Generate SHA-256 client certificates instead of SHA-1

2025-08-16 16:16:44 +00:00 · 2019-07-05 21:50:48 -07:00 · 2019-07-05 21:50:48 -07:00 · 7471853652
commit 7471853652
parent 9c2bfeb4e0
1 changed files with 3 additions and 35 deletions
--- a/libgamestream/mkcert.c
+++ b/libgamestream/mkcert.c
@ -127,14 +127,8 @@ int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int years) {
     * subject.
     */
    X509_set_issuer_name(x, name);
-    
-    /* Add various extensions: standard extensions */
-    add_ext(x, NID_basic_constraints, "critical,CA:TRUE");
-    add_ext(x, NID_key_usage, "critical,keyCertSign,cRLSign");
-    
-    add_ext(x, NID_subject_key_identifier, "hash");
-    
-    if (!X509_sign(x, pk, EVP_sha1())) {
+        
+    if (!X509_sign(x, pk, EVP_sha256())) {
        goto err;
    }
    
@ -144,30 +138,4 @@ int mkcert(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int years) {
    return(1);
 err:
    return(0);
-}
-
-/* Add extension using V3 code: we can set the config file as NULL
- * because we wont reference any other sections.
- */
-
-int add_ext(X509 *cert, int nid, char *value)
-{
-    X509_EXTENSION *ex;
-    X509V3_CTX ctx;
-    /* This sets the 'context' of the extensions. */
-    /* No configuration database */
-    X509V3_set_ctx_nodb(&ctx);
-    /* Issuer and subject certs: both the target since it is self signed,
-     * no request and no CRL
-     */
-    X509V3_set_ctx(&ctx, cert, cert, NULL, NULL, 0);
-    ex = X509V3_EXT_conf_nid(NULL, &ctx, nid, value);
-    if (!ex) {
-        return 0;
-    }
-    
-    X509_add_ext(cert, ex, -1);
-    X509_EXTENSION_free(ex);
-    return 1;
-}
-
+}