square / certstrap

Tools to bootstrap CAs, certificate requests, and signed certificates.
Apache License 2.0
2.32k stars 207 forks source link

Crypto Go :we are a research group to help developers build secure applications. #172

Open 1047261438 opened 2 years ago

1047261438 commented 2 years ago

Hi, we are a research group to help developers build secure applications. We designed a cryptographic misuse detector (i.e., CryptoGo) on Go language. We found your great public repository from Github, and several security issues detected by CryptoGo are shown in the following. Note that the cryptographic algorithms are categorized with two aspects: security strength and security vulnerability based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defined certain rules derived from the APIs of Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows: Location: pkix/key.go:233; Broken rule: R-01: SHA-1 is an insecure algorithm; We wish the above security issues could truly help you to build a secure application. If you have any concern or suggestion, please feel free to contact us, we are looking forward to your reply. Thanks.

alokmenghrajani commented 1 year ago

Per https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 (and https://datatracker.ietf.org/doc/html/rfc7093), implementations can pick a method for generating the SKI, so we could switch to sha256 or something else.

Openssl uses sha1: https://github.com/openssl/openssl/blob/a275afc527d05b5187b457bdbcd0e1dcb18839f1/crypto/x509/v3_skid.c#L72