Replaced obsolete cryptographic primitive with a modern/secure one. (#8450)

Motivation:

SHA1 is a broken hash function and shouldn't be used anymore (see: https://shattered.io/).
Security scanning tools will raise this as an issue and it will reflect badly on netty and I, therefore, recommend to use a SHA2 hash function which is secure and won't be flagged by such tools.

Modifications:

Replaced insecure SHA1 based signing scheme with SHA2.

Result:

Modern and thus secure cryptographic primitives will be in use and won't be flagged by security scanning tools.
This commit is contained in:
Daniel Gartmann 2018-11-02 06:20:54 +00:00 committed by Norman Maurer
parent d533befa96
commit 9c70dc8ba5

View File

@ -64,16 +64,16 @@ final class OpenJdkSelfSignedCertGenerator {
info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter)); info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
info.set(X509CertInfo.KEY, new CertificateX509Key(keypair.getPublic())); info.set(X509CertInfo.KEY, new CertificateX509Key(keypair.getPublic()));
info.set(X509CertInfo.ALGORITHM_ID, info.set(X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha1WithRSAEncryption_oid))); new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid)));
// Sign the cert to identify the algorithm that's used. // Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info); X509CertImpl cert = new X509CertImpl(info);
cert.sign(key, "SHA1withRSA"); cert.sign(key, "SHA256withRSA");
// Update the algorithm and sign again. // Update the algorithm and sign again.
info.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, cert.get(X509CertImpl.SIG_ALG)); info.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, cert.get(X509CertImpl.SIG_ALG));
cert = new X509CertImpl(info); cert = new X509CertImpl(info);
cert.sign(key, "SHA1withRSA"); cert.sign(key, "SHA256withRSA");
cert.verify(keypair.getPublic()); cert.verify(keypair.getPublic());
return newSelfSignedCertificate(fqdn, key, cert); return newSelfSignedCertificate(fqdn, key, cert);