VirtualBox

Ignore:
Timestamp:
Aug 6, 2020 9:03:14 AM (4 years ago)
Author:
vboxsync
Message:

VBoxManage/signova: Use SHA-3 for the PKCS#7/CMS signature. Fixed newline/space separator confusion. bugref:9699

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/VBox/Frontends/VBoxManage/VBoxManageAppliance.cpp

    r85361 r85631  
    21282128     * Add a blank line, just for good measure.
    21292129     */
    2130     int rc = RTVfsFileWrite(hVfsFileSignature, " ", 1, NULL);
     2130    int rc = RTVfsFileWrite(hVfsFileSignature, "\n", 1, NULL);
    21312131    if (RT_FAILURE(rc))
    21322132        return RTMsgErrorRc(rc, "RTVfsFileWrite/signature: %Rrc", rc);
     
    22032203                                RTMsgInfo("Created PKCS#7/CMS signature: %zu bytes, %s.",
    22042204                                          cbResult, RTCrDigestTypeToName(enmDigestType));
     2205                            if (enmDigestType == RTDIGESTTYPE_SHA1)
     2206                                RTMsgWarning("Using SHA-1 instead of SHA-3 for the PKCS#7/CMS signature.");
    22052207
    22062208                            /*
     
    22492251    }
    22502252
    2251     /** @todo Use SHA-3 instead, better diversity. @bugref{9734} */
     2253    /* Try SHA-3 for better diversity, only fall back on SHA1 if the private
     2254       key doesn't have enough bits (we skip SHA2 as it has the same variants
     2255       and key size requirements as SHA-3). */
    22522256    RTDIGESTTYPE enmPkcs7DigestType;
    2253     if (   enmDigestType == RTDIGESTTYPE_SHA1
    2254         || enmDigestType == RTDIGESTTYPE_SHA256
    2255         || enmDigestType == RTDIGESTTYPE_SHA224)
    2256     {
    2257         /* Use a SHA-512 variant: */
    2258         if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512, NULL))
    2259             enmPkcs7DigestType = RTDIGESTTYPE_SHA512;
    2260         else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA384, NULL))
    2261             enmPkcs7DigestType = RTDIGESTTYPE_SHA384;
    2262         /// @todo openssl misses these in check_padding_md() in rsa_pmeth.c, causing
    2263         /// failure in EVP_PKEY_CTX_set_signature_md() and CMS_final().
    2264         //else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512T256, NULL))
    2265         //    enmPkcs7DigestType = RTDIGESTTYPE_SHA512T256;
    2266         //else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA512T224, NULL))
    2267         //    enmPkcs7DigestType = RTDIGESTTYPE_SHA512T224;
    2268         else
    2269             enmPkcs7DigestType = RTDIGESTTYPE_SHA1;
    2270     }
    2271     else /* The .cert file uses SHA-512, pick SHA-256 for diversity. */
    2272         enmPkcs7DigestType = RTDIGESTTYPE_SHA256;
     2257    if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA3_512, NULL))
     2258        enmPkcs7DigestType = RTDIGESTTYPE_SHA3_512;
     2259    else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA3_384, NULL))
     2260        enmPkcs7DigestType = RTDIGESTTYPE_SHA3_384;
     2261    else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA3_256, NULL))
     2262        enmPkcs7DigestType = RTDIGESTTYPE_SHA3_256;
     2263    else if (RTCrPkixCanCertHandleDigestType(pCertificate, RTDIGESTTYPE_SHA3_224, NULL))
     2264        enmPkcs7DigestType = RTDIGESTTYPE_SHA3_224;
     2265    else
     2266        enmPkcs7DigestType = RTDIGESTTYPE_SHA1;
    22732267
    22742268    /*
Note: See TracChangeset for help on using the changeset viewer.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette