You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
5.5 KiB
125 lines
5.5 KiB
From baa2a485190d1b31f3dae06a18dc24d71dbe35bf Mon Sep 17 00:00:00 2001
|
|
From: Julien Rische <jrische@redhat.com>
|
|
Date: Fri, 11 Mar 2022 12:04:14 +0100
|
|
Subject: [PATCH] Use SHA-256 instead of SHA-1 for PKINIT CMS digest
|
|
|
|
Various organizations including NIST have been strongly recommending to
|
|
stop using SHA-1 for digital signatures for some years already. CMS
|
|
digest is used to generate such signatures, hence it should be upgraded
|
|
to use SHA-256.
|
|
---
|
|
.../preauth/pkinit/pkinit_crypto_openssl.c | 40 ++++++++++---------
|
|
1 file changed, 22 insertions(+), 18 deletions(-)
|
|
|
|
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
index dbb054378..32291e3ac 100644
|
|
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
|
|
@@ -1234,7 +1234,7 @@ cms_signeddata_create(krb5_context context,
|
|
/* will not fill-out EVP_PKEY because it's on the smartcard */
|
|
|
|
/* Set digest algs */
|
|
- p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
|
|
+ p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
|
|
|
|
if (p7si->digest_alg->parameter != NULL)
|
|
ASN1_TYPE_free(p7si->digest_alg->parameter);
|
|
@@ -1245,17 +1245,18 @@ cms_signeddata_create(krb5_context context,
|
|
/* Set sig algs */
|
|
if (p7si->digest_enc_alg->parameter != NULL)
|
|
ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
|
|
- p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
|
|
+ p7si->digest_enc_alg->algorithm =
|
|
+ OBJ_nid2obj(NID_sha256WithRSAEncryption);
|
|
if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
|
|
goto cleanup;
|
|
p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
|
|
|
|
/* add signed attributes */
|
|
- /* compute sha1 digest over the EncapsulatedContentInfo */
|
|
+ /* compute sha256 digest over the EncapsulatedContentInfo */
|
|
ctx = EVP_MD_CTX_new();
|
|
if (ctx == NULL)
|
|
goto cleanup;
|
|
- EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
|
|
+ EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
|
|
EVP_DigestUpdate(ctx, data, data_len);
|
|
md_tmp = EVP_MD_CTX_md(ctx);
|
|
EVP_DigestFinal_ex(ctx, md_data, &md_len);
|
|
@@ -1283,12 +1284,14 @@ cms_signeddata_create(krb5_context context,
|
|
goto cleanup2;
|
|
|
|
#ifndef WITHOUT_PKCS11
|
|
- /* Some tokens can only do RSAEncryption without sha1 hash */
|
|
- /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
|
|
- * function and the hash value into an ASN.1 value of type DigestInfo
|
|
- * DigestInfo::=SEQUENCE {
|
|
- * digestAlgorithm AlgorithmIdentifier,
|
|
- * digest OCTET STRING }
|
|
+ /*
|
|
+ * Some tokens can only do RSAEncryption without a hash. To compute
|
|
+ * sha256WithRSAEncryption, encode the algorithm ID for the hash
|
|
+ * function and the hash value into an ASN.1 value of type DigestInfo:
|
|
+ * DigestInfo ::= SEQUENCE {
|
|
+ * digestAlgorithm AlgorithmIdentifier,
|
|
+ * digest OCTET STRING
|
|
+ * }
|
|
*/
|
|
if (id_cryptoctx->pkcs11_method == 1 &&
|
|
id_cryptoctx->mech == CKM_RSA_PKCS) {
|
|
@@ -1304,7 +1307,7 @@ cms_signeddata_create(krb5_context context,
|
|
alg = X509_ALGOR_new();
|
|
if (alg == NULL)
|
|
goto cleanup2;
|
|
- X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
|
|
+ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
|
|
alg_len = i2d_X509_ALGOR(alg, NULL);
|
|
|
|
digest = ASN1_OCTET_STRING_new();
|
|
@@ -1333,7 +1336,7 @@ cms_signeddata_create(krb5_context context,
|
|
#endif
|
|
{
|
|
pkiDebug("mech = %s\n",
|
|
- id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
|
|
+ id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
|
|
retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
|
|
&sig, &sig_len);
|
|
}
|
|
@@ -4147,7 +4150,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
|
|
ctx = EVP_MD_CTX_new();
|
|
if (ctx == NULL)
|
|
return ENOMEM;
|
|
- EVP_SignInit(ctx, EVP_sha1());
|
|
+ EVP_SignInit(ctx, EVP_sha256());
|
|
EVP_SignUpdate(ctx, data, data_len);
|
|
*sig_len = EVP_PKEY_size(pkey);
|
|
if ((*sig = malloc(*sig_len)) == NULL)
|
|
@@ -4623,10 +4626,11 @@ pkinit_get_certs_pkcs11(krb5_context context,
|
|
|
|
#ifndef PKINIT_USE_MECH_LIST
|
|
/*
|
|
- * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
|
|
- * many cards seems to be confused about whether they are capable of
|
|
- * this or not. The safe thing seems to be to ignore the mechanism list,
|
|
- * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
|
|
+ * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
|
|
+ * historically many cards seem to be confused about whether they are
|
|
+ * capable of mechanisms or not. The safe thing seems to be to ignore the
|
|
+ * mechanism list, always use CKM_RSA_PKCS and calculate the sha256 digest
|
|
+ * ourselves.
|
|
*/
|
|
|
|
id_cryptoctx->mech = CKM_RSA_PKCS;
|
|
@@ -4654,7 +4658,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
|
|
if (mechp[i] == CKM_RSA_PKCS) {
|
|
/* This seems backwards... */
|
|
id_cryptoctx->mech =
|
|
- (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
|
|
+ (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
|
|
}
|
|
}
|
|
free(mechp);
|
|
--
|
|
2.35.1
|
|
|