Drop SHA1, SHA224 for RSA-PSS/PKCS#1, enforce for RSA-PKCS#1 #234

Merged: 1 commit, Jan 19, 2022

@haydentherapper (Contributor) commented Jan 18, 2022

This sets the set of supported hashes to SHA256, SHA384,
and SHA512. SHA1 should not be used for RSA-PKCS#1v1.5,
as it is not collision resistant. Not an expert on this,
but technically SHA1 is acceptable for RSA-PSS due to how
the hash function is used, as part of its
"mask generation function". However, since SHA1 is not
supported by cloud KMS services, we should just remove it entirely.
SHA224 is also not supported anywhere.

RSA-PKCS#1v1.5 was not enforcing the set of hashes on load.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

Summary

Ticket Link

Fixes

Release Note

Dropped support for SHA1 and SHA224 when signing and verifying with RSA-PKCS#1-v1.5 and RSA-PSS

@haydentherapper
Contributor Author

cc @lukehinds - Can you kick off the workflows?

@haydentherapper
Contributor Author

cc @bobcallaway too, are you able to kick off the workflows?

@dlorenc dlorenc merged commit 245ddc2 into sigstore:main Jan 19, 2022
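
The behaviour the PR description states (only SHA256, SHA384 and SHA512 accepted, with the check made when the RSA-PKCS#1v1.5 signer/verifier is loaded), as an added Go example built on the standard library. It is not code from this pull request or from sigstore; `signerVerifier`, `load` and `roundTrip` are hypothetical names, and the key and message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA256
	_ "crypto/sha512" // registers SHA384 and SHA512
	"fmt"
)

// signerVerifier is a hypothetical type for this example, not sigstore's own.
type signerVerifier struct {
	key  *rsa.PrivateKey
	hash crypto.Hash
}

// load enforces the hash allowlist when the object is built, so SHA1 and
// SHA224 are refused before any signature is produced or checked.
func load(key *rsa.PrivateKey, h crypto.Hash) (*signerVerifier, error) {
	switch h {
	case crypto.SHA256, crypto.SHA384, crypto.SHA512: // set named in the PR description
		return &signerVerifier{key: key, hash: h}, nil
	}
	return nil, fmt.Errorf("unsupported hash %v for RSA-PKCS#1v1.5", h)
}

// roundTrip loads with hash h, then signs and verifies msg with a throwaway key.
func roundTrip(h crypto.Hash, msg []byte) error {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // constructed for the example
	if err != nil {
		return err
	}
	sv, err := load(key, h)
	if err != nil {
		return err
	}
	d := sv.hash.New()
	d.Write(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, sv.key, sv.hash, d.Sum(nil))
	if err != nil {
		return err
	}
	return rsa.VerifyPKCS1v15(&sv.key.PublicKey, sv.hash, d.Sum(nil), sig)
}

func main() { fmt.Println(roundTrip(crypto.SHA1, []byte("constructed message"))) }
```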