Project

General

Profile

Actions
Copy link

Feature #11552

closed

ext/openssl: choose the OpenSSL::Digest class for OpenSSL::OCSP::Request.sign and OpenSSL::OCSP::BasicResponse.sign

Added by tshirley (Tim Shirley) about 9 years ago. Updated over 8 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:<unknown>]

Description

ossl_ocsp.c is currently hard-coded to use SHA1 signatures when signing OCSP requests and basic responses, but SHA1 is being phased out for this purpose by web clients. The attached patch provides an optional parameter to the two sign methods to allow other digest algorithms to be specified. It is a backwards-compatible change since the new parameter is last and optional, and it will default to SHA1 if not specified. I've included basic tests as well in the patch.

Files

ruby-changes.patch (5.49 KB) ruby-changes.patch tshirley (Tim Shirley), 09/25/2015 08:04 PM
Actions
Copy link
 #1

Updated by zzak (zzak _) about 9 years ago

  • Assignee set to 7150
Actions
Copy link
 #2

Updated by Anonymous over 8 years ago

  • Status changed from Open to Closed

Applied in changeset r55422.

openssl: allow specifying hash algorithm in OCSP::*#sign

  • ext/openssl/ossl_ocsp.c (ossl_ocspreq_sign, ossl_ocspbres_sign): Allow
    specifying hash algorithm used in signing. They are hard coded to use
    SHA-1.
    Based on a patch provided by Tim Shirley .
    [ruby-core:70915] [Feature #11552] [GH ruby/openssl#28]

  • test/openssl/test_ocsp.rb: Test sign-verify works.

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0