sso: Upgrade crypto

- using latest version of lib-apache2-mod-authpubtkt
- upgraded keys to 4096-bit RSA
- upgraded hashing algorithm to sha512

Plinth needs dependency on libapache2-mod-auth-pubtkt >= 0.11

Signed-off-by: Joseph Nuthalpati <njoseph@thoughtworks.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>

actions/auth-pubtkt

@@ -66,8 +66,7 @@ def subcommand_create_key_pair(_):
             for key_file in [public_key_file, private_key_file]
     ]):
         pkey = crypto.PKey()
-        # XXX: Use RSA when available in mod-auth-pubtkt.
-        pkey.generate_key(crypto.TYPE_DSA, 1024)
+        pkey.generate_key(crypto.TYPE_RSA, 4096)
 
         with open(private_key_file, 'w') as priv_key_file:
             priv_key = crypto.dump_privatekey(crypto.FILETYPE_PEM,
@@ -102,8 +101,7 @@ def create_ticket(pkey, uid, validuntil, ip=None, tokens=None,
 
 def sign(pkey, data):
     """Calculates and returns ticket's signature."""
-    # XXX: Use SHA256 when available in mod-auth-pubtkt.
-    sig = crypto.sign(pkey, data, 'sha1')
+    sig = crypto.sign(pkey, data, 'sha512')
     return base64.b64encode(sig).decode()
 
 

data/etc/apache2/includes/freedombox-single-sign-on.conf

@@ -2,7 +2,7 @@
     TKTAuthPublicKey /etc/apache2/auth-pubtkt-keys/pubkey.pem
     TKTAuthLoginURL /plinth/accounts/sso/login/
     TKTAuthBackArgName next
-    TKTAuthDigest SHA1
+    TKTAuthDigest SHA512
     TKTAuthRefreshURL /plinth/accounts/sso/refresh/
     TKTAuthUnauthURL /plinth
     AuthType mod_auth_pubtkt