On 2014/10/01 18:41, Joel Sing wrote:
> On Wed, 1 Oct 2014, Stuart Henderson wrote:
> > Over the coming months, web browsers will progressively start to first
> > warn for certificate chains including SHA-1 hashes, then treat them
> > as insecure (including disabling certain content - scripts etc).
> > Chrome are initially doing this for certs expiring after Jan 2017,
> > but will progressively slide it forward to certs expiring after
> > Jan 2016.
> >
> > Since my previous attempt to at least show this in ssl(8) examples
> > for "openssl req" a few months ago, I've spent some time digging for
> > where the defaults are set in the code as a nicer place to set sane
> > values, but haven't tracked it down yet. Would it be OK to set it
> > in the default config for now? (or does anyone have an idea of where
> > in the code this comes from?)
>
> Welcome to libkitchensink...
>
> I'd need to quadruple check, however this should come from openssl/req.c
> do_X509_sign() being called with a NULL digest, which calls openssl/req.c
> do_sign_init() with a NULL md, which calls crypto/evp/m_sigver.c
> EVP_DigestSignInit() with md being NULL, which calls crypto/evp/m_sigver.c
> do_sigver_init() with type being NULL, which results in:
>
> if (type == NULL) {
> int def_nid;
> if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) > 0)
> type = EVP_get_digestbynid(def_nid);
> }
>
> EVP_PKEY_get_default_digest_nid() returns the default digest associated with
> the given PKEY. Since you're using RSA, pkey_ctrl is implemented by
> crypto/rsa/rsa_ameth.c rsa_pkey_ctrl(), which has:
>
> case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
> *(int *)arg2 = NID_sha1;
> return 1;
>
> Catch all that?
>
> To make SHA-256 the default for RSA, we'd have to change that from NID_sha1
> to
> NID_sha256...
>
> (and yes, clearly I've spent too much time in this code base recently... :)
Bingo :) So, this has the desired effect. The default key size is of
course set somewhere *completely* different. Good results with this test:
printf '\n\n\n\n\ntest\n\n\n\n' | openssl req -new -newkey rsa \
-nodes -keyout key -noout -text -verify 2>/dev/null |
grep -e Signature.Alg -e Public-Key
I've included an openssl.cnf patch again but this time with the default
hash and key size commented-out, and a number of other things not
necessary to a default file removed (if we want a more complete example
file it can go in /etc/examples, this might be useful sometime to show
people how to set up subjectAlternativeName etc, but that's out of scope
for this diff).
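A defender-side check for the output of the test command above, as an added example that is not part of the original mail; it flags the old defaults (SHA-1 signature, 512-bit key) that the browser changes will reject, and the `openssl req -text` output it parses is constructed inline rather than captured:

```python
"""Audit `openssl req -text` (or `openssl x509 -text`) output for the weak
defaults discussed in the thread: SHA-1/MD5 signatures and RSA keys shorter
than 2048 bits.  The sample output below is constructed, not captured."""
import re

# Constructed sample shaped like the lines the grep in the mail matches,
# as produced with the old defaults (512-bit key, SHA-1 signature).
SAMPLE_OLD = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
    Signature Algorithm: sha1WithRSAEncryption
"""
# The same request as it would look with the patched defaults.
SAMPLE_NEW = SAMPLE_OLD.replace("(512 bit)", "(2048 bit)").replace(
    "sha1WithRSAEncryption", "sha256WithRSAEncryption")

MIN_RSA_BITS = 2048  # matches the new DEFAULT_KEY_LENGTH in req.c
SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
# Older tools print "RSA Public Key: (N bit)", newer ones "Public-Key: (N bit)".
KEY_RE = re.compile(r"^\s*(?:RSA )?Public-?Key:\s*\((\d+) bit\)", re.M)
# md2/md4/md5/sha1 as a whole token inside the algorithm name, e.g.
# sha1WithRSAEncryption or ecdsa-with-SHA1, but not sha256 or sha512.
WEAK_RE = re.compile(r"(?<![a-z0-9])(md[245]|sha1)(?![0-9])")


def audit_req_text(text):
    """Return a list of findings; an empty list means nothing weak was seen."""
    findings = []
    sig = SIG_RE.search(text)
    if sig is None:
        findings.append("no Signature Algorithm line found")
    elif WEAK_RE.search(sig.group(1).lower()):
        findings.append("weak signature digest: %s" % sig.group(1))
    key = KEY_RE.search(text)
    if key is None:
        findings.append("no public key size found")
    elif int(key.group(1)) < MIN_RSA_BITS:
        findings.append("RSA key too short: %s bits" % key.group(1))
    return findings


if __name__ == "__main__":
    for name, sample in (("old defaults", SAMPLE_OLD), ("new defaults", SAMPLE_NEW)):
        print(name, audit_req_text(sample) or ["ok"])
```

Piping the real `openssl req ... -text` output from the test above into audit_req_text() gives the same pass/fail answer as the grep, without eyeballing the lines.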
Index: lib/libssl/src/crypto/rsa/rsa_ameth.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_ameth.c,v
retrieving revision 1.12
diff -u -p -r1.12 rsa_ameth.c
--- lib/libssl/src/crypto/rsa/rsa_ameth.c 11 Jul 2014 12:59:10 -0000 1.12
+++ lib/libssl/src/crypto/rsa/rsa_ameth.c 1 Oct 2014 09:16:39 -0000
@@ -433,7 +433,7 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, lo
#endif
case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
- *(int *)arg2 = NID_sha1;
+ *(int *)arg2 = NID_sha256;
return 1;
default:
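Review bot: switching ASN1_PKEY_CTRL_DEFAULT_MD_NID from NID_sha1 to NID_sha256 changes the default for every caller that reaches rsa_pkey_ctrl() with a NULL digest (the EVP_DigestSignInit() path traced above), not only openssl req; the commit message should say so, since other utilities and library users that sign with a NULL md will silently move to SHA-256 as well.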
Index: usr.bin/openssl/req.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/req.c,v
retrieving revision 1.2
diff -u -p -r1.2 req.c
--- usr.bin/openssl/req.c 28 Aug 2014 14:23:52 -0000 1.2
+++ usr.bin/openssl/req.c 1 Oct 2014 09:16:39 -0000
@@ -97,7 +97,7 @@
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
-#define DEFAULT_KEY_LENGTH 512
+#define DEFAULT_KEY_LENGTH 2048
#define MIN_KEY_LENGTH 384
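Review bot: DEFAULT_KEY_LENGTH goes to 2048 but the adjacent MIN_KEY_LENGTH stays at 384, so an explicit `-newkey rsa:512` or a config `default_bits = 512` is still accepted without comment; if the aim is to stop producing requests browsers will reject, consider raising the minimum or at least warning below 2048.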
Index: usr.bin/openssl/openssl.1
===================================================================
RCS file: /cvs/src/usr.bin/openssl/openssl.1,v
retrieving revision 1.3
diff -u -p -r1.3 openssl.1
--- usr.bin/openssl/openssl.1 16 Sep 2014 16:05:44 -0000 1.3
+++ usr.bin/openssl/openssl.1 1 Oct 2014 09:16:39 -0000
@@ -5774,7 +5774,7 @@ They are currently ignored by
request signing utilities, but some CAs might want them.
.It Ar default_bits
This specifies the default key size in bits.
-If not specified, 512 is used.
+If not specified, 2048 is used.
It is used if the
.Fl new
option is used.
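Review bot: the new "If not specified, 2048 is used." matches DEFAULT_KEY_LENGTH in req.c; it would help to also state the minimum accepted size here, so readers know that smaller values are still honoured when given explicitly.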
@@ -5790,10 +5790,11 @@ option.
.It Ar default_md
This option specifies the digest algorithm to use.
Possible values include
-.Ar md5
+.Ar md5 ,
+.Ar sha1
and
-.Ar sha1 .
-If not present, MD5 is used.
+.Ar sha256 .
+If not present, SHA256 is used.
This option can be overridden on the command line.
.It Ar distinguished_name
This specifies the section containing the distinguished name fields to
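Review bot: "If not present, SHA256 is used." is only accurate for RSA keys, because the default comes from the key type's pkey_ctrl (the rsa_ameth.c hunk); suggest "If not present, the default digest for the key type is used (SHA256 for RSA keys)." Listing md5 first under "Possible values include" also sits oddly with the purpose of this change; consider dropping md5 or marking md5 and sha1 as deprecated.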
Index: lib/libcrypto/openssl.cnf
===================================================================
RCS file: /cvs/src/lib/libcrypto/openssl.cnf,v
retrieving revision 1.1
diff -u -p -r1.1 openssl.cnf
--- lib/libcrypto/openssl.cnf 11 Apr 2014 22:51:53 -0000 1.1
+++ lib/libcrypto/openssl.cnf 1 Oct 2014 09:34:11 -0000
@@ -1,41 +1,20 @@
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
-
-RANDFILE = /dev/arandom
-
-####################################################################
[ req ]
-default_bits = 1024
-default_keyfile = privkey.pem
+#default_bits = 2048
+#default_md = sha256
+#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
-#countryName_default = AU
countryName_min = 2
countryName_max = 2
-
stateOrProvinceName = State or Province Name (full name)
-#stateOrProvinceName_default = Some-State
-
localityName = Locality Name (eg, city)
-
0.organizationName = Organization Name (eg, company)
-#0.organizationName_default = Internet Widgits Pty Ltd
-
-# we can do this but it is not needed normally :-)
-#1.organizationName = Second Organization Name (eg, company)
-#1.organizationName_default = CryptSoft Pty Ltd
-
organizationalUnitName = Organizational Unit Name (eg, section)
-#organizationalUnitName_default =
-
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
-
emailAddress = Email Address
emailAddress_max = 64
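Review bot: the commented-out `#default_bits = 2048` and `#default_md = sha256` restate compiled-in defaults that live in req.c and rsa_ameth.c; add a comment saying they are the built-in defaults, otherwise a later change to either source file leaves the shipped config asserting stale values. The removal of `RANDFILE = /dev/arandom` is a behaviour change of its own and should be mentioned in the commit message.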
@@ -43,23 +22,3 @@ emailAddress_max = 64
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
-
-unstructuredName = An optional company name
-
-[ x509v3_extensions ]
-
-nsCaRevocationUrl = http://www.cryptsoft.com/ca-crl.pem
-nsComment = "This is a comment"
-
-# under ASN.1, the 0 bit would be encoded as 80
-nsCertType = 0x40
-
-#nsBaseUrl
-#nsRevocationUrl
-#nsRenewalUrl
-#nsCaPolicyUrl
-#nsSslServerName
-#nsCertSequence
-#nsCertExt
-#nsDataType
-
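Review bot: dropping [ x509v3_extensions ] with the cryptsoft.com CRL URL and the nsCertType example is fine, as nothing in the remaining [ req ] section refers to it, but the removed `unstructuredName = An optional company name` sits alongside the challengePassword attribute and is not an extension; confirm it is meant to go rather than being trimmed by accident.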