From 9c70dc8ba580731cb9c5a031185975384764183b Mon Sep 17 00:00:00 2001
From: Daniel Gartmann
Date: Fri, 2 Nov 2018 06:20:54 +0000
Subject: [PATCH] Replaced obsolete cryptographic primitive with a modern/secure one. (#8450)
Motivation: SHA1 is a broken hash function and shouldn't be used anymore (see: https://shattered.io/). Security scanning tools will raise this as an issue and it will reflect badly on netty and I, therefore, recommend to use a SHA2 hash function which is secure and won't be flagged by such tools.
Modifications: Replaced insecure SHA1 based signing scheme with SHA2.
Result: Modern and thus secure cryptographic primitives will be in use and won't be flagged by security scanning tools.
---
 .../handler/ssl/util/OpenJdkSelfSignedCertGenerator.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/handler/src/main/java/io/netty/handler/ssl/util/OpenJdkSelfSignedCertGenerator.java b/handler/src/main/java/io/netty/handler/ssl/util/OpenJdkSelfSignedCertGenerator.java
index 07a6fb91eb..30d74e2705 100644
--- a/handler/src/main/java/io/netty/handler/ssl/util/OpenJdkSelfSignedCertGenerator.java
+++ b/handler/src/main/java/io/netty/handler/ssl/util/OpenJdkSelfSignedCertGenerator.java
@@ -64,16 +64,16 @@ final class OpenJdkSelfSignedCertGenerator {
 info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
 info.set(X509CertInfo.KEY, new CertificateX509Key(keypair.getPublic()));
 info.set(X509CertInfo.ALGORITHM_ID,
- new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha1WithRSAEncryption_oid)));
+ new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid)));
 // Sign the cert to identify the algorithm that's used.
 X509CertImpl cert = new X509CertImpl(info);
- cert.sign(key, "SHA1withRSA");
+ cert.sign(key, "SHA256withRSA");
 // Update the algorithm and sign again.
 info.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, cert.get(X509CertImpl.SIG_ALG));
 cert = new X509CertImpl(info);
- cert.sign(key, "SHA1withRSA");
+ cert.sign(key, "SHA256withRSA");
 cert.verify(keypair.getPublic());
 return newSelfSignedCertificate(fqdn, key, cert);
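Review bot: The signature algorithm is now spelled out in three separate places in this hunk — `AlgorithmId.sha256WithRSAEncryption_oid` and the two `cert.sign(key, "SHA256withRSA")` calls — and nothing ties them together, so a later edit that changes only one of them could leave the certificate's declared algorithm and its actual signature out of step. I would hoist the name into one constant, `private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";`, and pass it to both `cert.sign` calls. The diffstat shows only this file changed, so no test pins the new behaviour; an assertion that the generated certificate's `getSigAlgName()` equals `SHA256withRSA` would catch a silent return to SHA-1. The enclosing method begins and ends outside the hunk, so how `keypair` is generated is not visible here; the hard-coded `withRSA` suffix presumably matches it, which is worth confirming.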