Bug#759481: tinyca: No support for SHA2 as a signature algorithm. SHA1 gets deprecated in 2016.

2014-11-01 Thread Ross Vandegrift 
Package: tinyca
Version: 0.7.5-5
Followup-For: Bug #759481

Dear Maintainer,

Attached is a patch to add support for SHA-224, SHA-256, SHA-384, and
SHA-512.  It also makes the default digest algorithm SHA-512.  I've run
it though very basic server cert testing.

The patch is on top of the Debian local changes.  I couldn't find an
upstream.  If it exists, I'd be happy to help push it up.

Ross

-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (50, 'testing'), (40, 
'unstable'), (30, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-0.bpo.2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tinyca depends on:
ii  libgtk2-perl2:1.244-1
ii  liblocale-gettext-perl  1.05-7+b1
ii  openssl 1.0.1e-2+deb7u13

Versions of packages tinyca recommends:
ii  zip  3.0-6

tinyca suggests no packages.

-- no debconf information
diff -ur orig/tinyca-0.7.5/lib/CA.pm tinyca-0.7.5/lib/CA.pm
--- orig/tinyca-0.7.5/lib/CA.pm	2006-07-25 15:12:00.0 -0500
+++ tinyca-0.7.5/lib/CA.pm	2014-11-01 12:32:46.277413381 -0500
@@ -349,7 +349,7 @@
   $opts = {};
   $opts->{'days'} = 3650; # set default to 10 years
   $opts->{'bits'} = 4096;
-  $opts->{'digest'} = 'sha1';
+  $opts->{'digest'} = 'sha512';
 
   if(defined($mode) && $mode eq "sub") { # create SubCA, use defaults
  $opts->{'parentca'} = $main->{'CA'}->{'actca'};
@@ -453,7 +453,7 @@
   $opts = {};
   $opts->{'days'} = 3650; # set default to 10 years
   $opts->{'bits'} = 4096;
-  $opts->{'digest'} = 'sha1';
+  $opts->{'digest'} = 'sha512';
   
   $main->show_ca_import_dialog($opts);
   return;
diff -ur orig/tinyca-0.7.5/lib/GUI.pm tinyca-0.7.5/lib/GUI.pm
--- orig/tinyca-0.7.5/lib/GUI.pm	2014-11-01 12:51:39.0 -0500
+++ tinyca-0.7.5/lib/GUI.pm	2014-11-01 12:25:31.123392155 -0500
@@ -37,6 +37,10 @@
 		 'ripemd160' => 'RIPEMD-160',
 #		 'sha' => 'SHA',
 		 'sha1' => 'SHA-1',
+		 'sha224' => 'SHA-224',
+		 'sha256' => 'SHA-256',
+		 'sha384' => 'SHA-384',
+		 'sha512' => 'SHA-512',
 		 );
 
 my %bit_lengths = (
diff -ur orig/tinyca-0.7.5/lib/REQ.pm tinyca-0.7.5/lib/REQ.pm
--- orig/tinyca-0.7.5/lib/REQ.pm	2006-07-25 15:12:00.0 -0500
+++ tinyca-0.7.5/lib/REQ.pm	2014-11-01 12:30:12.025870028 -0500
@@ -59,7 +59,7 @@
  GUI::HELPERS::print_error($t);
   }
   $opts->{'bits'}   = 4096;
-  $opts->{'digest'} = 'sha1';
+  $opts->{'digest'} = 'sha512';
   $opts->{'algo'}   = 'rsa';
   if(defined($opts) && $opts eq "sign") {
  $opts->{'sign'} = 1;
@@ -426,6 +426,14 @@
  $opts->{'digest'} = "md5";
   } elsif ($opts->{'digest'} =~ /^sha1/) {
  $opts->{'digest'} = "sha1";
+  } elsif ($opts->{'digest'} =~ /^sha224/) {
+ $opts->{'digest'} = "sha224";
+  } elsif ($opts->{'digest'} =~ /^sha256/) {
+ $opts->{'digest'} = "sha256";
+  } elsif ($opts->{'digest'} =~ /^sha384/) {
+ $opts->{'digest'} = "sha384";
+  } elsif ($opts->{'digest'} =~ /^sha512/) {
+ $opts->{'digest'} = "sha512";
   } elsif ($opts->{'digest'} =~ /^ripemd160/) {
  $opts->{'digest'} = "ripemd160";
   } else {
diff -ur orig/tinyca-0.7.5/templates/openssl.cnf tinyca-0.7.5/templates/openssl.cnf
--- orig/tinyca-0.7.5/templates/openssl.cnf	2006-07-25 15:12:01.0 -0500
+++ tinyca-0.7.5/templates/openssl.cnf	2014-11-01 12:30:43.238590285 -0500
@@ -15,7 +15,7 @@
 x509_extensions = client_cert
 default_days= 365
 default_crl_days= 30
-default_md  = sha1
+default_md  = sha512
 preserve= no
 policy  = policy_client
 
@@ -33,7 +33,7 @@
 x509_extensions = server_cert
 default_days= 365
 default_crl_days= 30
-default_md  = sha1
+default_md  = sha512
 preserve= no
 policy  = policy_server
 
@@ -51,7 +51,7 @@
 x509_extensions = v3_ca
 default_days= 365
 default_crl_days= 30
-default_md  = sha1
+default_md  = sha512
 preserve= no
 policy  = policy_ca

Bug#759481: tinyca: No support for SHA2 as a signature algorithm. SHA1 gets deprecated in 2016.

2014-08-27 Thread Aiko Barz 
Package: tinyca
Version: 0.7.5-5
Severity: important

Dear Maintainer,

Microsoft released a SHA1 Deprecation Policy[1]. Example:

"For SSL certificates, Windows will stop accepting SHA1 end-entity certificates
by 1 January 2017. This means any time valid SHA1 SSL certificates must be
replaced with a SHA2 equivalent by 1 January 2017."

Google also deprecates SHA1 end-entity certificates within Chrome[2]:

- "All SHA-1-using certificates that are valid AFTER 2017/1/1 are treated
insecure, but without an interstitial. That is, they will receive a degraded UI
indicator, but users will NOT be directed to click through an error page."
- "Additionally, the mixed content blocker will be taught to treat these as
mixed content, which WILL require a user action to interact with."
- "All SHA-1-using certificates that are valid AFTER 2016/1/1 are treated as
insecure, but without an interstitial. They will receive a degraded UI
indicator, but will NOT be treated as mixed content."

TinyCA has no SHA2 support. So, does TinyCA become deprecated as well?

Kind regards,
Aiko Barz

[1]: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-
policy.aspx
[2]: https://groups.google.com/a/chromium.org/forum/#!msg/blink-
dev/2-R4XziFc7A/YO0ZSrX_X4wJ



-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to 
en_US.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tinyca depends on:
ii  libgtk2-perl2:1.2492-2+b1
ii  liblocale-gettext-perl  1.05-8+b1
ii  openssl 1.0.1i-2

Versions of packages tinyca recommends:
ii  zip  3.0-8

tinyca suggests no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org