TSA - update to SHA-2 #474
Conversation
|
Note: sha1 usage is not completely eliminated by this PR. For now I have left it in openssl config tsa There's yet another usage of sha1, and that's ESSCertIDv1 (https://github.com/openssl/openssl/blob/OpenSSL_1_0_2d/crypto/ts/ts_rsp_sign.c#L845-L857). ESSCertIDv2 (rfc5816) allows using different hashes than sha1, but is not yet implemented. I did not examine thoroughly how widespread it currently is in trusted time-stamps.., our country's major QCA is providing trusted timestamps with sha256 signature algorithm, but still using v1 ESSCertID, i.e. sha1 hash as signer cert identifier. |
|
Similar patch is waiting for inclusion since 2010. Good luck :) |
|
I was not aware of the patch. I like the idea of configurable option, it came to me as well. But I finally took more simple/conservative/lazy approach :) |
|
I think this can now be closed? |
|
Yes, I think this can be closed. Please let me know if you want me to make another pull request with the |
|
Can you please look at #771 and see if it meets your needs? |
OpenSSL is still using rather obsolete SHA-1 in TSA (ts) code.
This pull request contains following changes:
apps/ts.c) (d4c5edc)crypto/ts/ts_rsp_sign.c) (71af5e7)digeststsa section config value (default acceptable time-stamp query message digest algorithms) in sections frommd5, sha1(!) tosha1, sha256, ...(apps/openssl.cnf,apps/openssl-vms.cnf) (ef86470)$datafileto$confsectionincreate_time_stamp_response; probably relict fromverify_time_stamp_responsecopy); fix typo in test msg string (fromreq3.reqtoreq3.tsq) (the changeset as above)