Initialize certificate: default to SHA-1 when necessary

SparkiDev · SparkiDev · commit 61120b7a0c6f · 2026-04-10T07:53:24.000+10:00
Make SHA-1 with RSA signature type the last option.
SHA-1 signatures are deprecated as weak.
diff --git a/tests/api/test_ossl_x509_crypto.c b/tests/api/test_ossl_x509_crypto.c
@@ -698,6 +698,12 @@ int test_wolfSSL_make_cert(void)
     cert.isCA     = 1;
 #ifndef NO_SHA256
     cert.sigType = CTC_SHA256wRSA;
+#elif defined(WOLFSSL_SHA384)
+    cert.sigType = CTC_SHA384wRSA;
+#elif defined(WOLFSSL_SHA512)
+    cert.sigType = CTC_SHA512wRSA;
+#elif defined(WOLFSSL_SHA224)
+    cert.sigType = CTC_SHA224wRSA;
 #else
     cert.sigType = CTC_SHAwRSA;
 #endif
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
@@ -24985,10 +24985,16 @@ int wc_InitCert_ex(Cert* cert, void* heap, int devId)
     XMEMSET(cert, 0, sizeof(Cert));
 
     cert->version    = 2;   /* version 3 is hex 2 */
-#ifndef NO_SHA
-    cert->sigType    = CTC_SHAwRSA;
-#elif !defined(NO_SHA256)
+#if !defined(NO_SHA256)
     cert->sigType    = CTC_SHA256wRSA;
+#elif defined(WOLFSSL_SHA384)
+    cert->sigType    = CTC_SHA384wRSA;
+#elif defined(WOLFSSL_SHA512)
+    cert->sigType    = CTC_SHA512wRSA;
+#elif defined(WOLFSSL_SHA224)
+    cert->sigType    = CTC_SHA224wRSA;
+#elif !defined(NO_SHA)
+    cert->sigType    = CTC_SHAwRSA;
 #else
     cert->sigType    = 0;
 #endif
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
@@ -24505,6 +24505,12 @@ static wc_test_ret_t rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng,
     myCert->isCA    = 1;
 #ifndef NO_SHA256
     myCert->sigType = CTC_SHA256wRSA;
+#elif defined(WOLFSSL_SHA384)
+    myCert->sigType = CTC_SHA384wRSA;
+#elif defined(WOLFSSL_SHA512)
+    myCert->sigType = CTC_SHA512wRSA;
+#elif defined(WOLFSSL_SHA224)
+    myCert->sigType = CTC_SHA224wRSA;
 #else
     myCert->sigType = CTC_SHAwRSA;
 #endif
@@ -24652,6 +24658,12 @@ static wc_test_ret_t rsa_certgen_test(RsaKey* key, RsaKey* keypub, WC_RNG* rng,
 
 #ifndef NO_SHA256
     myCert->sigType = CTC_SHA256wRSA;
+#elif defined(WOLFSSL_SHA384)
+    myCert->sigType = CTC_SHA384wRSA;
+#elif defined(WOLFSSL_SHA512)
+    myCert->sigType = CTC_SHA512wRSA;
+#elif defined(WOLFSSL_SHA224)
+    myCert->sigType = CTC_SHA224wRSA;
 #else
     myCert->sigType = CTC_SHAwRSA;
 #endif
@@ -24878,6 +24890,12 @@ static wc_test_ret_t rsa_ecc_certgen_test(WC_RNG* rng, byte* tmp)
 
 #ifndef NO_SHA256
     myCert->sigType = CTC_SHA256wRSA;
+#elif defined(WOLFSSL_SHA384)
+    myCert->sigType = CTC_SHA384wRSA;
+#elif defined(WOLFSSL_SHA512)
+    myCert->sigType = CTC_SHA512wRSA;
+#elif defined(WOLFSSL_SHA224)
+    myCert->sigType = CTC_SHA224wRSA;
 #else
     myCert->sigType = CTC_SHAwRSA;
 #endif
@@ -25981,6 +25999,12 @@ WOLFSSL_TEST_SUBROUTINE wc_test_ret_t rsa_test(void)
 
     #ifndef NO_SHA256
         req->sigType = CTC_SHA256wRSA;
+    #elif defined(WOLFSSL_SHA384)
+        req->sigType = CTC_SHA384wRSA;
+    #elif defined(WOLFSSL_SHA512)
+        req->sigType = CTC_SHA512wRSA;
+    #elif defined(WOLFSSL_SHA224)
+        req->sigType = CTC_SHA224wRSA;
     #else
         req->sigType = CTC_SHAwRSA;
     #endif
@@ -37094,6 +37118,12 @@ static wc_test_ret_t ecc_test_cert_gen(WC_RNG* rng)
 
 #ifndef NO_SHA256
     myCert->sigType = CTC_SHA256wECDSA;
+#elif defined(WOLFSSL_SHA384)
+    myCert->sigType = CTC_SHA384wECDSA;
+#elif defined(WOLFSSL_SHA512)
+    myCert->sigType = CTC_SHA512wECDSA;
+#elif defined(WOLFSSL_SHA224)
+    myCert->sigType = CTC_SHA224wECDSA;
 #else
     myCert->sigType = CTC_SHAwECDSA;
 #endif
