Package: tinyca Version: 0.7.5-5 Followup-For: Bug #759481 Dear Maintainer,
Attached is a patch to add support for SHA-224, SHA-256, SHA-384, and SHA-512. It also makes the default digest algorithm SHA-512. I've run it through very basic server cert testing. The patch is on top of the Debian local changes. I couldn't find an upstream. If it exists, I'd be happy to help push it up. Ross -- System Information: Debian Release: 7.7 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'testing'), (40, 'unstable'), (30, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.14-0.bpo.2-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages tinyca depends on: ii libgtk2-perl 2:1.244-1 ii liblocale-gettext-perl 1.05-7+b1 ii openssl 1.0.1e-2+deb7u13 Versions of packages tinyca recommends: ii zip 3.0-6 tinyca suggests no packages. -- no debconf information
diff -ur orig/tinyca-0.7.5/lib/CA.pm tinyca-0.7.5/lib/CA.pm
--- orig/tinyca-0.7.5/lib/CA.pm 2006-07-25 15:12:00.000000000 -0500
+++ tinyca-0.7.5/lib/CA.pm 2014-11-01 12:32:46.277413381 -0500
@@ -349,7 +349,7 @@
 $opts = {};
 $opts->{'days'} = 3650; # set default to 10 years
 $opts->{'bits'} = 4096;
- $opts->{'digest'} = 'sha1';
+ $opts->{'digest'} = 'sha512';
 if(defined($mode) && $mode eq "sub") { # create SubCA, use defaults
 $opts->{'parentca'} = $main->{'CA'}->{'actca'};
@@ -453,7 +453,7 @@
 $opts = {};
 $opts->{'days'} = 3650; # set default to 10 years
 $opts->{'bits'} = 4096;
- $opts->{'digest'} = 'sha1';
+ $opts->{'digest'} = 'sha512';
 $main->show_ca_import_dialog($opts);
 return;
diff -ur orig/tinyca-0.7.5/lib/GUI.pm tinyca-0.7.5/lib/GUI.pm
--- orig/tinyca-0.7.5/lib/GUI.pm 2014-11-01 12:51:39.000000000 -0500
+++ tinyca-0.7.5/lib/GUI.pm 2014-11-01 12:25:31.123392155 -0500
@@ -37,6 +37,10 @@
 'ripemd160' => 'RIPEMD-160',
 # 'sha' => 'SHA',
 'sha1' => 'SHA-1',
+ 'sha224' => 'SHA-224',
+ 'sha256' => 'SHA-256',
+ 'sha384' => 'SHA-384',
+ 'sha512' => 'SHA-512',
 );
 my %bit_lengths = (
diff -ur orig/tinyca-0.7.5/lib/REQ.pm tinyca-0.7.5/lib/REQ.pm
--- orig/tinyca-0.7.5/lib/REQ.pm 2006-07-25 15:12:00.000000000 -0500
+++ tinyca-0.7.5/lib/REQ.pm 2014-11-01 12:30:12.025870028 -0500
@@ -59,7 +59,7 @@
 GUI::HELPERS::print_error($t);
 }
 $opts->{'bits'} = 4096;
- $opts->{'digest'} = 'sha1';
+ $opts->{'digest'} = 'sha512';
 $opts->{'algo'} = 'rsa';
 if(defined($opts) && $opts eq "sign") {
 $opts->{'sign'} = 1;
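Review bot: In lib/CA.pm (new line 352) the default digest is a bare `'sha512'` literal, and the same literal is repeated in the CA-import hunk (new line 456) and in lib/REQ.pm (new line 62), so a later algorithm change has to find every copy and a missed one silently leaves a different default behind one dialog. A single shared definition that all three sites read, for example `use constant DEFAULT_DIGEST => 'sha512';`, would keep them in step. A short comment on the choice would also help: SHA-512 is fine cryptographically, but some older TLS 1.2 stacks reportedly did not accept SHA-512 signatures, which would make SHA-256 the more interoperable default if that matters for the certificates issued here. The enclosing subs start and end outside these hunks.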
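Review bot: The digest table in lib/GUI.pm still lists `'sha1'` and `'ripemd160'` next to the new SHA-2 entries with nothing to say which ones are legacy, so a weak digest remains equally selectable even though the default has moved. A comment above the added lines such as `# SHA-2 family: preferred for new certificates; older entries kept for compatibility` would document the intent. If the right-hand strings are display labels only, which this hunk does not show, the old ones could be marked, e.g. `'sha1' => 'SHA-1 (legacy)',`. The hash starts above the hunk, so any earlier entries are not covered by this note.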
@@ -426,6 +426,14 @@
 $opts->{'digest'} = "md5";
 } elsif ($opts->{'digest'} =~ /^sha1/) {
 $opts->{'digest'} = "sha1";
+ } elsif ($opts->{'digest'} =~ /^sha224/) {
+ $opts->{'digest'} = "sha224";
+ } elsif ($opts->{'digest'} =~ /^sha256/) {
+ $opts->{'digest'} = "sha256";
+ } elsif ($opts->{'digest'} =~ /^sha384/) {
+ $opts->{'digest'} = "sha384";
+ } elsif ($opts->{'digest'} =~ /^sha512/) {
+ $opts->{'digest'} = "sha512";
 } elsif ($opts->{'digest'} =~ /^ripemd160/) {
 $opts->{'digest'} = "ripemd160";
 } else {
diff -ur orig/tinyca-0.7.5/templates/openssl.cnf tinyca-0.7.5/templates/openssl.cnf
--- orig/tinyca-0.7.5/templates/openssl.cnf 2006-07-25 15:12:01.000000000 -0500
+++ tinyca-0.7.5/templates/openssl.cnf 2014-11-01 12:30:43.238590285 -0500
@@ -15,7 +15,7 @@
 x509_extensions = client_cert
 default_days = 365
 default_crl_days= 30
-default_md = sha1
+default_md = sha512
 preserve = no
 policy = policy_client
@@ -33,7 +33,7 @@
 x509_extensions = server_cert
 default_days = 365
 default_crl_days= 30
-default_md = sha1
+default_md = sha512
 preserve = no
 policy = policy_server
@@ -51,7 +51,7 @@
 x509_extensions = v3_ca
 default_days = 365
 default_crl_days= 30
-default_md = sha1
+default_md = sha512
 preserve = no
 policy = policy_ca
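Review bot: In lib/REQ.pm (hunk at line 426) each of the four added `elsif` branches repeats a prefix match followed by an assignment of the same name, which makes the allow-list of accepted digests longer to audit than it needs to be. The visible branches could collapse into one match that captures the accepted prefix, `if ($opts->{'digest'} =~ /^(md5|sha1|sha224|sha256|sha384|sha512|ripemd160)/) { $opts->{'digest'} = $1; }`, with the existing `else` kept as the rejection path. The chain begins above the hunk and the `else` body lies below it, so any earlier branches would need folding in too. It is also worth confirming that the `else` rejects an unrecognised value rather than passing it on.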
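Review bot: Changing `default_md` in templates/openssl.cnf only reaches configuration files generated from the template afterwards. If each CA keeps its own copy, as the `templates` directory name suggests but the patch does not show, CAs created before this change would keep `default_md = sha1` for any operation that does not pass a digest explicitly. The same applies to the server and CA sections in the two following hunks (lines 33 and 51). A comment beside the setting, e.g. `# default_md applies to newly created CAs; existing per-CA openssl.cnf files keep their own value`, or a note in the package changelog telling users to update existing CA configs, would make that visible.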