keyutil, genkey: use SHA-2 hashes by default for certs (#1062444)
Resolves: rhbz#1062444
This commit is contained in:
parent
b0009234d8
commit
a2aaef550c
@ -4,7 +4,7 @@
|
|||||||
Summary: SSL certificate and key management utilities
|
Summary: SSL certificate and key management utilities
|
||||||
Name: crypto-utils
|
Name: crypto-utils
|
||||||
Version: 2.4.1
|
Version: 2.4.1
|
||||||
Release: 55%{?dist}
|
Release: 56%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
# certwatch.c is GPLv2
|
# certwatch.c is GPLv2
|
||||||
# pemutil.c etc are (MPLv1.1+ or GPLv2+ or LPGLv2+)
|
# pemutil.c etc are (MPLv1.1+ or GPLv2+ or LPGLv2+)
|
||||||
@ -135,6 +135,9 @@ chmod -R u+w $RPM_BUILD_ROOT
|
|||||||
%{perl_vendorarch}/auto/Crypt
|
%{perl_vendorarch}/auto/Crypt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 29 2014 Adam Williamson <awilliam@redhat.com> - 2.4.1-56
|
||||||
|
- keyutil, genkey: use SHA-2 hashes by default for certs (#1062444)
|
||||||
|
|
||||||
* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.1-55
|
* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.1-55
|
||||||
- Perl 5.20 rebuild
|
- Perl 5.20 rebuild
|
||||||
|
|
||||||
|
24
genkey.pl
24
genkey.pl
@ -131,6 +131,7 @@ my $modNssDbDir = '';
|
|||||||
my $nssNickname = '';
|
my $nssNickname = '';
|
||||||
my $nssDBPrefix = '';
|
my $nssDBPrefix = '';
|
||||||
my $gdb = '';
|
my $gdb = '';
|
||||||
|
my $hashalg = "SHA256";
|
||||||
GetOptions('test|t' => \$test_mode,
|
GetOptions('test|t' => \$test_mode,
|
||||||
'genreq' => \$genreq_mode,
|
'genreq' => \$genreq_mode,
|
||||||
'days=i' => \$cert_days,
|
'days=i' => \$cert_days,
|
||||||
@ -455,6 +456,22 @@ sub keyInDatabase {
|
|||||||
return $answer;
|
return $answer;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Pick an appropriate hashing function for the key length
|
||||||
|
# Ideally we should be able to depend on upstream behaviour and drop this,
|
||||||
|
# but upstream's default was not changed from SHA-1 in a timely fashion:
|
||||||
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1058933
|
||||||
|
sub getHashForKeyLength {
|
||||||
|
use integer;
|
||||||
|
# See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
|
||||||
|
# and http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
|
||||||
|
$hashalg = "SHA256";
|
||||||
|
if ($bits > 7680) {
|
||||||
|
$hashalg = "SHA512";
|
||||||
|
} elsif ($bits > 3072) {
|
||||||
|
$hashalg = "SHA384";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
######################################################################
|
######################################################################
|
||||||
# The window functions
|
# The window functions
|
||||||
|
|
||||||
@ -556,6 +573,8 @@ EOT
|
|||||||
last;
|
last;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
getHashForKeyLength();
|
||||||
|
|
||||||
$panel->Hide();
|
$panel->Hide();
|
||||||
undef $panel;
|
undef $panel;
|
||||||
@ -601,6 +620,8 @@ EOT
|
|||||||
}
|
}
|
||||||
} while ($bits < $minbits || $bits > $maxbits);
|
} while ($bits < $minbits || $bits > $maxbits);
|
||||||
|
|
||||||
|
getHashForKeyLength();
|
||||||
|
|
||||||
$panel->Hide();
|
$panel->Hide();
|
||||||
undef $panel;
|
undef $panel;
|
||||||
|
|
||||||
@ -976,6 +997,7 @@ sub makeCertNSS
|
|||||||
$args .= "-d $modNssDbDir ";
|
$args .= "-d $modNssDbDir ";
|
||||||
$args .= "-p $nssDBPrefix " if $nssDBPrefix;
|
$args .= "-p $nssDBPrefix " if $nssDBPrefix;
|
||||||
$args .= "-o $certfile " if $certfile;
|
$args .= "-o $certfile " if $certfile;
|
||||||
|
$args .= "-Z $hashalg ";
|
||||||
|
|
||||||
nssUtilCmd("$bindir/certutil", $args);
|
nssUtilCmd("$bindir/certutil", $args);
|
||||||
|
|
||||||
@ -1015,6 +1037,7 @@ sub genRequestNSS
|
|||||||
$args .= "-v $months ";
|
$args .= "-v $months ";
|
||||||
$args .= "-z $noisefile " if $noisefile;
|
$args .= "-z $noisefile " if $noisefile;
|
||||||
$args .= "-o $csrfile ";
|
$args .= "-o $csrfile ";
|
||||||
|
$args .= "-Z $hashalg ";
|
||||||
|
|
||||||
nssUtilCmd("$bindir/certutil", $args);
|
nssUtilCmd("$bindir/certutil", $args);
|
||||||
|
|
||||||
@ -1155,6 +1178,7 @@ sub renewCertNSS
|
|||||||
$args .= "-f $pwdfile " if $pwdfile;
|
$args .= "-f $pwdfile " if $pwdfile;
|
||||||
$args .= "-v $months ";
|
$args .= "-v $months ";
|
||||||
$args .= "-o $csrfile ";
|
$args .= "-o $csrfile ";
|
||||||
|
$args .= "-Z $hashalg ";
|
||||||
|
|
||||||
nssUtilCmd("$bindir/certutil", $args);
|
nssUtilCmd("$bindir/certutil", $args);
|
||||||
|
|
||||||
|
17
keyutil.c
17
keyutil.c
@ -1522,7 +1522,22 @@ static int keyutil_main(
|
|||||||
keyutil_extns[ext_policyConstr] = PR_FALSE;
|
keyutil_extns[ext_policyConstr] = PR_FALSE;
|
||||||
keyutil_extns[ext_inhibitAnyPolicy] = PR_FALSE;
|
keyutil_extns[ext_inhibitAnyPolicy] = PR_FALSE;
|
||||||
|
|
||||||
hashAlgTag = SEC_OID_SHA1;
|
/*
|
||||||
|
* Hash algorithm should be at least SHA-256 after 2013:
|
||||||
|
* http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
|
||||||
|
* Per http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
|
||||||
|
* a 3072-bit key provides 128 bits of security and a 7680-bit key provides
|
||||||
|
* 192 bits of security, so when producing certificates that use keys
|
||||||
|
* longer than those lengths, we should use a correspondingly stronger
|
||||||
|
* hash algorithm
|
||||||
|
*/
|
||||||
|
if (keysize > 7680) {
|
||||||
|
hashAlgTag = SEC_OID_SHA512;
|
||||||
|
} else if (keysize > 3072) {
|
||||||
|
hashAlgTag = SEC_OID_SHA384;
|
||||||
|
} else {
|
||||||
|
hashAlgTag = SEC_OID_SHA256;
|
||||||
|
}
|
||||||
|
|
||||||
/* Make a cert request */
|
/* Make a cert request */
|
||||||
rv = CertReq(privkey, pubkey, rsaKey, hashAlgTag, subject,
|
rv = CertReq(privkey, pubkey, rsaKey, hashAlgTag, subject,
|
||||||
|
Loading…
Reference in New Issue
Block a user