remoting/base/rsa_key_pair.cc - Issue 27832002: Sign self-signed certs with SHA256.

Side by Side Diff: remoting/base/rsa_key_pair.cc

Issue 27832002: Sign self-signed certs with SHA256. (Closed) Base URL: https://src.chromium.org/chrome/trunk/src/

Patch Set: Created 7 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "remoting/base/rsa_key_pair.h"	5 #include "remoting/base/rsa_key_pair.h"

6	6

7 #include <limits>	7 #include <limits>

8 #include <string>	8 #include <string>

9 #include <vector>	9 #include <vector>

10	10

(...skipping 75 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
86 std::vector<uint8> signature_buf;	86 std::vector<uint8> signature_buf;

87 signature_creator->Final(&signature_buf);	87 signature_creator->Final(&signature_buf);

88 std::string signature_str(signature_buf.begin(), signature_buf.end());	88 std::string signature_str(signature_buf.begin(), signature_buf.end());

89 std::string signature_base64;	89 std::string signature_base64;

90 base::Base64Encode(signature_str, &signature_base64);	90 base::Base64Encode(signature_str, &signature_base64);

91 return signature_base64;	91 return signature_base64;

92 }	92 }

93	93

94 std::string RsaKeyPair::GenerateCertificate() const {	94 std::string RsaKeyPair::GenerateCertificate() const {

95 std::string der_cert;	95 std::string der_cert;

	96 // Certificates are SHA1-signed because \|key_\| has likely been used to sign

	97 // with SHA1 previously, and you should not re-use a key for signing data with

	98 // multiple signature algorithms.
	Wez 2013/10/30 19:45:08 So should we be making arrangements to switch Chro So should we be making arrangements to switch Chromoting to SHA256? bemasc 2013/10/30 20:18:45 The important thing here is not really SHA1 vs. SH Show quoted text On 2013/10/30 19:45:08, Wez wrote: > So should we be making arrangements to switch Chromoting to SHA256? The important thing here is not really SHA1 vs. SHA256, but "hash agility" in general. I think you should probably be making arrangements to be able to upgrade hash functions periodically without creating a big headache. (My favorite discussion of hash agility is: http://valerieaurora.org/hash.html) Sergey Ulanov 2013/10/31 06:25:29 Why signing the same key with a different hash fun Why signing the same key with a different hash function is a problem? Beside that, it it's not \|key_\| that's being signed, but the whole certificate, so we are not signing the same data because serial number is generated randomly and different expiration date is used every time. Also, we never rely on signature for self-signed certs, so the choice of the hash function here is immaterial for security of the chromoting protocol.
96 net::x509_util::CreateSelfSignedCert(	99 net::x509_util::CreateSelfSignedCert(

97 key_.get(),	100 key_.get(),

	101 net::x509_util::DIGEST_SHA1,

98 "CN=chromoting",	102 "CN=chromoting",

99 base::RandInt(1, std::numeric_limits<int>::max()),	103 base::RandInt(1, std::numeric_limits<int>::max()),

100 base::Time::Now(),	104 base::Time::Now(),

101 base::Time::Now() + base::TimeDelta::FromDays(1),	105 base::Time::Now() + base::TimeDelta::FromDays(1),

102 &der_cert);	106 &der_cert);

103 return der_cert;	107 return der_cert;

104 }	108 }

105	109

106 } // namespace remoting	110 } // namespace remoting

OLD	NEW

« content/browser/media/webrtc_identity_store.cc ('K') | « net/ssl/server_bound_cert_service.cc ('k') | no next file » | no next file with comments »