aboutsummaryrefslogtreecommitdiffstats
path: root/src/pki/commands
diff options
context:
space:
mode:
Diffstat (limited to 'src/pki/commands')
-rw-r--r--src/pki/commands/acert.c12
-rw-r--r--src/pki/commands/issue.c12
-rw-r--r--src/pki/commands/req.c12
-rw-r--r--src/pki/commands/self.c12
-rw-r--r--src/pki/commands/signcrl.c12
5 files changed, 10 insertions, 50 deletions
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index e57131818..3a35b06d8 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -32,7 +32,7 @@
static int acert()
{
cred_encoding_type_t form = CERT_ASN1_DER;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_SHA256;
certificate_t *ac = NULL, *cert = NULL, *issuer =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -167,14 +167,6 @@ static int acert()
error = "issuer private key does not match issuer certificate";
goto end;
}
- if (private->get_type(private) == KEY_BLISS)
- {
- /* the default hash function is SHA512. SHA1 is not supported */
- if (digest == HASH_SHA1)
- {
- digest = HASH_SHA512;
- }
- }
if (hex)
{
@@ -295,7 +287,7 @@ static void __attribute__ ((constructor))reg()
{"not-before", 'F', 1, "date/time the validity of the AC starts"},
{"not-after", 'T', 1, "date/time the validity of the AC ends"},
{"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: sha256"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index fba0238ae..050ead77c 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -60,7 +60,7 @@ static void destroy_cdp(x509_cdp_t *this)
static int issue()
{
cred_encoding_type_t form = CERT_ASN1_DER;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_SHA256;
certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -364,14 +364,6 @@ static int issue()
}
public->destroy(public);
- if (private->get_type(private) == KEY_BLISS)
- {
- /* the default hash function is SHA512. SHA1 is not supported */
- if (digest == HASH_SHA1)
- {
- digest = HASH_SHA512;
- }
- }
if (hex)
{
serial = chunk_from_hex(chunk_create(hex, strlen(hex)), NULL);
@@ -599,7 +591,7 @@ static void __attribute__ ((constructor))reg()
{"crl", 'u', 1, "CRL distribution point URI to include"},
{"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: sha256"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 39d71626d..13ef1c9d8 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -31,7 +31,7 @@ static int req()
{
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_RSA;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_SHA256;
certificate_t *cert = NULL;
private_key_t *private = NULL;
char *file = NULL, *dn = NULL, *error = NULL;
@@ -103,14 +103,6 @@ static int req()
break;
}
- if (type == KEY_BLISS)
- {
- /* the default hash function is SHA512. SHA1 is not supported */
- if (digest == HASH_SHA1)
- {
- digest = HASH_SHA512;
- }
- }
if (!dn)
{
error = "--dn is required";
@@ -208,7 +200,7 @@ static void __attribute__ ((constructor))reg()
{"dn", 'd', 1, "subject distinguished name"},
{"san", 'a', 1, "subjectAltName to include in cert request"},
{"password",'p', 1, "challengePassword to include in cert request"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: sha256"},
{"outform", 'f', 1, "encoding of generated request, default: der"},
}
});
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 8dcb046de..13374e2de 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -50,7 +50,7 @@ static int self()
{
cred_encoding_type_t form = CERT_ASN1_DER;
key_type_t type = KEY_RSA;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_SHA256;
certificate_t *cert = NULL;
private_key_t *private = NULL;
public_key_t *public = NULL;
@@ -263,14 +263,6 @@ static int self()
break;
}
- if (type == KEY_BLISS)
- {
- /* the default hash function is SHA512. SHA1 is not supported */
- if (digest == HASH_SHA1)
- {
- digest = HASH_SHA512;
- }
- }
if (!dn)
{
error = "--dn is required";
@@ -455,7 +447,7 @@ static void __attribute__ ((constructor))reg()
{"policy-any", 'A', 1, "inhibitAnyPolicy constraint"},
{"flag", 'e', 1, "include extendedKeyUsage flag"},
{"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: sha256"},
{"outform", 'f', 1, "encoding of generated cert, default: der"},
}
});
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 4b81c775c..aa403229f 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -117,7 +117,7 @@ static int sign_crl()
certificate_t *ca = NULL, *crl = NULL;
crl_t *lastcrl = NULL;
x509_t *x509;
- hash_algorithm_t digest = HASH_SHA1;
+ hash_algorithm_t digest = HASH_SHA256;
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
char *basecrl = NULL;
char serial[512], *keyid = NULL;
@@ -335,14 +335,6 @@ static int sign_crl()
error = "CA private key does not match CA certificate";
goto error;
}
- if (private->get_type(private) == KEY_BLISS)
- {
- /* the default hash function is SHA512. SHA1 is not supported */
- if (digest == HASH_SHA1)
- {
- digest = HASH_SHA512;
- }
- }
if (basecrl)
{
@@ -473,7 +465,7 @@ static void __attribute__ ((constructor))reg()
{"serial", 's', 1, "hex encoded certificate serial number to revoke"},
{"reason", 'r', 1, "reason for certificate revocation"},
{"date", 'd', 1, "revocation date as unix timestamp, default: now"},
- {"digest", 'g', 1, "digest for signature creation, default: sha1"},
+ {"digest", 'g', 1, "digest for signature creation, default: sha256"},
{"outform", 'f', 1, "encoding of generated crl, default: der"},
}
});
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-18 22:26:43 +0000