diff options
| author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2009-05-12 00:42:37 -0400 |
|---|---|---|
| committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2009-05-12 00:42:37 -0400 |
| commit | dc89c4d16b754408f5e24067073ead1e9e231c48 (patch) | |
| tree | 0fd78f8852eb5c6fc54703e7f0b641151fc63421 /src/share/keytrans | |
| parent | 4ea066ebeb9b01afe213db3455ad1a1ff69c39ea (diff) | |
pem2openpgp now makes signatures over SHA256 instead of SHA1, due to concerns about the growing weakness of SHA1.
Diffstat (limited to 'src/share/keytrans')
| -rwxr-xr-x | src/share/keytrans | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/share/keytrans b/src/share/keytrans index f9288fa..516f2da 100755 --- a/src/share/keytrans +++ b/src/share/keytrans @@ -426,7 +426,7 @@ sub pem2openpgp { my $uid = shift; my $args = shift; - $rsa->use_sha1_hash(); + $rsa->use_sha256_hash(); # see page 22 of RFC 4880 for why i think this is the right padding # choice to use: @@ -442,7 +442,7 @@ sub pem2openpgp { # RSA my $pubkey_algo = pack('C', $asym_algos->{rsa}); # SHA1 - my $hash_algo = pack('C', $digests->{sha1}); + my $hash_algo = pack('C', $digests->{sha256}); # FIXME: i'm worried about generating a bazillion new OpenPGP # certificates from the same key, which could easily happen if you run @@ -497,11 +497,14 @@ sub pem2openpgp { $ciphers->{tripledes} ); - # prefer SHA-1, SHA-256, RIPE-MD/160 - my $pref_hash_algos = pack('CCCCC', 4, $subpacket_types->{preferred_digest}, - $digests->{sha1}, + # prefer SHA-512, SHA-384, SHA-256, SHA-224, RIPE-MD/160, SHA-1 + my $pref_hash_algos = pack('CCCCCCCC', 7, $subpacket_types->{preferred_digest}, + $digests->{sha512}, + $digests->{sha384}, $digests->{sha256}, - $digests->{ripemd160} + $digests->{sha224}, + $digests->{ripemd160}, + $digests->{sha1} ); # prefer ZLIB, BZip2, ZIP |