Allow signing hashes to be configurable

framework/Pgp/lib/Horde/Pgp.php

@@ -150,6 +150,9 @@ public function encryptSymmetric($text, $passphrase, array $opts = array())
      *                      decrypted).
      * @param array $opts   Additional options:
      *   - nocompress: (boolean) If true, don't compress signed data.
+     *   - sign_hash: (string) The hash method to use. (DEFAULT: SHA256)
+     *   - sign_hash_dsa: (string) The hash method to use with DSA. (DEFAULT:
+     *                    SHA1)
      *
      * @return Horde_Pgp_Element_Message  The signed data.
      * @throws Horde_Pgp_Exception
@@ -163,7 +166,9 @@ public function sign($text, $key, array $opts = array())
                 $this->_getPrivateKey($key),
                 'message',
                 array_merge(array(
-                    'nocompress' => false
+                    'nocompress' => false,
+                    'sign_hash' => 'SHA256',
+                    'sign_hash_dsa' => 'SHA1'
                 ), $opts)
             ),
             Horde_Pgp_Translation::t("Could not PGP sign data.")
@@ -176,15 +181,27 @@ public function sign($text, $key, array $opts = array())
      * @param string $text  The text to be signed.
      * @param mixed $key    The private key to use for signing (must be
      *                      decrypted).
+     * @param array $opts   Additional options:
+     *   - sign_hash: (string) The hash method to use. (DEFAULT: SHA256)
+     *   - sign_hash_dsa: (string) The hash method to use with DSA. (DEFAULT:
+     *                    SHA1)
      *
      * @return Horde_Pgp_Element_SignedMessage  The signed data.
      * @throws Horde_Pgp_Exception
      */
-    public function signCleartext($text, $key)
+    public function signCleartext($text, $key, array $opts = array())
     {
         return $this->_runInBackend(
             'sign',
-            array($text, $this->_getPrivateKey($key), 'clear'),
+            array(
+                $text,
+                $this->_getPrivateKey($key),
+                'clear',
+                array_merge(array(
+                    'sign_hash' => 'SHA256',
+                    'sign_hash_dsa' => 'SHA1'
+                ), $opts)
+            ),
             Horde_Pgp_Translation::t("Could not PGP sign data.")
         );
     }
@@ -195,15 +212,27 @@ public function signCleartext($text, $key)
      * @param string $text  The text to be signed.
      * @param mixed $key    The private key to use for signing (must be
      *                      decrypted).
+     * @param array $opts   Additional options:
+     *   - sign_hash: (string) The hash method to use. (DEFAULT: SHA256)
+     *   - sign_hash_dsa: (string) The hash method to use with DSA. (DEFAULT:
+     *                    SHA1)
      *
      * @return Horde_Pgp_Element_Signature  The detached signature.
      * @throws Horde_Pgp_Exception
      */
-    public function signDetached($text, $key)
+    public function signDetached($text, $key, array $opts = array())
     {
         return $this->_runInBackend(
             'sign',
-            array($text, $this->_getPrivateKey($key), 'detach'),
+            array(
+                $text,
+                $this->_getPrivateKey($key),
+                'detach',
+                array_merge(array(
+                    'sign_hash' => 'SHA256',
+                    'sign_hash_dsa' => 'SHA1'
+                ), $opts)
+            ),
             Horde_Pgp_Translation::t("Could not PGP sign data.")
         );
     }

framework/Pgp/lib/Horde/Pgp/Backend.php

@@ -97,7 +97,9 @@ public function encryptSymmetric($text, $passphrase, $opts)
      *                                           'message'.
      * @param array $opts                        Additional options:
      *   - nocompress: (boolean) If true, don't compress signed data.
-     *
+     *   - sign_hash: (string) The hash method to use. (DEFAULT: SHA256)
+     *   - sign_hash_dsa: (string) The hash method to use with DSA. (DEFAULT:
+     *                    SHA1)
      *
      * @return mixed  The signed message.
      */

framework/Pgp/lib/Horde/Pgp/Backend/Openpgp.php

@@ -391,13 +391,17 @@ public function sign($text, $key, $mode, $opts = array())
         case 2:
         case 3:
             // RSA
-            $result = $rsa->sign($text, 'SHA256');
+            $result = $rsa->sign($text, $opts['sign_hash']);
             break;
 
         case 17:
-            // DSA; use SHA1 since that is what it was designed for (at least
-            // with DSS profile)
-            $sig = new OpenPGP_SignaturePacket($text, 'DSA', 'SHA1');
+            // DSA; use SHA1 by default, since that is what DSA/DSS was
+            // designed for.
+            $sig = new OpenPGP_SignaturePacket(
+                $text,
+                'DSA',
+                $opts['sign_hash_dsa']
+            );
             $sig->hashed_subpackets[] = new OpenPGP_SignaturePacket_IssuerPacket(
                 substr($pkey->fingerprint, -16)
             );
@@ -406,8 +410,8 @@ public function sign($text, $key, $mode, $opts = array())
 
             $sig->sign_data(array(
                 'DSA' => array(
-                    'SHA1' => function ($data) use ($dsa) {
-                        return $dsa->sign($data, 'SHA1');
+                    $opts['sign_hash_dsa'] => function ($data) use ($dsa, $opts) {
+                        return $dsa->sign($data, $opts['sign_hash_dsa']);
                     }
                 )
             ));
@@ -421,7 +425,7 @@ public function sign($text, $key, $mode, $opts = array())
             $sm = new Horde_Pgp_Element_SignedMessage(
                 new OpenPGP_Message(array($result[1], $result[0]))
             );
-            $sm->headers['Hash'] = 'SHA1';
+            $sm->headers['Hash'] = $opts['sign_hash_dsa'];
             return $sm;
 
         case 'detach':