Bug 1062325

Summary: openssl default key generation script uses obsolete hash for signature
Product: Fedora
Component: openssl
Version: rawhide
Status: CLOSED RAWHIDE
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Peter Backes <rtc>
Assignee: Tomas Mraz <tmraz>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: tmraz
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-02-06 17:09:34 UTC

Description Peter Backes 2014-02-06 16:35:57 UTC
Description of problem:
/etc/pki/tls/certs/Makefile invokes openssl in such a way that certificates are signed with SHA-1. SHA-1 is insecure and should not be used anymore according to NIST Special Publication 800-131A (http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf). Use at least SHA256. See p. 14: "SHA-1 shall not be used for digital signature generation after December 31, 2013."

Version-Release number of selected component (if applicable):
openssl-1.0.1e-37.fc20.i686

How reproducible:
always

Steps to Reproduce:
1. generated certificate with /etc/pki/tls/certs/Makefile

Actual results:
SHA-1 signature

Expected results:
SHA-256 signature

Additional info:
invoke openssl with -sha256

see also 1058108

Comment 1 Tomas Mraz 2014-02-06 17:09:34 UTC
Please try openssl-1.0.1e-39.fc21.

Comment 2 Peter Backes 2014-02-07 00:24:38 UTC
Seems to work. This brings it up to date, thanks. It would be good to have this in f20, too, as f20 will still be in use for quite some time.

There is another problem: The hash is fixed (previously to SHA-1, now to SHA-256). Instead, it should be chosen according to the key size. See "Recommendation for Key Management," NIST Special Publication 800-57 Part 1 Rev. 3, 07/2012.

Use SHA-256 only for RSA bits <= 3072
Use SHA-384 for 3072 < RSA bits <= 7680
Use SHA-512 for 7680 < RSA bits

See also bug 1062444.

Do you want me to open another bug for this?

Comment 3 Tomas Mraz 2014-02-07 08:17:41 UTC
To properly fix this so the hash is chosen according to the key size, it would be better to do it in the library code by choosing the hash in the ASN1_PKEY_CTRL_DEFAULT_MD_NID calls for each public key algorithm. This should be implemented upstream first. You can open an RFE for this here, but I'd suggest opening it in the upstream issue tracker by sending e-mail to rt as well.
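
An added example, not part of this bug thread and not code from the Fedora Makefile or OpenSSL: a shell audit that applies the key-size thresholds quoted in comment 2 to the text form of an RSA certificate and flags SHA-1 or under-strength signature digests. The function names, verdict strings and the sample certificate text are assumptions constructed for illustration.

```shell
# RSA-only audit of `openssl x509 -noout -text` output against the
# digest-per-key-size thresholds quoted in comment 2 (added example).

# Digest name for an RSA modulus size, per the thresholds in comment 2.
digest_for_rsa_bits() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac   # reject non-numeric input
    if [ "$1" -le 3072 ]; then echo sha256
    elif [ "$1" -le 7680 ]; then echo sha384
    else echo sha512
    fi
}

# Strength rank of a digest name; 0 covers SHA-1, MD5 and anything unrecognised.
digest_rank() {
    case $1 in
        sha256) echo 1 ;; sha384) echo 2 ;; sha512) echo 3 ;; *) echo 0 ;;
    esac
}

# Reads certificate text on stdin (openssl x509 -noout -text -in cert.pem).
# Prints "<bits> <signature digest> <verdict>".
audit_cert_text() {
    text=$(cat)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: *\([A-Za-z0-9]*\)With.*/\1/p' | head -n 1)
    [ -n "$sig" ] || sig=unknown
    want=$(digest_for_rsa_bits "$bits") || { echo "- $sig unparsed-key-size"; return 1; }
    if [ "$(digest_rank "$sig")" -eq 0 ]; then verdict=obsolete-or-unknown
    elif [ "$(digest_rank "$sig")" -lt "$(digest_rank "$want")" ]; then verdict="below-policy:want-$want"
    else verdict=ok
    fi
    echo "$bits $sig $verdict"
}

# Constructed sample: the fields a SHA-1-signed RSA-2048 certificate shows.
sample_sha1_cert() {
    cat <<'EOF'
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

sample_sha1_cert | audit_cert_text   # prints: 2048 sha1 obsolete-or-unknown
```

On the generation side, the same mapping can supply the digest option, for example `openssl req -"$(digest_for_rsa_bits 4096)"` in place of a fixed `-sha256`.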