Add s2n_signature_preferences_20240521 (#4565)

aws · Aug 14, 2024 · 2c8ae53 · 2c8ae53
1 parent 08cfd93
commit 2c8ae53
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 0 deletions.
diff --git a/tls/s2n_signature_scheme.c b/tls/s2n_signature_scheme.c
@@ -469,6 +469,41 @@ const struct s2n_signature_preferences s2n_certificate_signature_preferences_rfc
     .signature_schemes = s2n_cert_sig_scheme_pref_list_rfc9151
 };
 
+/*
+ * Legacy compatibility policy based on s2n_sig_scheme_pref_list_20201021 with ECDSA prioritized.
+ * This list also removes ECDSA+SHA224, which is not known to be relied on by any legitimate
+ * use cases.
+ */
+const struct s2n_signature_scheme* const s2n_sig_scheme_pref_list_20240521[] = {
+    /* ECDSA */
+    &s2n_ecdsa_sha256,
+    &s2n_ecdsa_sha384,
+    &s2n_ecdsa_sha512,
+
+    /* RSA PSS */
+    &s2n_rsa_pss_pss_sha256,
+    &s2n_rsa_pss_pss_sha384,
+    &s2n_rsa_pss_pss_sha512,
+    &s2n_rsa_pss_rsae_sha256,
+    &s2n_rsa_pss_rsae_sha384,
+    &s2n_rsa_pss_rsae_sha512,
+
+    /* RSA PKCS1 */
+    &s2n_rsa_pkcs1_sha256,
+    &s2n_rsa_pkcs1_sha384,
+    &s2n_rsa_pkcs1_sha512,
+    &s2n_rsa_pkcs1_sha224,
+
+    /* SHA-1 Legacy */
+    &s2n_ecdsa_sha1,
+    &s2n_rsa_pkcs1_sha1,
+};
+
+const struct s2n_signature_preferences s2n_signature_preferences_20240521 = {
+    .count = s2n_array_len(s2n_sig_scheme_pref_list_20240521),
+    .signature_schemes = s2n_sig_scheme_pref_list_20240521
+};
+
 const struct s2n_signature_scheme* const s2n_sig_scheme_pref_list_test_all_fips[] = {
     /* RSA PSS */
     &s2n_rsa_pss_pss_sha256,

diff --git a/tls/s2n_signature_scheme.h b/tls/s2n_signature_scheme.h
@@ -76,6 +76,7 @@ extern const struct s2n_signature_preferences s2n_signature_preferences_20140601
 extern const struct s2n_signature_preferences s2n_signature_preferences_20200207;
 extern const struct s2n_signature_preferences s2n_signature_preferences_20201021;
 extern const struct s2n_signature_preferences s2n_signature_preferences_20210816;
+extern const struct s2n_signature_preferences s2n_signature_preferences_20240521;
 extern const struct s2n_signature_preferences s2n_signature_preferences_rfc9151;
 extern const struct s2n_signature_preferences s2n_certificate_signature_preferences_rfc9151;
 extern const struct s2n_signature_preferences s2n_signature_preferences_default_fips;