Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: replace MD5 in PEM encryption? #32777

Open
micahhyman1 opened this issue Jun 25, 2019 · 3 comments

Comments

@micahhyman1
Copy link

commented Jun 25, 2019

The deriveKey function in crypto/x509 uses an md5 hash to derive the encryption key. This hash is out-of-date, insecure and non FIPS compliant. It should be replaced with sha-256.

@FiloSottile FiloSottile changed the title crypto/x509 Replace usage of md5 hash with sha-256 in PEM encryption crypto/x509: Replace usage of md5 hash with sha-256 in PEM encryption Jun 25, 2019
@FiloSottile

This comment has been minimized.

Copy link
Member

commented Jun 25, 2019

That's not a change we can make unilaterally. It would make it impossible to decrypt PEM files encrypted by OpenSSL or by previous versions of Go.

Thankfully, it's not being used as a collision-resistant hash, but as a key derivation function, and MD5 is not broken for that purpose.

I will look into the spec to see if there's anything we can change.

@FiloSottile FiloSottile added this to the Unplanned milestone Jun 25, 2019
@FiloSottile FiloSottile changed the title crypto/x509: Replace usage of md5 hash with sha-256 in PEM encryption crypto/x509: replace MD5 in PEM encryption? Jun 25, 2019
@micahhyman1

This comment has been minimized.

Copy link
Author

commented Jun 25, 2019

Could it be made an option on the encryption function to choose which hash is used, the same way one can choose which cipher to use?

@lucasmoten

This comment has been minimized.

Copy link

commented Sep 2, 2019

I think that could be added as additional convenience functions in crypto/x509/pem_decrypt.go.
Similar to how openssl extended to support password based key derivation function. Theoretically, the current implementation of DecryptPEMBlock wouldn't work with a cert encrypted via
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter 1000 -salt -in plaintext.pem -out encrypted.pem
Establishing additional functions that support the inputs openssl offers for specifying message digest and iteration count etc would be an improvement.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.