Closed s-b-repo closed 3 weeks ago
That's what x2509 requires. Please stop it.
sha1 is insecure
using SHA-1 for cryptographic signing is considered insecure due to known vulnerabilities, and it’s highly recommended to switch to a more secure hash function. Commonly recommended algorithms for secure signing are:
SHA-256: Part of the SHA-2 family and widely supported, providing better security than SHA-1.
SHA-512: Also part of SHA-2, offering even stronger security, though it produces a larger signature.
Here’s how you might modify the line to use a stronger hash algorithm:
cpp
X509_sign(x509, pkey, EVP_sha256()); // or EVP_sha512()
Special Case for EdDSA
If you’re working with EdDSA, it’s best to note that EdDSA uses its own internal hashing mechanism (like SHA-512 for Ed25519), so you’d typically specify NULL for the hash parameter when using EdDSA keys. The modified line for EdDSA would look like this:
cpp
X509_sign(x509, pkey, NULL); // EdDSA uses its own hash, so we pass NULL
Using EVP_sha256 or EVP_sha512 is generally good for other non-EdDSA keys.
Certificate with EdDSA? ChatGPT is kidding
sha1 is insecure
For self-signed certificates and local connection? Before opening issues like this look at the context.
X509_sign (x509, pkey, EVP_sha1 ()); // sign, last param must be NULL for EdDSA
line #420 I2PControl.cpp
EVP_sha1 hash (used in EVP_sha1) is insecure. Consider changing it to a secure hashing algorithm.