1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61
|
From: Apollon Oikonomopoulos <apoikos@debian.org>
Date: Thu, 14 Feb 2019 15:15:54 +0200
Subject: Sign generated certs using SHA256
Last-Update: 2018-08-27
Bug-Debian: https://bugs.debian.org/907216
Ganeti uses SHA1 digests for signed certificates, which are then rejected by
OpenSSL when using SECLEVEL >= 2. Since SHA1 is deprecated and considered weak
by several parties, we switch to using SHA256 instead.
While at it, drop the private definition of X509_CERT_SIGN_DIGEST from
utils.x509 and use the global definition from constants instead.
---
lib/utils/x509.py | 5 ++---
src/Ganeti/Constants.hs | 2 +-
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/lib/utils/x509.py b/lib/utils/x509.py
index 2e4aa81..cd50595 100644
--- a/lib/utils/x509.py
+++ b/lib/utils/x509.py
@@ -55,7 +55,6 @@ X509_SIGNATURE = re.compile(r"^%s:\s*(?P<salt>%s+)/(?P<sign>%s+)$" %
(re.escape(constants.X509_CERT_SIGNATURE_HEADER),
HEX_CHAR_RE, HEX_CHAR_RE),
re.S | re.I)
-X509_CERT_SIGN_DIGEST = "SHA1"
# Certificate verification results
(CERT_WARNING,
@@ -350,7 +349,7 @@ def GenerateSignedX509Cert(common_name, validity, serial_no,
req = OpenSSL.crypto.X509Req()
req.get_subject().CN = common_name
req.set_pubkey(key_pair)
- req.sign(key_pair, X509_CERT_SIGN_DIGEST)
+ req.sign(key_pair, constants.X509_CERT_SIGN_DIGEST)
# Load the certificates used for signing.
signing_key = OpenSSL.crypto.load_privatekey(
@@ -366,7 +365,7 @@ def GenerateSignedX509Cert(common_name, validity, serial_no,
cert.gmtime_adj_notAfter(validity)
cert.set_issuer(signing_cert.get_subject())
cert.set_pubkey(req.get_pubkey())
- cert.sign(signing_key, X509_CERT_SIGN_DIGEST)
+ cert.sign(signing_key, constants.X509_CERT_SIGN_DIGEST)
# Encode the key and certificate in PEM format.
key_pem = OpenSSL.crypto.dump_privatekey(
diff --git a/src/Ganeti/Constants.hs b/src/Ganeti/Constants.hs
index a1f84d9..28b15f1 100644
--- a/src/Ganeti/Constants.hs
+++ b/src/Ganeti/Constants.hs
@@ -619,7 +619,7 @@ x509CertSignatureHeader = "X-Ganeti-Signature"
-- | Digest used to sign certificates ("openssl x509" uses SHA1 by default)
x509CertSignDigest :: String
-x509CertSignDigest = "SHA1"
+x509CertSignDigest = "SHA256"
-- * Import/export daemon mode
|