From 960ab68fed7c19eb0dd7a02776ef2ddfa82fa8bc Mon Sep 17 00:00:00 2001 From: kiarn Date: Sat, 25 Jun 2022 18:11:35 +0200 Subject: [PATCH] Replace deprecated digest sha1 with sha256. Breaks actual client cert. --- ajenti-core/aj/security/verifier.py | 8 +++++++- ajenti-core/aj/wsgi.py | 2 +- ajenti-panel/ajenti-client-ssl-gen | 4 ++-- ajenti-panel/ajenti-ssl-gen | 2 +- plugins/settings/views.py | 6 +++--- 5 files changed, 14 insertions(+), 8 deletions(-) diff --git a/ajenti-core/aj/security/verifier.py b/ajenti-core/aj/security/verifier.py index 06d89e20f..d82cab7f6 100644 --- a/ajenti-core/aj/security/verifier.py +++ b/ajenti-core/aj/security/verifier.py @@ -1,5 +1,6 @@ from jadi import service import aj +import logging @service @@ -9,7 +10,12 @@ def __init__(self, context): def verify(self, x509): serial = x509.get_serial_number() - digest = x509.digest('sha1') + digest = x509.digest('sha256') + if not b'sha256' in x509.get_signature_algorithm(): + logging.warning( + f'Sha1 digest algorithm is deprecated,' + f'you should revoke the client certificate with serial {serial}' + f'and create a new one.') # logging.debug(f'SSL verify: {x509.get_subject()} / {digest}') for c in aj.config.data['ssl']['client_auth']['certificates']: if int(c['serial']) == serial and c['digest'].encode('utf-8') == digest: diff --git a/ajenti-core/aj/wsgi.py b/ajenti-core/aj/wsgi.py index 010f9061b..3c2894efd 100644 --- a/ajenti-core/aj/wsgi.py +++ b/ajenti-core/aj/wsgi.py @@ -50,7 +50,7 @@ def get_environ(self): user = ClientCertificateVerificator.get(aj.context).verify(certificate) env['SSL_CLIENT_VALID'] = bool(user) env['SSL_CLIENT_USER'] = user - env['SSL_CLIENT_DIGEST'] = certificate.digest('sha1') + env['SSL_CLIENT_DIGEST'] = certificate.digest('sha256') return env def _sendall(self, data): diff --git a/ajenti-panel/ajenti-client-ssl-gen b/ajenti-panel/ajenti-client-ssl-gen index 98dcd2cd0..9d9ddb26f 100755 --- a/ajenti-panel/ajenti-client-ssl-gen +++ b/ajenti-panel/ajenti-client-ssl-gen @@ -40,7 +40,7 @@ cert.set_serial_number(random.getrandbits(8 * 20)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(ca_cert.get_subject()) -cert.sign(ca_key, 'sha1') +cert.sign(ca_key, 'sha256') pkcs = PKCS12() #pkcs.set_ca_certificates([ca_cert]) @@ -49,7 +49,7 @@ pkcs.set_privatekey(key) pkcs.set_friendlyname(bytes(cn, encoding="utf-8")) cert_info = { - 'digest': cert.digest('sha1').decode('utf-8'), + 'digest': cert.digest('sha256').decode('utf-8'), 'name': ','.join(b'='.join(x).decode('utf-8') for x in cert.get_subject().get_components() ), diff --git a/ajenti-panel/ajenti-ssl-gen b/ajenti-panel/ajenti-ssl-gen index 3f9841b7b..b1f5e6aec 100755 --- a/ajenti-panel/ajenti-ssl-gen +++ b/ajenti-panel/ajenti-ssl-gen @@ -32,7 +32,7 @@ cert.set_serial_number(random.getrandbits(8 * 20)) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) -cert.sign(key, 'sha1') +cert.sign(key, 'sha256') with open(certificate_path, 'wb') as f: diff --git a/plugins/settings/views.py b/plugins/settings/views.py index ce10f7f5d..eef926979 100644 --- a/plugins/settings/views.py +++ b/plugins/settings/views.py @@ -53,7 +53,7 @@ def handle_api_generate_client_certificate(self, http_context): cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(ca_cert.get_subject()) - cert.sign(ca_key, 'sha1') + cert.sign(ca_key, 'sha256') pkcs = OpenSSL.crypto.PKCS12() pkcs.set_certificate(cert) @@ -61,7 +61,7 @@ def handle_api_generate_client_certificate(self, http_context): pkcs.set_friendlyname(bytes(data['cn'], encoding="utf-8")) return { - 'digest': cert.digest('sha1').decode('utf-8'), + 'digest': cert.digest('sha256').decode('utf-8'), 'name': ','.join(b'='.join(x).decode('utf-8') for x in cert.get_subject().get_components() ), @@ -95,7 +95,7 @@ def handle_api_generate_server_certificate(self, http_context): cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) cert.set_issuer(cert.get_subject()) - cert.sign(key, 'sha1') + cert.sign(key, 'sha256') with open(certificate_path, 'wb') as f: f.write(OpenSSL.crypto.dump_privatekey(OpenSSL.crypto.FILETYPE_PEM, key))