55:00]

Do we really want to enable this?

Wouldn't it just be better to leave it disabled? The only reason for enabling it
seems to be for unit tests to test that it's disabled - and we could instead
just update those unit tests?

[wtc, 2012-11-20 00:02:50]

Please review patch set 3.

I wrote patch set 1 because I had to read that code to debug
the NSS_NoDB_Init failure and noticed that neither you nor I
had fixed the problem. I made the simple change that could
be tested quickly.

Patch set 3 is the proper fix. There are several ways to
deal with the "VerifyIntermediate, CertVerifyProcWeakDigestTest"
test for NSS. Please let me know if this is what you have in
mind. Thanks.

https://codereview.chromium.org/11365274/diff/11002/crypto/nss_util.cc
File crypto/nss_util.cc (right):

https://codereview.chromium.org/11365274/diff/11002/crypto/nss_util.cc#newcod...
crypto/nss_util.cc:514: 0, NSS_USE_ALG_IN_CERT_SIGNATURE);

See http://mxr.mozilla.org/mozilla-central/ident?i=NSS_SetAlgorithmPolicy
for examples of NSS_SetAlgorithmPolicy.

https://codereview.chromium.org/11365274/diff/11002/net/base/cert_verify_proc...
File net/base/cert_verify_proc_unittest.cc (right):

https://codereview.chromium.org/11365274/diff/11002/net/base/cert_verify_proc...
net/base/cert_verify_proc_unittest.cc:921: // in Chromium.

We now have a new reason to disable this unit test on NSS.
I didn't update the comment.

[Ryan Sleevi, 2012-11-20 00:17:51]

lgtm as a short-term

It's my fault for making (heavy) use of the #ifdefs. I think eventually we'll
need to refactor this test into something like

enum Type { Leaf, CA };
bool IsMD2Supported(Type type);
bool IsMD4Supported(Type type);
bool IsMD5Supported(Type type);

[or something like that - lots of ways to skin that cat]

For now, those would be #ifdef, but as we move CertVerifier away from being
compile-time to run-time, those methods could be updated to use the run-time
logic appropriate for the CertVerifier being tested.

But yeah, for now, LGTM.

[commit-bot: I haz the power, 2012-11-20 03:54:20]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/[email protected]/11365274/11002

[commit-bot: I haz the power, 2012-11-20 04:24:15]

Sorry for I got bad news for ya.
Compile failed with a clobber build on win.
http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=win&number...
Your code is likely broken or HEAD is junk. Please ensure your
code is not broken then alert the build sheriffs.
Look at the try server FAQ for more details.

[commit-bot: I haz the power, 2012-11-20 06:10:38]

CQ is trying da patch. Follow status at
https://chromium-status.appspot.com/cq/[email protected]/11365274/13006

[wtc, 2012-11-20 06:10:45]

http://codereview.chromium.org/11365274/diff/13006/crypto/nss_util.cc
File crypto/nss_util.cc (right):

http://codereview.chromium.org/11365274/diff/13006/crypto/nss_util.cc#newcode510
crypto/nss_util.cc:510: #if defined(USE_NSS) || defined(OS_IOS)

NSS_SetAlgorithmPolicy is not yet exported from crnss.dll
on Windows, so we get unresolved external symbol
_NSS_SetAlgorithmPolicy.

I put the NSS_SetAlgorithmPolicy calls inside an ifdef to
solve this problem.

[commit-bot: I haz the power, 2012-11-20 07:58:45]

Change committed as 168757