Replaced obsolete cryptographic primitive with a modern/secure one. (#8450)

Motivation: SHA1 is a broken hash function and shouldn't be used anymore (see: https://shattered.io/). Security scanning tools will raise this as an issue and it will reflect badly on netty and I, therefore, recommend to use a SHA2 hash function which is secure and won't be flagged by such tools. Modifications: Replaced insecure SHA1 based signing scheme with SHA2. Result: Modern and thus secure cryptographic primitives will be in use and won't be flagged by security scanning tools.
2018-11-02 06:20:54 +00:00 · 2018-11-02 06:20:54 +00:00 · 9c70dc8ba5
commit 9c70dc8ba5
parent d533befa96
1 changed files with 3 additions and 3 deletions
--- a/handler/src/main/java/io/netty/handler/ssl/util/OpenJdkSelfSignedCertGenerator.java
+++ b/handler/src/main/java/io/netty/handler/ssl/util/OpenJdkSelfSignedCertGenerator.java
@ -64,16 +64,16 @@ final class OpenJdkSelfSignedCertGenerator {
        info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
        info.set(X509CertInfo.KEY, new CertificateX509Key(keypair.getPublic()));
        info.set(X509CertInfo.ALGORITHM_ID,
-                new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha1WithRSAEncryption_oid)));
+                new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid)));

        // Sign the cert to identify the algorithm that's used.
        X509CertImpl cert = new X509CertImpl(info);
-        cert.sign(key, "SHA1withRSA");
+        cert.sign(key, "SHA256withRSA");

        // Update the algorithm and sign again.
        info.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, cert.get(X509CertImpl.SIG_ALG));
        cert = new X509CertImpl(info);
-        cert.sign(key, "SHA1withRSA");
+        cert.sign(key, "SHA256withRSA");
        cert.verify(keypair.getPublic());

        return newSelfSignedCertificate(fqdn, key, cert);