Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

Weijun Wang at
Mon Mar 12 11:39:51 UTC 2018

I put "SHA-1" in a DisabledAlgorithmConstraints; it rejects SHA1 but allows sha1.

The reason is that does not see "sha1".

On the other hand, it rejects both "SHA-1" and "sha-1", because it's a direct case-insensitive match.

Also, it allows both "SHA" and "sha" because there is no special code for it. Isn't "SHA" also an alias of "SHA-1"?

Do you think all these names should be recognized? Shall we clarify it in the spec?

