x
/
cloudbase-init
Code Issues Proposed changes

winrmlistener: use sha2 instead of insecure sha1 

SHA1 is no longer secure and thus needs to be replaced by
a secure algorithm, in this case SHA256.

See:
https://en.wikipedia.org/wiki/SHA-1#Attacks

Fixes: https://github.com/cloudbase/cloudbase-init/issues/123

Change-Id: Ib565b99116fe966421f57b6c1f3bf6d6b9589288
Signed-off-by: Adrian Vladu <avladu@cloudbasesolutions.com>
This commit is contained in:
Adrian Vladu 2024-03-04 12:09:51 +02:00
parent 2ebfe19a88
commit a373d559e2
2 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cloudbaseinit/utils/windows/cryptoapi.py
View File

@ -137,8 +137,10 @@ CERT_FIND_SHA1_HASH = 0x10000
CERT_KEY_PROV_INFO_PROP_ID = 2
CERT_KEY_CONTEXT_PROP_ID = 5
# https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_algorithm_identifier
szOID_PKIX_KP_SERVER_AUTH = b"1.3.6.1.5.5.7.3.1"
szOID_RSA_SHA1RSA = b"1.2.840.113549.1.1.5"
szOID_RSA_SHA256RSA = b"1.2.840.113549.1.1.11"
advapi32 = windll.advapi32
crypt32 = windll.crypt32

2
cloudbaseinit/utils/windows/x509.py
View File

@ -195,7 +195,7 @@ class CryptoAPICertManager(object):
key_prov_info.dwFlags = 0
sign_alg = cryptoapi.CRYPT_ALGORITHM_IDENTIFIER()
sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA1RSA
sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA256RSA
start_time = cryptoapi.SYSTEMTIME()
cryptoapi.GetSystemTime(ctypes.byref(start_time))