From f9166f8e985401e598de39bd72f0304c799bc0f0 Mon Sep 17 00:00:00 2001 From: Joseph Nuthalpati Date: Mon, 28 Aug 2017 15:50:47 +0530 Subject: [PATCH] sso: Upgrade crypto - using latest version of lib-apache2-mod-authpubtkt - upgraded keys to 4096-bit RSA - upgraded hashing algorithm to sha512 Plinth needs dependency on libapache2-mod-auth-pubtkt >= 0.11 Signed-off-by: Joseph Nuthalpati Reviewed-by: Sunil Mohan Adapa --- actions/auth-pubtkt | 6 ++---- data/etc/apache2/includes/freedombox-single-sign-on.conf | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/actions/auth-pubtkt b/actions/auth-pubtkt index 379cfe2b3..c8cd15fc2 100755 --- a/actions/auth-pubtkt +++ b/actions/auth-pubtkt @@ -66,8 +66,7 @@ def subcommand_create_key_pair(_): for key_file in [public_key_file, private_key_file] ]): pkey = crypto.PKey() - # XXX: Use RSA when available in mod-auth-pubtkt. - pkey.generate_key(crypto.TYPE_DSA, 1024) + pkey.generate_key(crypto.TYPE_RSA, 4096) with open(private_key_file, 'w') as priv_key_file: priv_key = crypto.dump_privatekey(crypto.FILETYPE_PEM, @@ -102,8 +101,7 @@ def create_ticket(pkey, uid, validuntil, ip=None, tokens=None, def sign(pkey, data): """Calculates and returns ticket's signature.""" - # XXX: Use SHA256 when available in mod-auth-pubtkt. - sig = crypto.sign(pkey, data, 'sha1') + sig = crypto.sign(pkey, data, 'sha512') return base64.b64encode(sig).decode() diff --git a/data/etc/apache2/includes/freedombox-single-sign-on.conf b/data/etc/apache2/includes/freedombox-single-sign-on.conf index a36944977..1cc675b9c 100644 --- a/data/etc/apache2/includes/freedombox-single-sign-on.conf +++ b/data/etc/apache2/includes/freedombox-single-sign-on.conf @@ -2,7 +2,7 @@ TKTAuthPublicKey /etc/apache2/auth-pubtkt-keys/pubkey.pem TKTAuthLoginURL /plinth/accounts/sso/login/ TKTAuthBackArgName next - TKTAuthDigest SHA1 + TKTAuthDigest SHA512 TKTAuthRefreshURL /plinth/accounts/sso/refresh/ TKTAuthUnauthURL /plinth AuthType mod_auth_pubtkt