-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Folks,

I recently created a Debian source git with the patches from this Bugreport 
applied:

https://github.com/simonswine/tinyca2_debian

An interesting feature would be to enforce a certain hash algorithm while 
signing a (external) certificate request. I'm doing this right now with a quick 
and dirty hack. Attached patch or here:

https://github.com/simonswine/tinyca2_debian/commit/f90b6b1f12d99fd2d7ca359269d2ac9caa55d415


Cheers,
Chris

        
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJU+BP7AAoJEB/ywJxiBF7SJbcP/1Ydp/n8f4yEkaDJWdXWaaQq
M3p9Q28mZy7rv0FPV1ZBsL8z4CSHzWhB7yDpsbMpPSdvofrRgWEbFKaa0aEh4MxM
jHA2BZPTnNisTiWcqhkfh6d6/jD1yxVdMgt//w06vZmWsxE2pr19OFxUtScJ3rLh
Mt03UMy3frbWRkhK8aVS2WFVrkxKYwwVfi15Nvan4MKXSI53O3g/4DeDnegtcPh+
6KxNlsD6TfS9B8ZJVTDy28jygVlcKFxXssFgDfMWe7iSIIEMsOozSEf1IYWzQ9yp
vq7wNsyh4Vv6Dk3sT4XJ9CMdggDlDo9ZrgycIvDVuEQT/udQUyi0TPWCNqnJbaPT
rUnkCUTBGJ9z3f+86y2CkQkzvX26HL4iVEHFrsx2LxRsqrYPxmp+ifuS/S+5OP1E
iQMtJNVeamTvsIhfVhWcua0oxGXwbq4khTuLcgF30WgB9yflg9Htb7nmeEiEbZtb
Rny4eBJcAYYTYckCVq7T8UZPYgd0QkwRvp5N9c/mCrxJE1zqeb64d/mLPaudTEZi
nae7/CIUPmONR7OntnwuSHGxfEAiqE5Rl0LJplIWQA7SUu1gP7aV4dx0kpeF8K4C
J1RUSyYtdaQDMznFPtuWdpRIlQ2Kj8sFBiolwJ16lTSp4n6KcjOuTrlXXphW6Cde
z+E9sIzDZxt6khQIk+ep
=CorX
-----END PGP SIGNATURE-----
From f90b6b1f12d99fd2d7ca359269d2ac9caa55d415 Mon Sep 17 00:00:00 2001
From: Christian Simon <[email protected]>
Date: Thu, 5 Mar 2015 09:16:28 +0100
Subject: [PATCH] Enforce SHA256 if the CA is signing with SHA1

---
 lib/OpenSSL.pm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/lib/OpenSSL.pm b/lib/OpenSSL.pm
index e9f0f21..d3edba3 100644
--- a/lib/OpenSSL.pm
+++ b/lib/OpenSSL.pm
@@ -143,7 +143,12 @@ sub signreq {
    $cmd .= " -in \"$opts->{'reqfile'}\"";
    $cmd .= " -days $opts->{'days'}";
    $cmd .= " -preserveDN";
-   $cmd .= " -md $opts->{'digest'}" if($opts->{'digest'});
+   if($opts->{'digest'}){
+       if (lc $opts->{'digest'} eq 'sha1'){
+           $opts->{'digest'} = "sha256"
+       }
+       $cmd .= " -md $opts->{'digest'}"
+   };
 
    if(defined($opts->{'mode'}) && $opts->{'mode'} eq "sub") {
       $cmd .= " -keyfile \"$opts->{'keyfile'}\"";
-- 
1.9.1

Attachment: 0001-Enforce-SHA256-if-the-CA-is-signing-with-SHA1.patch.sig
Description: PGP signature

Reply via email to