Skip to content

Commit

Permalink
Replace deprecated digest sha1 with sha256. Breaks actual client cert.
Browse files Browse the repository at this point in the history
  • Loading branch information
@kiarn
kiarn committed Jun 25, 2022
1 parent 85a59bb commit 960ab68
Show file tree
Hide file tree
Showing 5 changed files with 14 additions and 8 deletions.
8 changes: 7 additions & 1 deletion ajenti-core/aj/security/verifier.py
View file
@@ -1,5 +1,6 @@
from jadi import service
import aj
import logging


@service
Expand All @@ -9,7 +10,12 @@ def __init__(self, context):

def verify(self, x509):
serial = x509.get_serial_number()
digest = x509.digest('sha1')
digest = x509.digest('sha256')
if not b'sha256' in x509.get_signature_algorithm():
logging.warning(
f'Sha1 digest algorithm is deprecated,'
f'you should revoke the client certificate with serial {serial}'
f'and create a new one.')
# logging.debug(f'SSL verify: {x509.get_subject()} / {digest}')
for c in aj.config.data['ssl']['client_auth']['certificates']:
if int(c['serial']) == serial and c['digest'].encode('utf-8') == digest:
Expand Down
2 changes: 1 addition & 1 deletion ajenti-core/aj/wsgi.py
View file
Expand Up @@ -50,7 +50,7 @@ def get_environ(self):
user = ClientCertificateVerificator.get(aj.context).verify(certificate)
env['SSL_CLIENT_VALID'] = bool(user)
env['SSL_CLIENT_USER'] = user
env['SSL_CLIENT_DIGEST'] = certificate.digest('sha1')
env['SSL_CLIENT_DIGEST'] = certificate.digest('sha256')
return env

def _sendall(self, data):
Expand Down
4 changes: 2 additions & 2 deletions ajenti-panel/ajenti-client-ssl-gen
View file
Expand Up @@ -40,7 +40,7 @@ cert.set_serial_number(random.getrandbits(8 * 20))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(ca_cert.get_subject())
cert.sign(ca_key, 'sha1')
cert.sign(ca_key, 'sha256')

pkcs = PKCS12()
#pkcs.set_ca_certificates([ca_cert])
Expand All @@ -49,7 +49,7 @@ pkcs.set_privatekey(key)
pkcs.set_friendlyname(bytes(cn, encoding="utf-8"))

cert_info = {
'digest': cert.digest('sha1').decode('utf-8'),
'digest': cert.digest('sha256').decode('utf-8'),
'name': ','.join(b'='.join(x).decode('utf-8')
for x in cert.get_subject().get_components()
),
Expand Down
2 changes: 1 addition & 1 deletion ajenti-panel/ajenti-ssl-gen
View file
Expand Up @@ -32,7 +32,7 @@ cert.set_serial_number(random.getrandbits(8 * 20))
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.sign(key, 'sha1')
cert.sign(key, 'sha256')


with open(certificate_path, 'wb') as f:
Expand Down
6 changes: 3 additions & 3 deletions plugins/settings/views.py
View file
Expand Up @@ -53,15 +53,15 @@ def handle_api_generate_client_certificate(self, http_context):
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(ca_cert.get_subject())
cert.sign(ca_key, 'sha1')
cert.sign(ca_key, 'sha256')

pkcs = OpenSSL.crypto.PKCS12()
pkcs.set_certificate(cert)
pkcs.set_privatekey(key)
pkcs.set_friendlyname(bytes(data['cn'], encoding="utf-8"))

return {
'digest': cert.digest('sha1').decode('utf-8'),
'digest': cert.digest('sha256').decode('utf-8'),
'name': ','.join(b'='.join(x).decode('utf-8')
for x in cert.get_subject().get_components()
),
Expand Down Expand Up @@ -95,7 +95,7 @@ def handle_api_generate_server_certificate(self, http_context):
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
cert.set_issuer(cert.get_subject())
cert.sign(key, 'sha1')
cert.sign(key, 'sha256')

with open(certificate_path, 'wb') as f:
f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))
Expand Down

0 comments on commit 960ab68

Please sign in to comment.