keyutil, genkey: use SHA-2 hashes by default for certs (#1062444)
Resolves: rhbz#1062444
parent
b0009234d8
commit
a2aaef550c
@ -4,7 +4,7 @@
|
||||
Summary: SSL certificate and key management utilities
|
||||
Name: crypto-utils
|
||||
Version: 2.4.1
|
||||
Release: 55%{?dist}
|
||||
Release: 56%{?dist}
|
||||
Group: Applications/System
|
||||
# certwatch.c is GPLv2
|
||||
# pemutil.c etc are (MPLv1.1+ or GPLv2+ or LPGLv2+)
|
||||
@ -135,6 +135,9 @@ chmod -R u+w $RPM_BUILD_ROOT
|
||||
%{perl_vendorarch}/auto/Crypt
|
||||
|
||||
%changelog
|
||||
* Fri Aug 29 2014 Adam Williamson <awilliam@redhat.com> - 2.4.1-56
|
||||
- keyutil, genkey: use SHA-2 hashes by default for certs (#1062444)
|
||||
|
||||
* Wed Aug 27 2014 Jitka Plesnikova <jplesnik@redhat.com> - 2.4.1-55
|
||||
- Perl 5.20 rebuild
|
||||
|
||||
|
24
genkey.pl
24
genkey.pl
@ -131,6 +131,7 @@ my $modNssDbDir = '';
|
||||
my $nssNickname = '';
|
||||
my $nssDBPrefix = '';
|
||||
my $gdb = '';
|
||||
my $hashalg = "SHA256";
|
||||
GetOptions('test|t' => \$test_mode,
|
||||
'genreq' => \$genreq_mode,
|
||||
'days=i' => \$cert_days,
|
||||
@ -455,6 +456,22 @@ sub keyInDatabase {
|
||||
return $answer;
|
||||
}
|
||||
|
||||
# Pick an appropriate hashing function for the key length
|
||||
# Ideally we should be able to depend on upstream behaviour and drop this,
|
||||
# but upstream's default was not changed from SHA-1 in a timely fashion:
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1058933
|
||||
sub getHashForKeyLength {
|
||||
use integer;
|
||||
# See http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
|
||||
# and http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
|
||||
$hashalg = "SHA256";
|
||||
if ($bits > 7680) {
|
||||
$hashalg = "SHA512";
|
||||
} elsif ($bits > 3072) {
|
||||
$hashalg = "SHA384";
|
||||
}
|
||||
}
|
||||
|
||||
######################################################################
|
||||
# The window functions
|
||||
|
||||
@ -557,6 +574,8 @@ EOT
|
||||
}
|
||||
}
|
||||
|
||||
getHashForKeyLength();
|
||||
|
||||
$panel->Hide();
|
||||
undef $panel;
|
||||
return $ret;
|
||||
@ -601,6 +620,8 @@ EOT
|
||||
}
|
||||
} while ($bits < $minbits || $bits > $maxbits);
|
||||
|
||||
getHashForKeyLength();
|
||||
|
||||
$panel->Hide();
|
||||
undef $panel;
|
||||
|
||||
@ -976,6 +997,7 @@ sub makeCertNSS
|
||||
$args .= "-d $modNssDbDir ";
|
||||
$args .= "-p $nssDBPrefix " if $nssDBPrefix;
|
||||
$args .= "-o $certfile " if $certfile;
|
||||
$args .= "-Z $hashalg ";
|
||||
|
||||
nssUtilCmd("$bindir/certutil", $args);
|
||||
|
||||
@ -1015,6 +1037,7 @@ sub genRequestNSS
|
||||
$args .= "-v $months ";
|
||||
$args .= "-z $noisefile " if $noisefile;
|
||||
$args .= "-o $csrfile ";
|
||||
$args .= "-Z $hashalg ";
|
||||
|
||||
nssUtilCmd("$bindir/certutil", $args);
|
||||
|
||||
@ -1155,6 +1178,7 @@ sub renewCertNSS
|
||||
$args .= "-f $pwdfile " if $pwdfile;
|
||||
$args .= "-v $months ";
|
||||
$args .= "-o $csrfile ";
|
||||
$args .= "-Z $hashalg ";
|
||||
|
||||
nssUtilCmd("$bindir/certutil", $args);
|
||||
|
||||
|
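Review bot: `getHashForKeyLength` takes no arguments and returns nothing meaningful: it reads the file-level `$bits` and overwrites the file-level `$hashalg`, so the `-Z $hashalg` added in makeCertNSS, genRequestNSS and renewCertNSS follows the key-length policy only if one of the two window functions that call it has already run. Any path that reaches those subs without going through the key-size dialogs (none is visible in these hunks) keeps the initial "SHA256", which is still SHA-2 but silently ignores the thresholds described in the comment. I would have the helper take the key length and return the algorithm name, and call it where the argument string is built, so the digest cannot go stale. The window functions and the three NSS subs start outside the hunks, so confirm that `$bits` is visible and set at those call sites before adopting this.

```perl
sub getHashForKeyLength {
    my ($keybits) = @_;
    use integer;
    return "SHA512" if $keybits > 7680;
    return "SHA384" if $keybits > 3072;
    return "SHA256";
}

# … unchanged: window functions, other certutil arguments …
$args .= "-Z " . getHashForKeyLength($bits) . " ";
```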
17
keyutil.c
17
keyutil.c
@ -1522,7 +1522,22 @@ static int keyutil_main(
|
||||
keyutil_extns[ext_policyConstr] = PR_FALSE;
|
||||
keyutil_extns[ext_inhibitAnyPolicy] = PR_FALSE;
|
||||
|
||||
hashAlgTag = SEC_OID_SHA1;
|
||||
/*
|
||||
* Hash algorithm should be at least SHA-256 after 2013:
|
||||
* http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf
|
||||
* Per http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57_part1_rev3_general.pdf
|
||||
* a 3072-bit key provides 128 bits of security and a 7680-bit key provides
|
||||
* 192 bits of security, so when producing certificates that use keys
|
||||
* longer than those lengths, we should use a correspondingly stronger
|
||||
* hash algorithm
|
||||
*/
|
||||
if (keysize > 7680) {
|
||||
hashAlgTag = SEC_OID_SHA512;
|
||||
} else if (keysize > 3072) {
|
||||
hashAlgTag = SEC_OID_SHA384;
|
||||
} else {
|
||||
hashAlgTag = SEC_OID_SHA256;
|
||||
}
|
||||
|
||||
/* Make a cert request */
|
||||
rv = CertReq(privkey, pubkey, rsaKey, hashAlgTag, subject,
|
||||
|
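Review bot: The digest is chosen from `keysize`, but nothing in the hunk shows that `keysize` always holds the length of the key that is actually used for signing. keyutil_main's body starts outside the hunk; if it can be handed an existing key instead of generating one, a key longer than 3072 bits could be paired with SHA-256 because `keysize` still holds a default or requested value. Deriving the length from the key itself, e.g. `unsigned int bits = SECKEY_PublicKeyStrengthInBits(pubkey);` ahead of the `if`, would close that gap, assuming `pubkey` is populated at this point as its use in the `CertReq` call suggests. The same thresholds are hard-coded again in genkey.pl's `getHashForKeyLength`, so a comment such as `/* keep in sync with getHashForKeyLength() in genkey.pl */` would help stop the two policies drifting apart.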