Use SHA256 openssl signatures
This commit is contained in:
parent
e17bb27508
commit
be653e8e6b
2 changed files with 9 additions and 9 deletions
|
|
@ -12,18 +12,18 @@
|
|||
// To compile:
|
||||
// gcc half-sign.c -lssl -lcrypto -o half-sign
|
||||
|
||||
// Sign with SHA1
|
||||
#define HASH_SIZE 20
|
||||
// Sign with SHA256
|
||||
#define HASH_SIZE 32
|
||||
|
||||
void usage() {
|
||||
printf("half-sign <private key file> [binary hash file]\n");
|
||||
printf("\n");
|
||||
printf(" Computes and prints a binary RSA signature over data given the SHA1 hash of\n");
|
||||
printf(" Computes and prints a binary RSA signature over data given the SHA256 hash of\n");
|
||||
printf(" the data as input.\n");
|
||||
printf("\n");
|
||||
printf(" <private key file> should be PEM encoded.\n");
|
||||
printf("\n");
|
||||
printf(" The input SHA1 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
|
||||
printf(" The input SHA256 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE);
|
||||
printf(" specified, it will be read from stdin.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
|
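Review bot: `#define HASH_SIZE 32` on the new SHA256 line and `EVP_sha256()` in the sign_hashed_data hunk below now have to agree by hand, and nothing in the file ties them together: with a signature md set on the context, EVP_PKEY_sign rejects (as far as I recall) an input whose length differs from that md's size, so changing one without the other only shows up as a runtime signing failure. Suggest naming the dependency at the define, `#define HASH_SIZE 32 /* EVP_MD_size(EVP_sha256()); must match the md set in sign_hashed_data() */`, or deriving the read length in main from `EVP_MD_size(EVP_sha256())` so there is a single source of truth. The usage text already prints HASH_SIZE, so it stays correct either way.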
@ -41,7 +41,7 @@ void sign_hashed_data(EVP_PKEY *signing_key, unsigned char *md, size_t mdlen) {
|
|||
if ((!ctx)
|
||||
|| (EVP_PKEY_sign_init(ctx) <= 0)
|
||||
|| (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
|
||||
|| (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0)) {
|
||||
|| (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)) {
|
||||
fprintf(stderr, "Failure establishing ctx for signature\n");
|
||||
exit(1);
|
||||
}
|
||||
|
|
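Review bot: The failure branch after the `EVP_sha256()` change still prints only the generic "Failure establishing ctx for signature" and exits, so an operator cannot tell which of the four calls failed or why (for example a key type that does not accept this padding/md combination). Adding `ERR_print_errors_fp(stderr);` before `exit(1);` would dump the OpenSSL error queue with the real reason; that call needs `<openssl/err.h>`, which I cannot confirm is included from this hunk. The start of sign_hashed_data and the rest of its body are outside the hunk.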
@ -108,7 +108,7 @@ int main(int argc, char *argv[]) {
|
|||
exit(1);
|
||||
}
|
||||
if (fread(buffer, HASH_SIZE, 1, input) != 1) {
|
||||
perror("half-sign: Failed to read SHA1 from input\n");
|
||||
perror("half-sign: Failed to read SHA256 from input\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
|
|
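Review bot: `perror("half-sign: Failed to read SHA256 from input\n")` on the changed line is misleading in two ways: perror appends ": <strerror>" plus its own newline, so the embedded `\n` pushes the errno text onto a line of its own, and a short input (a file or stdin with fewer than HASH_SIZE bytes, the likely failure here) makes fread return 0 at EOF without setting errno, so the message ends in "Success" or whatever stale errno was left behind. Distinguish the two cases: `if (ferror(input)) perror("half-sign: Failed to read SHA256 from input"); else fprintf(stderr, "half-sign: expected %d bytes of SHA256 hash on input\n", HASH_SIZE);`. Input longer than HASH_SIZE bytes is silently accepted by this fread; if the rest of main does not check for trailing bytes, a comment saying so, or a check, would be worth adding. The enclosing main starts and ends outside the hunk.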
|
|||
|
|
@ -34,8 +34,8 @@ else
|
|||
echo Releasing developer version "$version"...
|
||||
fi
|
||||
|
||||
if [ "$RELEASE_OPENSSL_KEY" = "" ] ; then
|
||||
RELEASE_OPENSSL_KEY="`realpath \`dirname $0\``/eff-pubkey.pem"
|
||||
if [ "$RELEASE_OPENSSL_PUBKEY" = "" ] ; then
|
||||
RELEASE_OPENSSL_PUBKEY="`realpath \`dirname $0\``/eff-pubkey.pem"
|
||||
fi
|
||||
RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2}
|
||||
# Needed to fix problems with git signatures and pinentry
|
||||
|
|
@ -85,7 +85,7 @@ git checkout "$RELEASE_BRANCH"
|
|||
letsencrypt-auto-source/build.py
|
||||
|
||||
# and that it's signed correctly
|
||||
if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_KEY -signature \
|
||||
if ! openssl dgst -sha256 -verify $RELEASE_OPENSSL_PUBKEY -signature \
|
||||
letsencrypt-auto-source/letsencrypt-auto.sig \
|
||||
letsencrypt-auto-source/letsencrypt-auto ; then
|
||||
echo Failed letsencrypt-auto signature check on "$RELEASE_BRANCH"
|
||||
|
|
|
|||