[openssl] master update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Wed Jun 12 09:46:47 UTC 2019

The branch master has been updated
       via  a6dfa188204f81231a9d25cd007d0753657bcc1a (commit)
      from  c162c126be342b8cd97996346598ecf7db56130f (commit)

- Log -----------------------------------------------------------------
commit a6dfa188204f81231a9d25cd007d0753657bcc1a
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Fri Dec 14 12:10:58 2018 +0100

    ts: Use sha256 as default digest for TS query
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/7900)


Summary of changes:
 CHANGES         | 3 +++
 apps/ts.c       | 2 +-
 doc/man1/ts.pod | 8 ++++----
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/CHANGES b/CHANGES
index 4ccc3f3..0b9add5 100644
@@ -9,6 +9,9 @@
  Changes between 1.1.1 and 3.0.0 [xx XXX xxxx]
+  *) Use SHA256 as the default digest for TS query in the ts app.
+     [Tomas Mraz]
   *) Change PBKDF2 to conform to SP800-132 instead of the older PKCS5 RFC2898.
      This checks that the salt length is at least 128 bits, the derived key
      length is at least 112 bits, and that the iteration count is at least 1000.
diff --git a/apps/ts.c b/apps/ts.c
index 63c5210..4ef8a72 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -425,7 +425,7 @@ static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
     ASN1_OBJECT *policy_obj = NULL;
     ASN1_INTEGER *nonce_asn1 = NULL;
-    if (md == NULL && (md = EVP_get_digestbyname("sha1")) == NULL)
+    if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
         goto err;
     if ((ts_req = TS_REQ_new()) == NULL)
         goto err;
diff --git a/doc/man1/ts.pod b/doc/man1/ts.pod
index 38ecffc..66b8295 100644
--- a/doc/man1/ts.pod
+++ b/doc/man1/ts.pod
@@ -518,7 +518,7 @@ included. Default is no. (Optional)
 =item B<ess_cert_id_alg>
 This option specifies the hash function to be used to calculate the TSA's
-public key certificate identifier. Default is sha1. (Optional)
+public key certificate identifier. Default is sha256. (Optional)
@@ -530,7 +530,7 @@ openssl/apps/openssl.cnf will do.
 =head2 Time Stamp Request
-To create a time stamp request for design1.txt with SHA-1
+To create a time stamp request for design1.txt with SHA-256
 without nonce and policy and no certificate is required in the response:
   openssl ts -query -data design1.txt -no_nonce \
@@ -546,12 +546,12 @@ To print the content of the previous request in human readable format:
   openssl ts -query -in design1.tsq -text
-To create a time stamp request which includes the MD-5 digest
+To create a time stamp request which includes the SHA-512 digest
 of design2.txt, requests the signer certificate and nonce,
 specifies a policy id (assuming the tsa_policy1 name is defined in the
 OID section of the config file):
-  openssl ts -query -data design2.txt -md5 \
+  openssl ts -query -data design2.txt -sha512 \
         -tspolicy tsa_policy1 -cert -out design2.tsq
 =head2 Time Stamp Response

More information about the openssl-commits mailing list