Replaced obsolete cryptographic primitive with a modern/secure one. (#8450)
Motivation: SHA1 is a broken hash function and shouldn't be used anymore (see: https://shattered.io/). Security scanning tools will raise this as an issue and it will reflect badly on netty and I, therefore, recommend to use a SHA2 hash function which is secure and won't be flagged by such tools. Modifications: Replaced insecure SHA1 based signing scheme with SHA2. Result: Modern and thus secure cryptographic primitives will be in use and won't be flagged by security scanning tools.
This commit is contained in:
parent
d533befa96
commit
9c70dc8ba5
@ -64,16 +64,16 @@ final class OpenJdkSelfSignedCertGenerator {
|
||||
info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
|
||||
info.set(X509CertInfo.KEY, new CertificateX509Key(keypair.getPublic()));
|
||||
info.set(X509CertInfo.ALGORITHM_ID,
|
||||
new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha1WithRSAEncryption_oid)));
|
||||
new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid)));
|
||||
|
||||
// Sign the cert to identify the algorithm that's used.
|
||||
X509CertImpl cert = new X509CertImpl(info);
|
||||
cert.sign(key, "SHA1withRSA");
|
||||
cert.sign(key, "SHA256withRSA");
|
||||
|
||||
// Update the algorithm and sign again.
|
||||
info.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, cert.get(X509CertImpl.SIG_ALG));
|
||||
cert = new X509CertImpl(info);
|
||||
cert.sign(key, "SHA1withRSA");
|
||||
cert.sign(key, "SHA256withRSA");
|
||||
cert.verify(keypair.getPublic());
|
||||
|
||||
return newSelfSignedCertificate(fqdn, key, cert);
|
||||
|
Loading…
Reference in New Issue
Block a user