Change cms_sign_data to use sha256 message digest
cms_sign_data was not passing the md parameter to openssl, so it was using the default digest of sha1. Some security standards require a SHA2 algorithm for the digest. This is for security hardening.

SecurityImpact

Change-Id: Iff063149e1f12df69bbf9015222d09d798980872
Closes-Bug: #1362343
This commit is contained in:
parent
7684d95647
commit
84c9ccaed3
|
@ -332,7 +332,8 @@ def cms_sign_data(data_to_sign, signing_cert_file_name, signing_key_file_name,
|
|||
'-inkey', signing_key_file_name,
|
||||
'-outform', 'PEM',
|
||||
'-nosmimecap', '-nodetach',
|
||||
'-nocerts', '-noattr'],
|
||||
'-nocerts', '-noattr',
|
||||
'-md', 'sha256', ],
|
||||
stdin=subprocess.PIPE,
|
||||
stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
|
|
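Review bot: The digest is hard-coded as the literal 'sha256' on the new `'-md', 'sha256', ],` line, so a deployment whose standard calls for a different SHA2 variant would need another code change. Consider accepting the digest as a keyword argument of cms_sign_data with 'sha256' as the default, or at least naming it in a module-level constant, and stating the default in the function's docstring. As a style point, `'-md', 'sha256', ],` leaves a trailing comma and a space before the closing bracket, where the line it replaces closed the list directly as `'-noattr'],`. The hunk carries no test change, so a test that checks the digest used in the signed output would keep the default from silently reverting to sha1.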