1 files changed, 21 insertions, 0 deletions

diff --git a/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
index 1d70a4d407..81bee33674 100644
--- a/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
+++ b/security/nss/gtests/mozpkix_gtest/pkixocsp_VerifyEncodedOCSPResponse.cpp
@@ -1,4 +1,5 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This code is made available to you under your choice of the following sets
  * of licensing terms:
  */
@@ -25,6 +26,8 @@
 
 #include "mozpkix/pkixder.h"
 
+#include "secoid.h"
+
 using namespace mozilla::pkix;
 using namespace mozilla::pkix::test;
 
@@ -337,6 +340,12 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful, unknown)
 TEST_F(pkixocsp_VerifyEncodedResponse_successful,
        good_unsupportedSignatureAlgorithm)
 {
+  PRUint32 policyMd5;
+  ASSERT_EQ(SECSuccess,NSS_GetAlgorithmPolicy(SEC_OID_MD5, &policyMd5));
+
+  /* our encode won't work if MD5 isn't allowed by policy */
+  ASSERT_EQ(SECSuccess,
+            NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_SIGNATURE, 0));
   ByteString responseString(
                CreateEncodedOCSPSuccessfulResponse(
                          OCSPResponseContext::good, *endEntityCertID, byKey,
@@ -346,6 +355,9 @@ TEST_F(pkixocsp_VerifyEncodedResponse_successful,
   Input response;
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
+  /* now restore the existing policy */
+  ASSERT_EQ(SECSuccess,
+           NSS_SetAlgorithmPolicy(SEC_OID_MD5, policyMd5, NSS_USE_ALG_IN_SIGNATURE));
   bool expired;
   ASSERT_EQ(Result::ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID,
@@ -929,14 +941,23 @@ TEST_F(pkixocsp_VerifyEncodedResponse_DelegatedResponder,
   // Note that the algorithm ID (md5WithRSAEncryption) identifies the signature
   // algorithm that will be used to sign the certificate that issues the OCSP
   // responses, not the responses themselves.
+  PRUint32 policyMd5;
+  ASSERT_EQ(SECSuccess,NSS_GetAlgorithmPolicy(SEC_OID_MD5, &policyMd5));
+
+  /* our encode won't work if MD5 isn't allowed by policy */
+  ASSERT_EQ(SECSuccess,
+            NSS_SetAlgorithmPolicy(SEC_OID_MD5, NSS_USE_ALG_IN_SIGNATURE, 0));
   ByteString responseString(
                CreateEncodedIndirectOCSPSuccessfulResponse(
                          "good_indirect_unsupportedSignatureAlgorithm",
                          OCSPResponseContext::good, byKey,
                          md5WithRSAEncryption()));
   Input response;
+  /* now restore the existing policy */
   ASSERT_EQ(Success,
             response.Init(responseString.data(), responseString.length()));
+  ASSERT_EQ(SECSuccess,
+            NSS_SetAlgorithmPolicy(SEC_OID_MD5, policyMd5, NSS_USE_ALG_IN_SIGNATURE));
   bool expired;
   ASSERT_EQ(Result::ERROR_OCSP_INVALID_SIGNING_CERT,
             VerifyEncodedOCSPResponse(trustDomain, *endEntityCertID, Now(),