author | Daiki Ueno <ueno@gnu.org> | 2021-12-20 15:56:24 +0100 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2022-01-07 17:45:14 +0100 |
commit | f56736cd3e1f940140f628f42ccec0481ff1de31 (patch) | |
tree | d4eb7b329edd40b603b037f8bfdf6618aec5a385 /src | |
parent | 527f2f799fa18f80941470ce89706c33e671b5ef (diff) | |
certtool: --to-p12: use modern algorithms by default
Currently certtool uses PKCS12-3DES-SHA1 for encrypting keys in
PKCS#12, while it is suggested to migrate to more modern algorithms,
namely AES-128-CBC with PBKDF2 and SHA-256:
https://bugzilla.redhat.com/show_bug.cgi?id=1759982
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/certtool-common.c | 4 | ||||
-rw-r--r-- | src/certtool.c | 2 |
2 files changed, 1 insertions, 5 deletions
diff --git a/src/certtool-common.c b/src/certtool-common.c
index 3fd63ab7aa..5e7bc5666c 100644
--- a/src/certtool-common.c
+++ b/src/certtool-common.c
@@ -1149,11 +1149,7 @@ void dh_info(FILE * infile, FILE * outfile, common_info_st * ci)
 int cipher_to_flags(const char *cipher)
 {
 if (cipher == NULL) {
-#ifdef ENABLE_FIPS140
 return GNUTLS_PKCS_USE_PBES2_AES_128;
-#else /* compatibility mode - most implementations don't support PBES2 with AES */
- return GNUTLS_PKCS_USE_PKCS12_3DES;
-#endif
 } else if (strcasecmp(cipher, "3des") == 0) {
 return GNUTLS_PKCS_USE_PBES2_3DES;
 } else if (strcasecmp(cipher, "3des-pkcs12") == 0) {
diff --git a/src/certtool.c b/src/certtool.c
index 825a306bc9..1d7a98064d 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -2960,7 +2960,7 @@ void generate_pkcs12(common_info_st * cinfo)
 if (cinfo->hash != GNUTLS_DIG_UNKNOWN)
 mac = (gnutls_mac_algorithm_t)cinfo->hash;
 else
- mac = GNUTLS_MAC_SHA1;
+ mac = GNUTLS_MAC_SHA256;

 if (HAVE_OPT(P12_NAME)) {
 name = OPT_ARG(P12_NAME); |
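Review bot: The new unconditional default in `cipher_to_flags()` drops the only comment that explained the compatibility trade-off, and nothing on the new side says that a NULL cipher now means PBES2 with AES-128 or how to get the legacy format back. A comment above the return such as `/* default: PBES2 with AES-128-CBC; pass "3des-pkcs12" explicitly for consumers that only read legacy PKCS #12 encryption */` would keep that knowledge in the code. The helper lives in certtool-common.c, so any other caller that passes a NULL cipher presumably gets the new default too, which is wider than the `--to-p12` named in the title; the callers are outside this hunk, so this needs confirming. The same documentation gap applies to the `GNUTLS_MAC_SHA256` fallback in the certtool.c hunk.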
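Review bot: Only the fallback branch in `generate_pkcs12()` moves to SHA-256; the context lines above it still cast any explicitly selected `cinfo->hash` straight to a MAC algorithm with no check, so an explicit SHA-1 choice keeps the old integrity protection without any notice. If the intent is to steer users off the legacy algorithms, a warning after the assignment would make that visible, for example `if (mac == GNUTLS_MAC_SHA1) fprintf(stderr, "Warning: SHA1 MAC selected for PKCS #12\n");`. The function starts and ends outside the hunk, so whether `cinfo->hash` is validated earlier cannot be seen here.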