Open DemiMarie opened 7 years ago
Given that SHA1 support is still needed to interoperate with a lot of legacy systems, I think this is something that is better addressed in documentation than code, because support for legacy crypto allows people to use cfssl to enable migrations to modern crypto. If cfssl is using SHA1 by default anywhere, that's a bug, but I can't find any default uses of SHA1.
It seems to be used to verify that root certificate files haven't changed:
```
cfssl server --help
:
-metadata="": Metadata file for root certificate presence. The content of the file is a json dictionary (k,v): each key k is SHA-1 digest of a root certificate while value v is a list of key store filenames.
```
It is broken and should not be used, period.
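As an added example (not cfssl's own code), the following Go sketch models the presence check the `-metadata` help text describes: a map keyed by a digest of each root certificate, whose value is the list of key stores containing it, with a SHA-256 keyed variant beside the legacy SHA-1 one. Assumptions: the digest is taken over the raw DER encoding and hex-encoded (the help text does not say), and the root certificate is a constructed throwaway.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Metadata mirrors the documented shape: digest of a root certificate -> key store filenames.
type Metadata map[string][]string

// rootDigest hex-encodes a digest of the DER certificate. Hashing the raw DER and
// hex encoding are assumptions; the help text only says "SHA-1 digest".
func rootDigest(der []byte, algo string) string {
	if algo == "sha1" { // legacy keying: collision attacks on SHA-1 are practical
		s := sha1.Sum(der)
		return hex.EncodeToString(s[:])
	}
	s := sha256.Sum256(der) // collision-resistant replacement
	return hex.EncodeToString(s[:])
}
// addRoot records which key stores contain this root, keyed by its digest.
func addRoot(meta Metadata, der []byte, algo string, stores ...string) {
	k := rootDigest(der, algo)
	meta[k] = append(meta[k], stores...)
}
// lookupRoot is the presence check: a modified or unknown certificate has no entry.
func lookupRoot(meta Metadata, der []byte, algo string) ([]string, bool) {
	stores, ok := meta[rootDigest(der, algo)]
	return stores, ok
}
// selfSignedRoot builds a throwaway root certificate (constructed sample input).
func selfSignedRoot() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Serialising the `Metadata` map with `encoding/json` yields a file of the documented shape; the digest algorithm chosen for the keys is what decides whether a colliding certificate could pass the check.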