pki: Use SHA-256 as default for signatures
Since the BLISS private key supports this we don't do any special handling anymore (if the user choses a digest that is not supported, signing will simply fail later because no signature scheme will be found).
This commit is contained in:
parent
7fa03b308c
commit
ae0604f583
|
@ -32,7 +32,7 @@
|
|||
static int acert()
|
||||
{
|
||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||
hash_algorithm_t digest = HASH_SHA1;
|
||||
hash_algorithm_t digest = HASH_SHA256;
|
||||
certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
|
||||
private_key_t *private = NULL;
|
||||
public_key_t *public = NULL;
|
||||
|
@ -167,14 +167,6 @@ static int acert()
|
|||
error = "issuer private key does not match issuer certificate";
|
||||
goto end;
|
||||
}
|
||||
if (private->get_type(private) == KEY_BLISS)
|
||||
{
|
||||
/* the default hash function is SHA512. SHA1 is not supported */
|
||||
if (digest == HASH_SHA1)
|
||||
{
|
||||
digest = HASH_SHA512;
|
||||
}
|
||||
}
|
||||
|
||||
if (hex)
|
||||
{
|
||||
|
@ -295,7 +287,7 @@ static void __attribute__ ((constructor))reg()
|
|||
{"not-before", 'F', 1, "date/time the validity of the AC starts"},
|
||||
{"not-after", 'T', 1, "date/time the validity of the AC ends"},
|
||||
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha256"},
|
||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||
}
|
||||
});
|
||||
|
|
|
@ -60,7 +60,7 @@ static void destroy_cdp(x509_cdp_t *this)
|
|||
static int issue()
|
||||
{
|
||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||
hash_algorithm_t digest = HASH_SHA1;
|
||||
hash_algorithm_t digest = HASH_SHA256;
|
||||
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
|
||||
private_key_t *private = NULL;
|
||||
public_key_t *public = NULL;
|
||||
|
@ -364,14 +364,6 @@ static int issue()
|
|||
}
|
||||
public->destroy(public);
|
||||
|
||||
if (private->get_type(private) == KEY_BLISS)
|
||||
{
|
||||
/* the default hash function is SHA512. SHA1 is not supported */
|
||||
if (digest == HASH_SHA1)
|
||||
{
|
||||
digest = HASH_SHA512;
|
||||
}
|
||||
}
|
||||
if (hex)
|
||||
{
|
||||
serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
|
||||
|
@ -599,7 +591,7 @@ static void __attribute__ ((constructor))reg()
|
|||
{"crl", 'u', 1, "CRL distribution point URI to include"},
|
||||
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
|
||||
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha256"},
|
||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||
}
|
||||
});
|
||||
|
|
|
@ -31,7 +31,7 @@ static int req()
|
|||
{
|
||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||
key_type_t type = KEY_RSA;
|
||||
hash_algorithm_t digest = HASH_SHA1;
|
||||
hash_algorithm_t digest = HASH_SHA256;
|
||||
certificate_t *cert = NULL;
|
||||
private_key_t *private = NULL;
|
||||
char *file = NULL, *dn = NULL, *error = NULL;
|
||||
|
@ -103,14 +103,6 @@ static int req()
|
|||
break;
|
||||
}
|
||||
|
||||
if (type == KEY_BLISS)
|
||||
{
|
||||
/* the default hash function is SHA512. SHA1 is not supported */
|
||||
if (digest == HASH_SHA1)
|
||||
{
|
||||
digest = HASH_SHA512;
|
||||
}
|
||||
}
|
||||
if (!dn)
|
||||
{
|
||||
error = "--dn is required";
|
||||
|
@ -208,7 +200,7 @@ static void __attribute__ ((constructor))reg()
|
|||
{"dn", 'd', 1, "subject distinguished name"},
|
||||
{"san", 'a', 1, "subjectAltName to include in cert request"},
|
||||
{"password",'p', 1, "challengePassword to include in cert request"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha256"},
|
||||
{"outform", 'f', 1, "encoding of generated request, default: der"},
|
||||
}
|
||||
});
|
||||
|
|
|
@ -50,7 +50,7 @@ static int self()
|
|||
{
|
||||
cred_encoding_type_t form = CERT_ASN1_DER;
|
||||
key_type_t type = KEY_RSA;
|
||||
hash_algorithm_t digest = HASH_SHA1;
|
||||
hash_algorithm_t digest = HASH_SHA256;
|
||||
certificate_t *cert = NULL;
|
||||
private_key_t *private = NULL;
|
||||
public_key_t *public = NULL;
|
||||
|
@ -263,14 +263,6 @@ static int self()
|
|||
break;
|
||||
}
|
||||
|
||||
if (type == KEY_BLISS)
|
||||
{
|
||||
/* the default hash function is SHA512. SHA1 is not supported */
|
||||
if (digest == HASH_SHA1)
|
||||
{
|
||||
digest = HASH_SHA512;
|
||||
}
|
||||
}
|
||||
if (!dn)
|
||||
{
|
||||
error = "--dn is required";
|
||||
|
@ -455,7 +447,7 @@ static void __attribute__ ((constructor))reg()
|
|||
{"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
|
||||
{"flag", 'e', 1, "include extendedKeyUsage flag"},
|
||||
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha256"},
|
||||
{"outform", 'f', 1, "encoding of generated cert, default: der"},
|
||||
}
|
||||
});
|
||||
|
|
|
@ -117,7 +117,7 @@ static int sign_crl()
|
|||
certificate_t *ca = NULL, *crl = NULL;
|
||||
crl_t *lastcrl = NULL;
|
||||
x509_t *x509;
|
||||
hash_algorithm_t digest = HASH_SHA1;
|
||||
hash_algorithm_t digest = HASH_SHA256;
|
||||
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
|
||||
char *basecrl = NULL;
|
||||
char serial[512], *keyid = NULL;
|
||||
|
@ -335,14 +335,6 @@ static int sign_crl()
|
|||
error = "CA private key does not match CA certificate";
|
||||
goto error;
|
||||
}
|
||||
if (private->get_type(private) == KEY_BLISS)
|
||||
{
|
||||
/* the default hash function is SHA512. SHA1 is not supported */
|
||||
if (digest == HASH_SHA1)
|
||||
{
|
||||
digest = HASH_SHA512;
|
||||
}
|
||||
}
|
||||
|
||||
if (basecrl)
|
||||
{
|
||||
|
@ -473,7 +465,7 @@ static void __attribute__ ((constructor))reg()
|
|||
{"serial", 's', 1, "hex encoded certificate serial number to revoke"},
|
||||
{"reason", 'r', 1, "reason for certificate revocation"},
|
||||
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha1"},
|
||||
{"digest", 'g', 1, "digest for signature creation, default: sha256"},
|
||||
{"outform", 'f', 1, "encoding of generated crl, default: der"},
|
||||
}
|
||||
});
|
||||
|
|
|
@ -100,7 +100,7 @@ Serial number in hex. It is randomly allocated by default.
|
|||
.BI "\-g, \-\-digest " digest
|
||||
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
|
||||
\fIsha1\fR.
|
||||
\fIsha256\fR.
|
||||
.TP
|
||||
.BI "\-f, \-\-outform " encoding
|
||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||
|
|
|
@ -123,7 +123,7 @@ Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
|
|||
.BI "\-g, \-\-digest " digest
|
||||
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
|
||||
\fIsha1\fR.
|
||||
\fIsha256\fR.
|
||||
.TP
|
||||
.BI "\-f, \-\-outform " encoding
|
||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||
|
|
|
@ -63,7 +63,7 @@ The challengePassword to include in the certificate request.
|
|||
.BI "\-g, \-\-digest " digest
|
||||
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
|
||||
\fIsha1\fR.
|
||||
\fIsha256\fR.
|
||||
.TP
|
||||
.BI "\-f, \-\-outform " encoding
|
||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||
|
|
|
@ -110,7 +110,7 @@ Add extendedKeyUsage flag. One of \fIserverAuth\fR, \fIclientAuth\fR,
|
|||
.BI "\-g, \-\-digest " digest
|
||||
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
|
||||
\fIsha1\fR.
|
||||
\fIsha256\fR.
|
||||
.TP
|
||||
.BI "\-f, \-\-outform " encoding
|
||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||
|
|
|
@ -99,7 +99,7 @@ Freshest delta CRL URI to include in CRL. Can be used multiple times.
|
|||
.BI "\-g, \-\-digest " digest
|
||||
Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR,
|
||||
\fIsha224\fR, \fIsha256\fR, \fIsha384\fR, or \fIsha512\fR. Defaults to
|
||||
\fIsha1\fR.
|
||||
\fIsha256\fR.
|
||||
.TP
|
||||
.BI "\-f, \-\-outform " encoding
|
||||
Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or
|
||||
|
|
Loading…
Reference in New Issue