Package: ganeti-2.15 / 2.15.2-15

0027-ca-use-sha256-md.patch

From: Apollon Oikonomopoulos <apoikos@debian.org>
Date: Thu, 14 Feb 2019 14:18:09 +0200
Subject: Sign generated certs using SHA256

Last-Update: 2018-08-27
Bug-Debian: https://bugs.debian.org/907216

Ganeti uses SHA1 digests for signed certificates, which are then rejected by
OpenSSL when using SECLEVEL >= 2. Since SHA1 is deprecated and considered weak
by several parties, we switch to using SHA256 instead.

While at it, drop the private definition of X509_CERT_SIGN_DIGEST from
utils.x509 and use the global definition from constants instead.
---
 lib/utils/x509.py       | 5 ++---
 src/Ganeti/Constants.hs | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/utils/x509.py b/lib/utils/x509.py
index dde88f9..e47588c 100644
--- a/lib/utils/x509.py
+++ b/lib/utils/x509.py
@@ -54,7 +54,6 @@ X509_SIGNATURE = re.compile(r"^%s:\s*(?P<salt>%s+)/(?P<sign>%s+)$" %
                             (re.escape(constants.X509_CERT_SIGNATURE_HEADER),
                              HEX_CHAR_RE, HEX_CHAR_RE),
                             re.S | re.I)
-X509_CERT_SIGN_DIGEST = "SHA1"
 
 # Certificate verification results
 (CERT_WARNING,
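
Review bot: Removing the module-level X509_CERT_SIGN_DIGEST from lib/utils/x509.py drops a name that other modules or tests may still reference through utils.x509. The diffstat touches only x509.py and Constants.hs, so grep the tree for the old name before merging, or keep a one-line alias to constants.X509_CERT_SIGN_DIGEST if out-of-tree callers matter.
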
@@ -349,7 +348,7 @@ def GenerateSignedX509Cert(common_name, validity, serial_no,
   req = OpenSSL.crypto.X509Req()
   req.get_subject().CN = common_name
   req.set_pubkey(key_pair)
-  req.sign(key_pair, X509_CERT_SIGN_DIGEST)
+  req.sign(key_pair, constants.X509_CERT_SIGN_DIGEST)
 
   # Load the certificates used for signing.
   signing_key = OpenSSL.crypto.load_privatekey(
@@ -365,7 +364,7 @@ def GenerateSignedX509Cert(common_name, validity, serial_no,
   cert.gmtime_adj_notAfter(validity)
   cert.set_issuer(signing_cert.get_subject())
   cert.set_pubkey(req.get_pubkey())
-  cert.sign(signing_key, X509_CERT_SIGN_DIGEST)
+  cert.sign(signing_key, constants.X509_CERT_SIGN_DIGEST)
 
   # Encode the key and certificate in PEM format.
   key_pem = OpenSSL.crypto.dump_privatekey(
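
Review bot: No test in this patch verifies that the cert.sign(signing_key, constants.X509_CERT_SIGN_DIGEST) call now yields a SHA256 signature. A unit test that calls GenerateSignedX509Cert, loads the resulting PEM and checks that get_signature_algorithm() reports a SHA256-based algorithm would catch a later regression of the constant, which lives in a different file and language from this call site.
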
diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs
index b05c50b..75b9b14 100644
--- a/src/Ganeti/Constants.hs
+++ b/src/Ganeti/Constants.hs
@@ -617,7 +617,7 @@ x509CertSignatureHeader = "X-Ganeti-Signature"
 
 -- | Digest used to sign certificates ("openssl x509" uses SHA1 by default)
 x509CertSignDigest :: String
-x509CertSignDigest = "SHA1"
+x509CertSignDigest = "SHA256"
 
 -- * Import/export daemon mode
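
Review bot: The comment above x509CertSignDigest still reads '("openssl x509" uses SHA1 by default)', which no longer explains the value once it is "SHA256". Reword it to give the actual reason, which the commit message states as rejection of SHA1-signed certificates by OpenSSL at SECLEVEL >= 2. The change only affects certificates signed after it is applied, so the changelog should also say that existing SHA1-signed certificates have to be regenerated.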