ext/openssl: choose the OpenSSL::Digest class for OpenSSL::OCSP::Request.sign and OpenSSL::OCSP::BasicResponse.sign
ossl_ocsp.c is currently hard-coded to use SHA1 signatures when signing OCSP requests and basic responses, but SHA1 is being phased out for this purpose by web clients. The attached patch provides an optional parameter to the two sign methods to allow other digest algorithms to be specified. It is a backwards-compatible change since the new parameter is last and optional, and it will default to SHA1 if not specified. I've included basic tests as well in the patch.
Updated by Anonymous over 4 years ago
- Status changed from Open to Closed
Applied in changeset r55422.
openssl: allow specifying hash algorithm in OCSP::*#sign
ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
specifying hash algorithm used in signing. They are hard coded to use
Based on a patch provided by Tim Shirley email@example.com.
[ruby-core:70915] [Feature #11552] [GH ruby/openssl#28]
test/openssl/test_ocsp.rb: Test sign-verify works.