[Emacs-diffs] master 3e7692f: Make the intermediary-sha1 check work

[Lars Ingebrigtsen]

branch: master
commit 3e7692f07d9e90f495ff4104cf1320954398c9fa
Author: Lars Ingebrigtsen <address@hidden>
Commit: Lars Ingebrigtsen <address@hidden>

    Make the intermediary-sha1 check work
    
    * lisp/net/nsm.el (nsm-protocol-check--intermediary-sha1): Make
    the "skip the root cert" logic work (suggested by Noam Postavsky).
---
 lisp/net/nsm.el | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 2c4f8bf..146d0d5 100644
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -256,13 +256,14 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
          host port signature-algorithm))))
 
 (defun nsm-protocol-check--intermediary-sha1 (host port status _)
-  ;; We want to check all intermediary certificates, so we skip the
-  ;; first, reverse the list and then skip the first again, so we miss
-  ;; the first and final certificates in the chain.
-  (cl-loop for certificate in (cdr (reverse
-                                    (cdr (plist-get status :certificates))))
+  ;; Skip the first certificate, because that's the host certificate.
+  (cl-loop for certificate in (cdr (plist-get status :certificates))
            for algo = (plist-get certificate :signature-algorithm)
-           when (and (string-match "\\bSHA1\\b" algo)
+           ;; Don't check root certificates -- SHA1 isn't dangerous
+           ;; there.
+           when (and (not (equal (plist-get certificate :issuer)
+                                 (plist-get certificate :subject)))
+                     (string-match "\\bSHA1\\b" algo)
                      (not (nsm-query
                            host port status :signature-sha1
                            "An intermediary certificate used to verify the 
connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be 
unsafe."