Merge "winrmlistener: use sha2 instead of insecure sha1"

2024-03-27 09:43:59 +00:00 · 2024-03-27 09:43:59 +00:00 · 4bb6895f11
commit 4bb6895f11
parent 2b1770d1d1 a373d559e2
2 changed files with 3 additions and 1 deletions
--- a/cloudbaseinit/utils/windows/cryptoapi.py
+++ b/cloudbaseinit/utils/windows/cryptoapi.py
@ -137,8 +137,10 @@ CERT_FIND_SHA1_HASH = 0x10000
 CERT_KEY_PROV_INFO_PROP_ID = 2
 CERT_KEY_CONTEXT_PROP_ID = 5

+# https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-crypt_algorithm_identifier
 szOID_PKIX_KP_SERVER_AUTH = b"1.3.6.1.5.5.7.3.1"
 szOID_RSA_SHA1RSA = b"1.2.840.113549.1.1.5"
+szOID_RSA_SHA256RSA = b"1.2.840.113549.1.1.11"

 advapi32 = windll.advapi32
 crypt32 = windll.crypt32
--- a/cloudbaseinit/utils/windows/x509.py
+++ b/cloudbaseinit/utils/windows/x509.py
@ -195,7 +195,7 @@ class CryptoAPICertManager(object):
                key_prov_info.dwFlags = 0

            sign_alg = cryptoapi.CRYPT_ALGORITHM_IDENTIFIER()
-            sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA1RSA
+            sign_alg.pszObjId = cryptoapi.szOID_RSA_SHA256RSA

            start_time = cryptoapi.SYSTEMTIME()
            cryptoapi.GetSystemTime(ctypes.byref(start_time))