From a373d559e2feaec7ac9930230b5c2659185b3c81 Mon Sep 17 00:00:00 2001 From: Adrian Vladu Date: Mon, 4 Mar 2024 12:09:51 +0200 Subject: [PATCH] winrmlistener: use sha2 instead of insecure sha1 SHA1 is no longer secure and thus needs to be replaced by a secure algorithm, in this case SHA256. See: https://en.wikipedia.org/wiki/SHA-1#Attacks Fixes: https://github.com/cloudbase/cloudbase-init/issues/123 Change-Id: Ib565b99116fe966421f57b6c1f3bf6d6b9589288 Signed-off-by: Adrian Vladu --- cloudbaseinit/utils/windows/cryptoapi.py | 2 ++ cloudbaseinit/utils/windows/x509.py | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/cloudbaseinit/utils/windows/cryptoapi.py b/cloudbaseinit/utils/windows/cryptoapi.py index 033f1a52..bb57e577 100644 --- a/cloudbaseinit/utils/windows/cryptoapi.py +++ b/cloudbaseinit/utils/windows/cryptoapi.py @@ -137,8 +137,10 @@ CERT_FIND_SHA1_HASH = 0x10000 CERT_KEY_PROV_INFO_PROP_ID = 2 CERT_KEY_CONTEXT_PROP_ID = 5 +# https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_algorithm_identifier szOID_PKIX_KP_SERVER_AUTH = b"1.3.6.1.5.5.7.3.1" szOID_RSA_SHA1RSA = b"1.2.840.113549.1.1.5" +szOID_RSA_SHA256RSA = b"1.2.840.113549.1.1.11" advapi32 = windll.advapi32 crypt32 = windll.crypt32 diff --git a/cloudbaseinit/utils/windows/x509.py b/cloudbaseinit/utils/windows/x509.py index ce6d75b2..493a3524 100644 --- a/cloudbaseinit/utils/windows/x509.py +++ b/cloudbaseinit/utils/windows/x509.py @@ -195,7 +195,7 @@ class CryptoAPICertManager(object): key_prov_info.dwFlags = 0 sign_alg = cryptoapi.CRYPT_ALGORITHM_IDENTIFIER() - sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA1RSA + sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA256RSA start_time = cryptoapi.SYSTEMTIME() cryptoapi.GetSystemTime(ctypes.byref(start_time))