Changed the default value of the "ess_cert_id_alg" option
authorolszomal <Malgorzata.Olszowka@stunnel.org>
Mon, 21 Aug 2023 07:29:28 +0000 (09:29 +0200)
committerTomas Mraz <tomas@openssl.org>
Fri, 25 Aug 2023 13:05:51 +0000 (15:05 +0200)
This is used to calculate the TSA's public key certificate identifier.

The default algorithm is changed from sha1 to sha256.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21794)

apps/openssl-vms.cnf
apps/openssl.cnf
crypto/ts/ts_conf.c
doc/man1/openssl-ts.pod.in
test/CAtsa.cnf

index 393789b424c2ebe7e95d6a5026a60fdcb9b9e4bc..d6d5f58db6e54e7ac6ae5ec69d39f258c10f9767 100644 (file)
@@ -330,8 +330,8 @@ tsa_name            = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
 ess_cert_id_chain      = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
-ess_cert_id_alg                = sha1  # algorithm to compute certificate
-                               # identifier (optional, default: sha1)
+ess_cert_id_alg                = sha256        # algorithm to compute certificate
+                               # identifier (optional, default: sha256)
 
 [insta] # CMP using Insta Demo CA
 # Message transfer
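Review bot: The sample line `ess_cert_id_alg = sha256` only helps configurations created from this file after the change. A deployed config copied from the old sample still carries an explicit `sha1`, which overrides the new built-in default. The comment could say so, for example `# identifier (optional, default: sha256; an explicit sha1 here still selects SHA-1)`, so operators know to audit existing files. The same applies to the identical hunk in the other sample config, apps/openssl.cnf or apps/openssl-vms.cnf.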
index 5597d89a03cb5b0ab19b41231d7076987b04dcdb..0d564d3ba581306505270a0e142a11df3fd58919 100644 (file)
@@ -330,8 +330,8 @@ tsa_name            = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
 ess_cert_id_chain      = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
-ess_cert_id_alg                = sha1  # algorithm to compute certificate
-                               # identifier (optional, default: sha1)
+ess_cert_id_alg                = sha256        # algorithm to compute certificate
+                               # identifier (optional, default: sha256)
 
 [insta] # CMP using Insta Demo CA
 # Message transfer
index c415839995df11c87782f490b000723e9f52edf2..3fde53cf9fb7cabb0c959072ba8669eace9f7e02 100644 (file)
@@ -481,7 +481,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF *conf, const char *section,
     const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
 
     if (md == NULL)
-        md = "sha1";
+        md = "sha256";
 
     cert_md = EVP_get_digestbyname(md);
     if (cert_md == NULL) {
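Review bot: The fallback `md = "sha256";` changes the emitted attribute for every TSA whose config omits ess_cert_id_alg, and nothing at this line records that. As far as I know, a non-SHA-1 digest makes the responder emit the ESSCertIDv2 / SigningCertificateV2 form (RFC 5816) rather than the v1 attribute, so older verifiers may reject the responses. That should be confirmed against the response-signing code, which is not part of this diff. I would add a comment such as `/* default was sha1; a non-SHA-1 digest selects ESSCertIDv2 (RFC 5816) */`. It is also worth checking whether a context that never calls TS_CONF_set_ess_cert_id_digest still falls back to SHA-1, since only the config path is updated here. The function begins and ends outside the hunk.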
index 0f9049d2a4cd4ea2f4467521ceb08bb68bf0ae49..6f7182020247574a25dad2a41dfb1e729f33ac77 100644 (file)
@@ -490,7 +490,7 @@ Default is no.  (Optional)
 =item B<ess_cert_id_alg>
 
 This option specifies the hash function to be used to calculate the TSA's
-public key certificate identifier. Default is sha1. (Optional)
+public key certificate identifier. Default is sha256. (Optional)
 
 =back
 
index 50f68cbc196653bd0d095d6305bcace25ac3eb03..756c94d733e0c3313e198f9344730ec3ef044028 100644 (file)
@@ -144,7 +144,7 @@ tsa_name            = yes   # Must the TSA name be included in the reply?
 ess_cert_id_chain      = yes   # Must the ESS cert id chain be included?
                                # (optional, default: no)
 ess_cert_id_alg                = sha256        # algorithm to compute certificate
-                                       # identifier (optional, default: sha1)
+                                       # identifier (optional, default: sha256)
 
 [ tsa_config2 ]