FAQ | This is a LIVE service | Changelog

Commit a919ba4b authored by Tony Finch's avatar Tony Finch

regpg: explicitly tell OpenSSL to use SHA-256

This is to ensure that signatures on CSRs and certificates use
SHA-256. I have not managed to find a version of OpenSSL that
does not use SHA-256 (I checked 1.0.1 and 1.1.0 and 1.1.1) so
this is effectively a no-op, but it might be useful for people
on Red-Hat-alike systems stuck on ante-diluvian versions.
parent 89617a18
......@@ -868,7 +868,7 @@ sub gencrt {
# If we generate a CSR then `openssl x509 -req` drops the
# extensions when making a signed certificate. `openssl ca`
# requires too much faff with config files for our purposes.
pipespew $priv, qw(openssl req -new -x509 -key /dev/stdin),
pipespew $priv, qw(openssl req -new -x509 -sha256 -key /dev/stdin),
random_serial, -days => $days, -config => $cnf, -out => $self;
if (@ARGV == 6) {
# The authorityKeyIdentifier will get the wrong value if
......@@ -877,7 +877,7 @@ sub gencrt {
spewto $ext,
"subjectKeyIdentifier = hash\n",
"authorityKeyIdentifier = keyid:always, issuer:always\n";
pipespew $cakey, qw(openssl x509 -CAkey /dev/stdin),
pipespew $cakey, qw(openssl x509 -sha256 -CAkey /dev/stdin),
random_serial, -days => $days, -CA => $cacrt,
-extfile => $ext, -in => $self, -out => $signed;
unlink $self, $ext;
......@@ -892,7 +892,7 @@ sub gencsr {
my $key = getkey $priv;
my @opt = (-config => $cnf);
push @opt, stdio -out => $req;
pipespew $key, qw(openssl req -new -key /dev/stdin), @opt;
pipespew $key, qw(openssl req -new -sha256 -key /dev/stdin), @opt;
vsystem qw(openssl req -text -in), $req
if $opt{v} and $opt[-2] eq '-out';
return 0;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment