Make the intermediary-sha1 check work

* lisp/net/nsm.el (nsm-protocol-check--intermediary-sha1): Make
the "skip the root cert" logic work (suggested by Noam Postavsky).

diff --git a/lisp/net/nsm.el b/lisp/net/nsm.el
index 2c4f8bf5ed518a3a818fa206df3f80b1717c96c3..146d0d55254be75ec7326225635da8307d13e5bd 100644 (file)
--- a/lisp/net/nsm.el
+++ b/lisp/net/nsm.el
@@ -256,13 +256,14 @@ HOST PORT STATUS OPTIONAL-PARAMETER.")
          host port signature-algorithm))))
 
 (defun nsm-protocol-check--intermediary-sha1 (host port status _)
-  ;; We want to check all intermediary certificates, so we skip the
-  ;; first, reverse the list and then skip the first again, so we miss
-  ;; the first and final certificates in the chain.
-  (cl-loop for certificate in (cdr (reverse
-                                    (cdr (plist-get status :certificates))))
+  ;; Skip the first certificate, because that's the host certificate.
+  (cl-loop for certificate in (cdr (plist-get status :certificates))
            for algo = (plist-get certificate :signature-algorithm)
-           when (and (string-match "\\bSHA1\\b" algo)
+           ;; Don't check root certificates -- SHA1 isn't dangerous
+           ;; there.
+           when (and (not (equal (plist-get certificate :issuer)
+                                 (plist-get certificate :subject)))
+                     (string-match "\\bSHA1\\b" algo)
                      (not (nsm-query
                            host port status :signature-sha1
                            "An intermediary certificate used to verify the connection to %s:%s uses the SHA1 algorithm (%s), which is believed to be unsafe."