Package: tinyca
Version: 0.7.5-5
Followup-For: Bug #759481
Dear Maintainer,
Attached is a patch to add support for SHA-224, SHA-256, SHA-384, and
SHA-512. It also makes the default digest algorithm SHA-512. I've run
it through very basic server cert testing.
The patch is on top of the Debian local changes. I couldn't find an
upstream. If it exists, I'd be happy to help push it up.
Ross
-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'testing'), (40, 'unstable'), (30, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages tinyca depends on:
ii libgtk2-perl 2:1.244-1
ii liblocale-gettext-perl 1.05-7+b1
ii openssl 1.0.1e-2+deb7u13
Versions of packages tinyca recommends:
ii zip 3.0-6
tinyca suggests no packages.
-- no debconf information
diff -ur orig/tinyca-0.7.5/lib/CA.pm tinyca-0.7.5/lib/CA.pm
--- orig/tinyca-0.7.5/lib/CA.pm 2006-07-25 15:12:00.0 -0500
+++ tinyca-0.7.5/lib/CA.pm 2014-11-01 12:32:46.277413381 -0500
@@ -349,7 +349,7 @@
$opts = {};
$opts->{'days'} = 3650; # set default to 10 years
$opts->{'bits'} = 4096;
- $opts->{'digest'} = 'sha1';
+ $opts->{'digest'} = 'sha512';
if(defined($mode) && $mode eq "sub") { # create SubCA, use defaults
$opts->{'parentca'} = $main->{'CA'}->{'actca'};
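Review bot: The new default is written as a string literal in `$opts->{'digest'} = 'sha512';` here, and the same literal is repeated in the next CA.pm hunk and again in REQ.pm. Suggest defining the default digest once (a package-level constant or shared variable) and referencing it from each site, so the next algorithm change is a one-line edit and the sites cannot drift apart.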
@@ -453,7 +453,7 @@
$opts = {};
$opts->{'days'} = 3650; # set default to 10 years
$opts->{'bits'} = 4096;
- $opts->{'digest'} = 'sha1';
+ $opts->{'digest'} = 'sha512';
$main->show_ca_import_dialog($opts);
return;
diff -ur orig/tinyca-0.7.5/lib/GUI.pm tinyca-0.7.5/lib/GUI.pm
--- orig/tinyca-0.7.5/lib/GUI.pm 2014-11-01 12:51:39.0 -0500
+++ tinyca-0.7.5/lib/GUI.pm 2014-11-01 12:25:31.123392155 -0500
@@ -37,6 +37,10 @@
'ripemd160' => 'RIPEMD-160',
# 'sha' => 'SHA',
'sha1' => 'SHA-1',
+ 'sha224' => 'SHA-224',
+ 'sha256' => 'SHA-256',
+ 'sha384' => 'SHA-384',
+ 'sha512' => 'SHA-512',
);
my %bit_lengths = (
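Review bot: The context line `'sha1' => 'SHA-1',` in the digest label hash is left unchanged, so SHA-1 is still offered with the same standing as the new SHA-2 entries even though the defaults elsewhere in this patch move away from it. Consider marking it in the display string, for example 'SHA-1 (legacy)', so the dialog reflects the new default.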
diff -ur orig/tinyca-0.7.5/lib/REQ.pm tinyca-0.7.5/lib/REQ.pm
--- orig/tinyca-0.7.5/lib/REQ.pm 2006-07-25 15:12:00.0 -0500
+++ tinyca-0.7.5/lib/REQ.pm 2014-11-01 12:30:12.025870028 -0500
@@ -59,7 +59,7 @@
GUI::HELPERS::print_error($t);
}
$opts->{'bits'} = 4096;
- $opts->{'digest'} = 'sha1';
+ $opts->{'digest'} = 'sha512';
$opts->{'algo'} = 'rsa';
if(defined($opts) && $opts eq "sign") {
$opts->{'sign'} = 1;
@@ -426,6 +426,14 @@
$opts->{'digest'} = "md5";
} elsif ($opts->{'digest'} =~ /^sha1/) {
$opts->{'digest'} = "sha1";
+ } elsif ($opts->{'digest'} =~ /^sha224/) {
+ $opts->{'digest'} = "sha224";
+ } elsif ($opts->{'digest'} =~ /^sha256/) {
+ $opts->{'digest'} = "sha256";
+ } elsif ($opts->{'digest'} =~ /^sha384/) {
+ $opts->{'digest'} = "sha384";
+ } elsif ($opts->{'digest'} =~ /^sha512/) {
+ $opts->{'digest'} = "sha512";
} elsif ($opts->{'digest'} =~ /^ripemd160/) {
$opts->{'digest'} = "ripemd160";
} else {
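Review bot: The four added `elsif` branches each match a prefix and then assign the very string they matched, e.g. `} elsif ($opts->{'digest'} =~ /^sha256/) {`. For the sha and ripemd160 branches, a single capturing match such as `=~ /^(sha1|sha224|sha256|sha384|sha512|ripemd160)/` followed by `$opts->{'digest'} = $1;` would replace the chain and remove the chance of a copy-paste mismatch between pattern and assigned value. If the chain is kept, a short comment on what input these prefixes are matched against would help, since the patterns are anchored only at the start.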
diff -ur orig/tinyca-0.7.5/templates/openssl.cnf tinyca-0.7.5/templates/openssl.cnf
--- orig/tinyca-0.7.5/templates/openssl.cnf 2006-07-25 15:12:01.0 -0500
+++ tinyca-0.7.5/templates/openssl.cnf 2014-11-01 12:30:43.238590285 -0500
@@ -15,7 +15,7 @@
x509_extensions = client_cert
default_days= 365
default_crl_days= 30
-default_md = sha1
+default_md = sha512
preserve= no
policy = policy_client
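Review bot: The `default_md = sha512` change in the section with `x509_extensions = client_cert` is not covered by the testing described in the cover message, which mentions only very basic server cert testing. Please also issue and verify a client certificate, and a CA certificate for the `v3_ca` section changed further down, with the new default, and record the change of default in the package changelog.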
@@ -33,7 +33,7 @@
x509_extensions = server_cert
default_days= 365
default_crl_days= 30
-default_md = sha1
+default_md = sha512
preserve= no
policy = policy_server
@@ -51,7 +51,7 @@
x509_extensions = v3_ca
default_days= 365
default_crl_days= 30
-default_md = sha1
+default_md = sha512
preserve= no
policy = policy_ca