From 2cc7acd273bc39f1360aed52400d18bb65b88a95 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 19 Nov 2015 15:50:15 +0000
Subject: [PATCH] Use better defaults for TSA.

Use SHA256 for TSA and setted permitted digests to a sensible value.

Based on PR#4141

Reviewed-by: Matt Caswell <matt@openssl.org>
---
 apps/openssl-vms.cnf |  2 +-
 apps/openssl.cnf     |  4 ++--
 doc/apps/ts.pod      |  7 +++----
 test/CAtsa.cnf       | 10 +++++-----
 4 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index ba6977c01c..51a296b2d8 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -340,7 +340,7 @@ signer_digest  = sha1			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 473c884514..53c4bef044 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -335,11 +335,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest  = sha1			# Signing digest to use. (Optional)
+signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index 038dfae285..82b9e559c4 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -28,7 +28,7 @@ B<-reply>
 [B<-passin> password_src]
 [B<-signer> tsa_cert.pem]
 [B<-inkey> private.pem]
-[B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>]
+[B<-sha1|-sha224|-sha256|-sha384|-sha512>]
 [B<-chain> certs_file.pem]
 [B<-policy> object_id]
 [B<-in> response.tsr]
@@ -216,7 +216,7 @@ variable of the config file. (Optional)
 The signer private key of the TSA in PEM format. Overrides the
 B<signer_key> config file option. (Optional)
 
-=item B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
+=item B<-sha1|-sha224|-sha256|-sha384|-sha512>
 
 Signing digest to use. Overrides the B<signer_digest> config file
 option. (Optional)
@@ -405,8 +405,7 @@ command line option. (Optional)
 =item B<signer_digest>
 
 Signing digest to use. The same as the
-B<-md2>|B<-md4>|B<-md5>|B<-sha>|B<-sha1>|B<-mdc2>|B<-ripemd160>|B<...>
-command line option. (Optional)
+B<-sha1|-sha224|-sha256|-sha384|-sha512> command line option. (Optional)
 
 =item B<default_policy>
 
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index 95a21f98b8..ab2f84aa0f 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -35,7 +35,7 @@ private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
-default_md	= sha1			# which md to use.
+default_md	= sha256			# which md to use.
 preserve	= no			# keep passed DN ordering
 
 policy		= policy_match
@@ -132,11 +132,11 @@ signer_cert	= $dir/tsa_cert1.pem 	# The TSA signing certificate
 certs		= $dir/tsaca.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/tsa_key1.pem	# The TSA private key (optional)
-signer_digest  = sha1                  # Signing digest to use. (Optional)
+signer_digest  = sha256             # Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 ordering		= yes	# Is ordering defined for timestamps?
 				# (optional, default: no)
@@ -156,8 +156,8 @@ signer_cert	= $dir/tsa_cert2.pem 	# The TSA signing certificate
 certs		= $dir/demoCA/cacert.pem# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/tsa_key2.pem	# The TSA private key (optional)
-signer_digest  = sha1                  # Signing digest to use. (Optional)
+signer_digest  = sha256             # Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
-- 
GitLab