Sign self-signed certs with SHA256.

remoting/base/rsa_key_pair.cc

Index: remoting/base/rsa_key_pair.cc
===================================================================
--- remoting/base/rsa_key_pair.cc	(revision 231602)
+++ remoting/base/rsa_key_pair.cc	(working copy)
@@ -93,8 +93,12 @@
 
 std::string RsaKeyPair::GenerateCertificate() const {
   std::string der_cert;
+  // Certificates are SHA1-signed because |key_| has likely been used to sign
+  // with SHA1 previously, and you should not re-use a key for signing data with
+  // multiple signature algorithms.

[Wez, 2013/10/30 19:45:08]

So should we be making arrangements to switch Chromoting to SHA256?

[bemasc, 2013/10/30 20:18:45]

The important thing here is not really SHA1 vs. SHA256, but "hash agility" in
general.  I think you should probably be making arrangements to be able to
upgrade hash functions periodically without creating a big headache.

(My favorite discussion of hash agility is: http://valerieaurora.org/hash.html)

[Sergey Ulanov, 2013/10/31 06:25:29]

Why signing the same key with a different hash function is a problem?
Beside that, it it's not |key_| that's being signed, but the whole certificate,
so we are not signing the same data because serial number is generated randomly
and different expiration date is used every time. 

Also, we never rely on signature for self-signed certs, so the choice of the
hash function here is immaterial for security of the chromoting protocol.

   net::x509_util::CreateSelfSignedCert(
       key_.get(),
+      net::x509_util::DIGEST_SHA1,
       "CN=chromoting",
       base::RandInt(1, std::numeric_limits<int>::max()),
       base::Time::Now(),