summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>2009-05-12 00:42:37 -0400
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>2009-05-12 00:42:37 -0400
commitdc89c4d16b754408f5e24067073ead1e9e231c48 (patch)
tree0fd78f8852eb5c6fc54703e7f0b641151fc63421 /src
parent4ea066ebeb9b01afe213db3455ad1a1ff69c39ea (diff)
pem2openpgp now makes signatures over SHA256 instead of SHA1, due to concerns about the growing weakness of SHA1.
Diffstat (limited to 'src')
-rwxr-xr-xsrc/share/keytrans15
1 files changed, 9 insertions, 6 deletions
diff --git a/src/share/keytrans b/src/share/keytrans
index f9288fa..516f2da 100755
--- a/src/share/keytrans
+++ b/src/share/keytrans
@@ -426,7 +426,7 @@ sub pem2openpgp {
my $uid = shift;
my $args = shift;
- $rsa->use_sha1_hash();
+ $rsa->use_sha256_hash();
# see page 22 of RFC 4880 for why i think this is the right padding
# choice to use:
@@ -442,7 +442,7 @@ sub pem2openpgp {
# RSA
my $pubkey_algo = pack('C', $asym_algos->{rsa});
# SHA1
- my $hash_algo = pack('C', $digests->{sha1});
+ my $hash_algo = pack('C', $digests->{sha256});
# FIXME: i'm worried about generating a bazillion new OpenPGP
# certificates from the same key, which could easily happen if you run
@@ -497,11 +497,14 @@ sub pem2openpgp {
$ciphers->{tripledes}
);
- # prefer SHA-1, SHA-256, RIPE-MD/160
- my $pref_hash_algos = pack('CCCCC', 4, $subpacket_types->{preferred_digest},
- $digests->{sha1},
+ # prefer SHA-512, SHA-384, SHA-256, SHA-224, RIPE-MD/160, SHA-1
+ my $pref_hash_algos = pack('CCCCCCCC', 7, $subpacket_types->{preferred_digest},
+ $digests->{sha512},
+ $digests->{sha384},
$digests->{sha256},
- $digests->{ripemd160}
+ $digests->{sha224},
+ $digests->{ripemd160},
+ $digests->{sha1}
);
# prefer ZLIB, BZip2, ZIP