Diffstat (limited to 'chromium/net/cert/x509_util_nss.cc')
-rw-r--r--chromium/net/cert/x509_util_nss.cc22
1 files changed, 18 insertions, 4 deletions
diff --git a/chromium/net/cert/x509_util_nss.cc b/chromium/net/cert/x509_util_nss.cc
index f8fbd6feda9..67ad467f5c5 100644
--- a/chromium/net/cert/x509_util_nss.cc
+++ b/chromium/net/cert/x509_util_nss.cc
@@ -134,6 +134,16 @@ CERTCertificate* CreateCertificate(
return cert;
}
+SECOidTag ToSECOid(x509_util::DigestAlgorithm alg) {
+ switch (alg) {
+ case x509_util::DIGEST_SHA1:
+ return SEC_OID_SHA1;
+ case x509_util::DIGEST_SHA256:
+ return SEC_OID_SHA256;
+ }
+ return SEC_OID_UNKNOWN;
+}
+
// Signs a certificate object, with |key| generating a new X509Certificate
// and destroying the passed certificate object (even when NULL is returned).
// The logic of this method references SignCert() in NSS utility certutil:
@@ -142,11 +152,12 @@ CERTCertificate* CreateCertificate(
// certificate signing process.
bool SignCertificate(
CERTCertificate* cert,
- SECKEYPrivateKey* key) {
+ SECKEYPrivateKey* key,
+ SECOidTag hash_algorithm) {
// |arena| is used to encode the cert.
PLArenaPool* arena = cert->arena;
SECOidTag algo_id = SEC_GetSignatureAlgorithmOidTag(key->keyType,
- SEC_OID_SHA1);
+ hash_algorithm);
if (algo_id == SEC_OID_UNKNOWN)
return false;
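Review bot: The new `hash_algorithm` parameter of SignCertificate is undocumented; the header comment that precedes the signature (it starts in the previous hunk) still describes only |key|. I would extend it with `// |hash_algorithm| is the NSS OID of the digest to pair with |key|'s key type. SEC_OID_UNKNOWN (e.g. an unmapped DigestAlgorithm) makes this return false.` That sentence assumes SEC_GetSignatureAlgorithmOidTag answers SEC_OID_UNKNOWN for an unrecognised key/digest pairing, which the existing `if (algo_id == SEC_OID_UNKNOWN)` check relies on but which is not visible here, so confirm before committing to it. SignCertificate's body continues past the end of the hunk.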
@@ -240,12 +251,14 @@ CERTName* CreateCertNameFromEncoded(PLArenaPool* arena,
namespace x509_util {
bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
+ DigestAlgorithm alg,
const std::string& subject,
uint32 serial_number,
base::Time not_valid_before,
base::Time not_valid_after,
std::string* der_cert) {
DCHECK(key);
+ DCHECK(!strncmp(subject.c_str(), "CN=", 3U));
CERTCertificate* cert = CreateCertificate(key->public_key(),
subject,
serial_number,
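Review bot: The added `DCHECK(!strncmp(subject.c_str(), "CN=", 3U))` only fires in debug builds, so in a release build a subject without the "CN=" prefix goes straight into CreateCertificate; unless that function rejects it itself (its body is outside this diff), the precondition is enforced nowhere in shipping code, and a hard `if (subject.compare(0, 3, "CN=") != 0) return false;` or a check inside CreateCertificate would be the safer form. The call to strncmp also needs <cstring> (or <string.h>) to be included in this file, which the diff does not show, and `subject.compare(0, 3, "CN=") == 0` expresses the same test on the std::string without dropping to the C call. The check is unrelated to the digest-algorithm change this commit makes, which would be worth a sentence in the commit message. CreateSelfSignedCert continues past the end of the hunk.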
@@ -254,7 +267,7 @@ bool CreateSelfSignedCert(crypto::RSAPrivateKey* key,
if (!cert)
return false;
- if (!SignCertificate(cert, key->key())) {
+ if (!SignCertificate(cert, key->key(), ToSECOid(alg))) {
CERT_DestroyCertificate(cert);
return false;
}
@@ -279,6 +292,7 @@ bool IsSupportedValidityRange(base::Time not_valid_before,
}
bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key,
+ DigestAlgorithm alg,
const std::string& domain,
uint32 serial_number,
base::Time not_valid_before,
@@ -340,7 +354,7 @@ bool CreateDomainBoundCertEC(crypto::ECPrivateKey* key,
return false;
}
- if (!SignCertificate(cert, key->key())) {
+ if (!SignCertificate(cert, key->key(), ToSECOid(alg))) {
CERT_DestroyCertificate(cert);
return false;
}