mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-04-06 20:20:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

ts: Use sha256 as default digest for TS query

Browse Source 
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7900)
This commit is contained in:
Tomas Mraz 2018-12-14 12:10:58 +01:00
parent c162c126be
commit a6dfa18820
3 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@ -9,6 +9,9 @@
Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
*) Use SHA256 as the default digest for TS query in the ts app.
[Tomas Mraz]
*) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
This checks that the salt length is at least 128 bits, the derived key
length is at least 112 bits, and that the iteration count is at least 1000.

2
apps/ts.c
View File

@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
ASN1_OBJECT *policy_obj = NULL;
ASN1_INTEGER *nonce_asn1 = NULL;
if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL)
if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
goto err;
if ((ts_req = TS_REQ_new()) == NULL)
goto err;

8
doc/man1/ts.pod
View File

@ -518,7 +518,7 @@ included. Default is no. (Optional)
=item B<ess_cert_id_alg>
This option specifies the hash function to be used to calculate the TSA's
public key certificate identifier. Default is sha1. (Optional)
public key certificate identifier. Default is sha256. (Optional)
=back
@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
=head2 Time Stamp Request
To create a time stamp request for design1.txt with SHA-1
To create a time stamp request for design1.txt with SHA-256
without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \
@ -546,12 +546,12 @@ To print the content of the previous request in human readable format:
openssl ts -query -in design1.tsq -text
To create a time stamp request which includes the MD-5 digest
To create a time stamp request which includes the SHA-512 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
openssl ts -query -data design2.txt -md5 \
openssl ts -query -data design2.txt -sha512 \
-tspolicy tsa_policy1 -cert -out design2.tsq
=head2 Time Stamp Response