
From f0740c131b69f3346f07e7b7b03ebf27c50c0ccd Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 11 Mar 2022 11:33:56 +0100
Subject: [PATCH] Use SHA-256 instead of SHA-1 for PKINIT CMS digest
Various organizations, including NIST, have for some years strongly
recommended against using SHA-1 for digital signatures. The CMS
digest is used to generate such signatures, so it should be upgraded
to SHA-256.
---
 .../preauth/pkinit/pkinit_crypto_openssl.c    | 27 ++++++++++---------
 1 file changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 42e5c581d..2a6ef4aaa 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -1240,7 +1240,7 @@ cms_signeddata_create(krb5_context context,
         /* will not fill-out EVP_PKEY because it's on the smartcard */
 
         /* Set digest algs */
-        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha1);
+        p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256);
 
         if (p7si->digest_alg->parameter != NULL)
             ASN1_TYPE_free(p7si->digest_alg->parameter);
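Review bot: Setting `p7si->digest_alg->algorithm = OBJ_nid2obj(NID_sha256)` changes only what this signer emits; every hunk in the patch is in cms_signeddata_create, create_signature or pkinit_get_certs_pkcs11, so the verification path is untouched and presumably still accepts SignerInfos whose digest_alg is SHA-1. If the intent stated in the commit message is to retire SHA-1 for PKINIT signatures, the verify side needs a matching policy (reject, or at least log, a digest_alg other than SHA-256 on the KDC), or the message should say this is emit-only. A comment here would also help the next reader weigh the interoperability trade-off, e.g. `/* SHA-256 per current guidance; peers implementing only the original RFC 4556 algorithm set may reject it. */`. cms_signeddata_create starts and ends outside this hunk.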
@@ -1251,17 +1251,17 @@ cms_signeddata_create(krb5_context context,
         /* Set sig algs */
         if (p7si->digest_enc_alg->parameter != NULL)
             ASN1_TYPE_free(p7si->digest_enc_alg->parameter);
-        p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
+        p7si->digest_enc_alg->algorithm = OBJ_nid2obj(NID_sha256WithRSAEncryption);
         if (!(p7si->digest_enc_alg->parameter = ASN1_TYPE_new()))
             goto cleanup;
         p7si->digest_enc_alg->parameter->type = V_ASN1_NULL;
 
         /* add signed attributes */
-        /* compute sha1 digest over the EncapsulatedContentInfo */
+        /* compute sha256 digest over the EncapsulatedContentInfo */
         ctx = EVP_MD_CTX_new();
         if (ctx == NULL)
             goto cleanup;
-        EVP_DigestInit_ex(ctx, EVP_sha1(), NULL);
+        EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
         EVP_DigestUpdate(ctx, data, data_len);
         md_tmp = EVP_MD_CTX_md(ctx);
         EVP_DigestFinal_ex(ctx, md_data, &md_len);
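Review bot: The digest written by `EVP_DigestFinal_ex(ctx, md_data, &md_len)` grows from 20 to 32 bytes with this change, and md_data's declaration is outside the hunk; if it is sized with SHA_DIGEST_LENGTH rather than EVP_MAX_MD_SIZE this is now a stack buffer overflow, so the buffer size needs confirming as part of this patch. The three EVP_Digest* calls also discard their int return values, so a failed init leaves md_data unset while digest_alg still claims SHA-256, producing an unverifiable SignerInfo instead of an error; fail closed with `if (!EVP_DigestInit_ex(ctx, EVP_sha256(), NULL) || !EVP_DigestUpdate(ctx, data, data_len) || !EVP_DigestFinal_ex(ctx, md_data, &md_len)) goto cleanup;`. The enclosing function continues past this hunk.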
@@ -1289,9 +1289,10 @@ cms_signeddata_create(krb5_context context,
             goto cleanup2;
 
 #ifndef WITHOUT_PKCS11
-        /* Some tokens can only do RSAEncryption without sha1 hash */
-        /* to compute sha1WithRSAEncryption, encode the algorithm ID for the hash
-         * function and the hash value into an ASN.1 value of type DigestInfo
+        /* Some tokens can only do RSAEncryption without sha256 hash */
+        /* to compute sha256WithRSAEncryption, encode the algorithm ID for the
+         * hash function and the hash value into an ASN.1 value of type
+         * DigestInfo
          * DigestInfo::=SEQUENCE {
          *  digestAlgorithm  AlgorithmIdentifier,
          *  digest OCTET STRING }
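Review bot: The reworded comment `Some tokens can only do RSAEncryption without sha256 hash` is a mechanical s/sha1/sha256/ that obscures the actual reason for this branch: the token performs raw PKCS#1 v1.5 (CKM_RSA_PKCS) with no hashing at all, so the code must DER-encode the DigestInfo itself, as the i2d_X509_ALGOR call further down shows. Suggest `/* Some tokens only offer raw CKM_RSA_PKCS (no hashing), so to produce a sha256WithRSAEncryption signature we DER-encode the DigestInfo ourselves: */` and keep the DigestInfo structure description that follows. A hash-agnostic wording also spares this comment another edit on the next digest migration. The enclosing function starts and ends outside the hunk.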
@@ -1310,7 +1311,7 @@ cms_signeddata_create(krb5_context context,
             alg = X509_ALGOR_new();
             if (alg == NULL)
                 goto cleanup2;
-            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL);
+            X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL);
             alg_len = i2d_X509_ALGOR(alg, NULL);
 
             digest = ASN1_OCTET_STRING_new();
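Review bot: `X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha256), V_ASN1_NULL, NULL)` hardcodes the digest OID a second time in the same function, independently of the EVP context that actually computed the hash, so the DigestInfo's algorithm identifier and the hashed bytes can drift apart the next time one site is edited without the other, and the result is a PKCS#1 v1.5 signature over a mislabelled digest. The earlier hunk already captures `md_tmp = EVP_MD_CTX_md(ctx)`, so derive the OID from it instead: `X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md_tmp)), V_ASN1_NULL, NULL);` — assuming md_tmp is still in scope here, which the hunk does not show. The same single-source-of-truth argument applies to the `digest_alg->algorithm` assignment at the top of the function.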
@@ -1339,7 +1340,7 @@ cms_signeddata_create(krb5_context context,
 #endif
         {
             pkiDebug("mech = %s\n",
-                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA1_RSA_PKCS" : "FS");
+                     id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS");
             retval = pkinit_sign_data(context, id_cryptoctx, abuf, alen,
                                       &sig, &sig_len);
         }
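Review bot: The debug line `pkiDebug("mech = %s\n", id_cryptoctx->pkcs11_method == 1 ? "CKM_SHA256_RSA_PKCS" : "FS")` names a mechanism unconditionally, yet the last two hunks of this patch show id_cryptoctx->mech being forced to CKM_RSA_PKCS under `#ifndef PKINIT_USE_MECH_LIST` and set to CKM_SHA256_RSA_PKCS only on the mechanism-list path, so in the default build this message misreports what the token is asked to do — exactly the case you would be debugging when a card rejects the new mechanism. Print the actual field: `id_cryptoctx->mech == CKM_SHA256_RSA_PKCS ? "CKM_SHA256_RSA_PKCS" : "CKM_RSA_PKCS"` in the PKCS#11 arm. That pkcs11_method == 1 denotes the PKCS#11 case is inferred only from the alternative "FS" label.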
@@ -4189,7 +4190,7 @@ create_signature(unsigned char **sig, unsigned int *sig_len,
     ctx = EVP_MD_CTX_new();
     if (ctx == NULL)
         return ENOMEM;
-    EVP_SignInit(ctx, EVP_sha1());
+    EVP_SignInit(ctx, EVP_sha256());
     EVP_SignUpdate(ctx, data, data_len);
     *sig_len = EVP_PKEY_size(pkey);
     if ((*sig = malloc(*sig_len)) == NULL)
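Review bot: `EVP_SignInit(ctx, EVP_sha256())` hardcodes the digest in create_signature independently of the digest_alg and digest_enc_alg that cms_signeddata_create writes into the SignerInfo, and nothing in the file ties the two together; the signature only verifies while both happen to say SHA-256. A file-level constant such as `#define PKINIT_CMS_DIGEST_NID NID_sha256`, used at every site and resolved here with `EVP_get_digestbynid(PKINIT_CMS_DIGEST_NID)`, would make this migration, and the next one, a one-line change. EVP_SignInit and EVP_SignUpdate also return int and are unchecked; fail closed with `if (!EVP_SignInit(ctx, EVP_sha256()) || !EVP_SignUpdate(ctx, data, data_len)) goto cleanup;`, adapted to whatever cleanup path the rest of the function, which is outside the hunk, uses.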
@@ -4663,10 +4664,10 @@ pkinit_get_certs_pkcs11(krb5_context context,
 
 #ifndef PKINIT_USE_MECH_LIST
     /*
-     * We'd like to use CKM_SHA1_RSA_PKCS for signing if it's available, but
+     * We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but
      * many cards seems to be confused about whether they are capable of
      * this or not. The safe thing seems to be to ignore the mechanism list,
-     * always use CKM_RSA_PKCS and calculate the sha1 digest ourselves.
+     * always use CKM_RSA_PKCS and calculate the sha256 digest ourselves.
      */
 
     id_cryptoctx->mech = CKM_RSA_PKCS;
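Review bot: The comment now reads `We'd like to use CKM_SHA256_RSA_PKCS for signing if it's available, but many cards seems to be confused`, which attributes to CKM_SHA256_RSA_PKCS an observation that was originally made about CKM_SHA1_RSA_PKCS; nothing in this patch establishes that cards misreport the SHA-256 mechanism. Keep the provenance explicit, e.g. `* many cards were seen to misreport the hashed mechanisms (observed with CKM_SHA1_RSA_PKCS), so the safe thing is to ignore the mechanism list,` and fix `seems` to `seem` while here. The rationale for always choosing CKM_RSA_PKCS is unchanged by the patch and still sound.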
@@ -4694,7 +4695,7 @@ pkinit_get_certs_pkcs11(krb5_context context,
         if (mechp[i] == CKM_RSA_PKCS) {
             /* This seems backwards... */
             id_cryptoctx->mech =
-                (info.flags & CKF_SIGN) ? CKM_SHA1_RSA_PKCS : CKM_RSA_PKCS;
+                (info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS;
         }
     }
     free(mechp);
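Review bot: `(info.flags & CKF_SIGN) ? CKM_SHA256_RSA_PKCS : CKM_RSA_PKCS` selects CKM_SHA256_RSA_PKCS based on the capability flags of CKM_RSA_PKCS, as the existing `This seems backwards...` comment already admits; with SHA-1 that was mostly harmless because tokens offering RSA almost always also offered CKM_SHA1_RSA_PKCS, but CKM_SHA256_RSA_PKCS may be absent on older tokens, so C_SignInit can now fail with CKR_MECHANISM_INVALID on hardware that signed fine before this patch. Since this loop already walks mechp, record whether CKM_SHA256_RSA_PKCS itself is listed and select it only then, e.g. `if (mechp[i] == CKM_SHA256_RSA_PKCS) have_sha256 = TRUE;` ahead of the existing check, falling back to CKM_RSA_PKCS with the self-built DigestInfo otherwise. The loop header and the conditional-compilation branch this code sits in are outside the hunk.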
-- 
2.35.1