diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c index 36fd40f7c..21454cc25 100644 --- a/lib/hx509/ca.c +++ b/lib/hx509/ca.c @@ -543,7 +543,7 @@ ca_sign(hx509_context context, time_t notAfter; unsigned key_usage; - sigalg = hx509_signature_rsa_with_sha1(); + sigalg = hx509_signature_rsa_with_sha256(); memset(&c, 0, sizeof(c)); diff --git a/lib/hx509/cms.c b/lib/hx509/cms.c index dc43a313a..0587660f1 100644 --- a/lib/hx509/cms.c +++ b/lib/hx509/cms.c @@ -1094,7 +1094,7 @@ hx509_cms_create_signed_1(hx509_context context, ret = _hx509_create_signature(context, _hx509_cert_private_key(cert), - hx509_signature_rsa_with_sha1(), + hx509_signature_rsa_with_sha256(), &os, &signer_info->signatureAlgorithm, &signer_info->signature); diff --git a/lib/hx509/crypto.c b/lib/hx509/crypto.c index 9146be6dc..8f03c90d0 100644 --- a/lib/hx509/crypto.c +++ b/lib/hx509/crypto.c @@ -1355,17 +1355,17 @@ static const heim_octet_string null_entry_oid = { 2, rk_UNCONST("\x05\x00") }; static const unsigned sha512_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 3 }; const AlgorithmIdentifier _hx509_signature_sha512_data = { - { 8, rk_UNCONST(sha512_oid_tree) }, rk_UNCONST(&null_entry_oid) + { 9, rk_UNCONST(sha512_oid_tree) }, rk_UNCONST(&null_entry_oid) }; static const unsigned sha384_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2 }; const AlgorithmIdentifier _hx509_signature_sha384_data = { - { 8, rk_UNCONST(sha384_oid_tree) }, rk_UNCONST(&null_entry_oid) + { 9, rk_UNCONST(sha384_oid_tree) }, rk_UNCONST(&null_entry_oid) }; static const unsigned sha256_oid_tree[] = { 2, 16, 840, 1, 101, 3, 4, 2, 1 }; const AlgorithmIdentifier _hx509_signature_sha256_data = { - { 8, rk_UNCONST(sha256_oid_tree) }, rk_UNCONST(&null_entry_oid) + { 9, rk_UNCONST(sha256_oid_tree) }, rk_UNCONST(&null_entry_oid) }; static const unsigned sha1_oid_tree[] = { 1, 3, 14, 3, 2, 26 }; @@ -2406,11 +2406,11 @@ hx509_crypto_select(const hx509_context context, if (type == HX509_SELECT_DIGEST) { bits = SIG_DIGEST; - def = hx509_signature_sha1(); + def = hx509_signature_sha256(); } else if (type == HX509_SELECT_PUBLIC_SIG) { bits = SIG_PUBLIC_SIG; /* XXX depend on `sourceŽ and `peerŽ */ - def = hx509_signature_rsa_with_sha1(); + def = hx509_signature_rsa_with_sha256(); } else { hx509_set_error_string(context, 0, EINVAL, "Unknown type %d of selection", type); diff --git a/lib/hx509/req.c b/lib/hx509/req.c index c8c59d530..f375e1734 100644 --- a/lib/hx509/req.c +++ b/lib/hx509/req.c @@ -191,7 +191,7 @@ _hx509_request_to_pkcs10(hx509_context context, ret = _hx509_create_signature(context, signer, - hx509_signature_rsa_with_sha1(), + hx509_signature_rsa_with_sha256(), &data, &r.signatureAlgorithm, &os); diff --git a/lib/hx509/revoke.c b/lib/hx509/revoke.c index 008ab40e6..162fae83f 100644 --- a/lib/hx509/revoke.c +++ b/lib/hx509/revoke.c @@ -800,7 +800,7 @@ hx509_ocsp_request(hx509_context context, memset(&req, 0, sizeof(req)); if (digest == NULL) - digest = hx509_signature_sha1(); + digest = hx509_signature_sha256(); ctx.req = &req.tbsRequest; ctx.certs = pool; diff --git a/lib/hx509/tst-crypto-available1 b/lib/hx509/tst-crypto-available1 index 3bcbd1135..ad0c27fe7 100644 --- a/lib/hx509/tst-crypto-available1 +++ b/lib/hx509/tst-crypto-available1 @@ -3,7 +3,7 @@ 1.2.840.113549.1.1.5 1.2.840.113549.1.1.4 1.2.840.113549.1.1.2 -2.16.840.1.101.3.4.2 +2.16.840.1.101.3.4.2.1 1.3.14.3.2.26 1.2.840.113549.2.5 1.2.840.113549.2.2 diff --git a/lib/hx509/tst-crypto-available2 b/lib/hx509/tst-crypto-available2 index f48db524b..b3f76e376 100644 --- a/lib/hx509/tst-crypto-available2 +++ b/lib/hx509/tst-crypto-available2 @@ -1,4 +1,4 @@ -2.16.840.1.101.3.4.2 +2.16.840.1.101.3.4.2.1 1.3.14.3.2.26 1.2.840.113549.2.5 1.2.840.113549.2.2 diff --git a/lib/hx509/tst-crypto-select1 b/lib/hx509/tst-crypto-select1 index eb0d095ad..c343b5708 100644 --- a/lib/hx509/tst-crypto-select1 +++ b/lib/hx509/tst-crypto-select1 @@ -1 +1 @@ -1.3.14.3.2.26 +2.16.840.1.101.3.4.2.1 diff --git a/lib/hx509/tst-crypto-select2 b/lib/hx509/tst-crypto-select2 index 749a54905..399c883a9 100644 --- a/lib/hx509/tst-crypto-select2 +++ b/lib/hx509/tst-crypto-select2 @@ -1 +1 @@ -1.2.840.113549.1.1.5 +1.2.840.113549.1.1.11