Update the test OCSP server to use SHA-256 for the generated test server certificate

net/tools/testserver/minica.py

 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 import asn1
 import hashlib
 import os
 
 
 # This file implements very minimal certificate and OCSP generation. It's
@@ skipping 12 matching lines @@
 def ModExp(n, e, p):
   '''ModExp returns n^e mod p'''
   r = 1
   while e != 0:
     if e & 1:
       r = (r*n) % p
     e >>= 1
     n = (n*n) % p
   return r
 
-# PKCS1v15_SHA1_PREFIX is the ASN.1 prefix for a SHA1 signature.
-PKCS1v15_SHA1_PREFIX = '3021300906052b0e03021a05000414'.decode('hex')
+# PKCS1v15_SHA256_PREFIX is the ASN.1 prefix for a SHA256 signature.
+PKCS1v15_SHA256_PREFIX = '3031300d060960864801650304020105000420'.decode('hex')
 
 class RSA(object):
   def __init__(self, modulus, e, d):
     self.m = modulus
     self.e = e
     self.d = d
 
     self.modlen = 0
     m = modulus
     while m != 0:
       self.modlen += 1
       m >>= 8
 
   def Sign(self, message):
-    digest = hashlib.sha1(message).digest()
-    prefix = PKCS1v15_SHA1_PREFIX
+    digest = hashlib.sha256(message).digest()
+    prefix = PKCS1v15_SHA256_PREFIX
 
     em = ['\xff'] * (self.modlen - 1 - len(prefix) - len(digest))
     em[0] = '\x00'
     em[1] = '\x01'
     em += "\x00" + prefix + digest
 
     n = 0
     for x in em:
       n <<= 8
       n |= ord(x)
@@ skipping 97 matching lines @@
 AIA_OCSP = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1])
 AUTHORITY_INFORMATION_ACCESS = asn1.OID([1, 3, 6, 1, 5, 5, 7, 1, 1])
 BASIC_CONSTRAINTS = asn1.OID([2, 5, 29, 19])
 CERT_POLICIES = asn1.OID([2, 5, 29, 32])
 COMMON_NAME = asn1.OID([2, 5, 4, 3])
 COUNTRY = asn1.OID([2, 5, 4, 6])
 HASH_SHA1 = asn1.OID([1, 3, 14, 3, 2, 26])
 OCSP_TYPE_BASIC = asn1.OID([1, 3, 6, 1, 5, 5, 7, 48, 1, 1])
 ORGANIZATION = asn1.OID([2, 5, 4, 10])
 PUBLIC_KEY_RSA = asn1.OID([1, 2, 840, 113549, 1, 1, 1])
-SHA1_WITH_RSA_ENCRYPTION = asn1.OID([1, 2, 840, 113549, 1, 1, 5])
+SHA256_WITH_RSA_ENCRYPTION = asn1.OID([1, 2, 840, 113549, 1, 1, 11])
 
 
 def MakeCertificate(
     issuer_cn, subject_cn, serial, pubkey, privkey, ocsp_url = None):
   '''MakeCertificate returns a DER encoded certificate, signed by privkey.'''
   extensions = asn1.SEQUENCE([])
 
   # Default subject name fields
   c = "XX"
   o = "Testing Org"
@@ skipping 33 matching lines @@
         asn1.SEQUENCE([ # PolicyInformation
           CERT_POLICY_OID,
         ]),
       ]))),
     ])
   )
 
   tbsCert = asn1.ToDER(asn1.SEQUENCE([
       asn1.Explicit(0, 2), # Version
       serial,
-      asn1.SEQUENCE([SHA1_WITH_RSA_ENCRYPTION, None]), # SignatureAlgorithm
+      asn1.SEQUENCE([SHA256_WITH_RSA_ENCRYPTION, None]), # SignatureAlgorithm
       Name(cn = issuer_cn), # Issuer
       asn1.SEQUENCE([ # Validity
         asn1.UTCTime("100101060000Z"), # NotBefore
         asn1.UTCTime("321201060000Z"), # NotAfter
       ]),
       Name(cn = subject_cn, c = c, o = o), # Subject
       asn1.SEQUENCE([ # SubjectPublicKeyInfo
         asn1.SEQUENCE([ # Algorithm
           PUBLIC_KEY_RSA,
           None,
         ]),
         asn1.BitString(asn1.ToDER(pubkey)),
       ]),
       asn1.Explicit(3, extensions),
     ]))
 
   return asn1.ToDER(asn1.SEQUENCE([
     asn1.Raw(tbsCert),
     asn1.SEQUENCE([
-      SHA1_WITH_RSA_ENCRYPTION,
+      SHA256_WITH_RSA_ENCRYPTION,
       None,
     ]),
     asn1.BitString(privkey.Sign(tbsCert)),
   ]))
 
 
 def MakeOCSPResponse(issuer_cn, issuer_key, serial, ocsp_state):
   # https://tools.ietf.org/html/rfc2560
   issuer_name_hash = asn1.OCTETSTRING(
       hashlib.sha1(asn1.ToDER(Name(cn = issuer_cn))).digest())
@@ skipping 28 matching lines @@
         cert_status,
         asn1.GeneralizedTime("20100101060000Z"), # thisUpdate
         asn1.Explicit(0, asn1.GeneralizedTime("20300101060000Z")), # nextUpdate
       ]),
     ]),
   ]))
 
   basic_resp = asn1.SEQUENCE([
     asn1.Raw(basic_resp_data_der),
     asn1.SEQUENCE([
-      SHA1_WITH_RSA_ENCRYPTION,
+      SHA256_WITH_RSA_ENCRYPTION,
       None,
     ]),
     asn1.BitString(issuer_key.Sign(basic_resp_data_der)),
   ])
 
   resp = asn1.SEQUENCE([
     asn1.ENUMERATED(0),
     asn1.Explicit(0, asn1.SEQUENCE([
       OCSP_TYPE_BASIC,
       asn1.OCTETSTRING(asn1.ToDER(basic_resp)),
@@ skipping 38 matching lines @@
   ocsp_der = None
   if ocsp_url is not None:
     if ocsp_state == OCSP_STATE_UNAUTHORIZED:
       ocsp_der = unauthorizedDER
     elif ocsp_state == OCSP_STATE_INVALID:
       ocsp_der = '3'
     else:
       ocsp_der = MakeOCSPResponse(ISSUER_CN, KEY, serial, ocsp_state)
 
   return (cert_pem + KEY_PEM, ocsp_der)