Drop SHA-1 fingerprints

base/ca/src/main/java/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java

@@ -1853,7 +1853,7 @@ public Hashtable<String, byte[]> makeFingerPrints(CRSPKIMessage req) {
         Hashtable<String, byte[]> fingerprints = new Hashtable<>();
 
         MessageDigest md;
-        String[] hashes = new String[] { "MD2", "MD5", "SHA1", "SHA256", "SHA512" };
+        String[] hashes = new String[] { "MD2", "MD5", "SHA256", "SHA512" };
         PKCS10 p10 = req.getP10();
 
         for (int i = 0; i < hashes.length; i++) {

base/server/src/main/java/com/netscape/cmscore/cert/CertUtils.java

@@ -768,27 +768,25 @@ public static String getFingerPrint(Certificate cert)
 
     /**
      * Returns a string that has the certificate's fingerprint using
-     * MD5, MD2 and SHA1 hashes.
+     * MD5 and MD2 hashes.
      * A certificate's fingerprint is a hash digest of the DER encoded
      * certificate.
      *
      * @param cert Certificate to get the fingerprints of.
-     * @return a String with fingerprints using the MD5, MD2 and SHA1 hashes.
+     * @return a String with fingerprints using the MD5 and MD2 hashes.
      *         For example,
      *
      *         <pre>
      * MD2:   78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71
      *
      * MD5:   0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75
-     *
-     * SHA1:  DC:D9:F7:AF:E2:83:10:B2:F7:0A:77:E8:50:E2:F7:D1:15:9A:9D:00
      * </pre>
      */
     public static String getFingerPrints(Certificate cert)
             throws NoSuchAlgorithmException, CertificateEncodingException {
         byte certDer[] = cert.getEncoded();
         /*
-        String[] hashes = new String[] {"MD2", "MD5", "SHA1"};
+        String[] hashes = new String[] {"MD2", "MD5"};
         String certFingerprints = "";
         PrettyPrintFormat pp = new PrettyPrintFormat(":");
 
@@ -806,26 +804,24 @@ public static String getFingerPrints(Certificate cert)
 
     /**
      * Returns a string that has the certificate's fingerprint using
-     * MD5, MD2 and SHA1 hashes.
+     * MD5 and MD2 hashes.
      * A certificate's fingerprint is a hash digest of the DER encoded
      * certificate.
      *
      * @param certDer Certificate to get the fingerprints of.
-     * @return a String with fingerprints using the MD5, MD2 and SHA1 hashes.
+     * @return a String with fingerprints using the MD5 and MD2 hashes.
      *         For example,
      *
      *         <pre>
      * MD2:   78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71
      *
      * MD5:   0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75
-     *
-     * SHA1:  DC:D9:F7:AF:E2:83:10:B2:F7:0A:77:E8:50:E2:F7:D1:15:9A:9D:00
      * </pre>
      */
     public static String getFingerPrints(byte[] certDer)
             throws NoSuchAlgorithmException/*, CertificateEncodingException*/{
         //        byte certDer[] = cert.getEncoded();
-        String[] hashes = new String[] { "MD2", "MD5", "SHA1", "SHA256", "SHA512" };
+        String[] hashes = new String[] { "MD2", "MD5", "SHA256", "SHA512" };
         StringBuffer certFingerprints = new StringBuffer();
         PrettyPrintFormat pp = new PrettyPrintFormat(":");
 

base/tools/src/main/native/p12tool/secutil.c

@@ -2589,22 +2589,6 @@ SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level)
     if (rv != SECSuccess && !err)
         err = PORT_GetError();
 
-    /* print SHA1 fingerprint */
-    memset(fingerprint, 0, sizeof fingerprint);
-    rv = PK11_HashBuf(SEC_OID_SHA1, fingerprint, derCert->data, derCert->len);
-    fpItem.data = fingerprint;
-    fpItem.len = SHA1_LENGTH;
-    fpStr = CERT_Hexify(&fpItem, 1);
-    SECU_Indent(out, level);
-    fprintf(out, "%s (SHA1):", m);
-    if (SECU_GetWrapEnabled()) {
-        fprintf(out, "\n");
-        SECU_Indent(out, level + 1);
-    } else {
-        fprintf(out, " ");
-    }
-    fprintf(out, "%s\n", fpStr);
-    PORT_Free(fpStr);
     if (SECU_GetWrapEnabled())
         fprintf(out, "\n");
 

base/tools/src/main/native/p12tool/secutil.h

@@ -245,7 +245,7 @@ extern void SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int
 /* Dump contents of a DSA public key */
 extern void SECU_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level);
 
-/* Print the MD5 and SHA1 fingerprints of a cert */
+/* Print the SHA-256 fingerprint of a cert */
 extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
                                   int level);
 

base/tools/src/main/native/p7tool/secutil.c

@@ -2438,15 +2438,6 @@ SECU_PrintFingerprints(FILE *out, SECItem *derCert, const char *m, int level)
     if (rv != SECSuccess && !err)
 	err = PORT_GetError();
 
-    /* print SHA1 fingerprint */
-    memset(fingerprint, 0, sizeof fingerprint);
-    rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len);
-    fpItem.data = fingerprint;
-    fpItem.len = SHA1_LENGTH;
-    fpStr = CERT_Hexify(&fpItem, 1);
-    SECU_Indent(out, level);  fprintf(out, "%s (SHA1):\n", m);
-    SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
-    PORT_Free(fpStr);
     fprintf(out, "\n");
 
     if (err) 

base/tools/src/main/native/p7tool/secutil.h

@@ -260,7 +260,7 @@ extern int SECU_PrintPublicKey(FILE *out, SECItem *der, const char *m, int level
 extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
 #endif
 
-/* Print the MD5 and SHA1 fingerprints of a cert */
+/* Print the MD5 fingerprint of a cert */
 extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, const char *m,
                                   int level);
 

base/tools/src/main/native/pistool/include/secutil.h

@@ -260,7 +260,7 @@ extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level);
 extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
 #endif
 
-/* Print the MD5 and SHA1 fingerprints of a cert */
+/* Print the MD5 fingerprint of a cert */
 extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
                                   int level);
 

base/tools/src/main/native/pistool/src/secutil.c

@@ -2434,15 +2434,6 @@ SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level)
     if (rv != SECSuccess && !err)
 	err = PORT_GetError();
 
-    /* print SHA1 fingerprint */
-    memset(fingerprint, 0, sizeof fingerprint);
-    rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len);
-    fpItem.data = fingerprint;
-    fpItem.len = SHA1_LENGTH;
-    fpStr = CERT_Hexify(&fpItem, 1);
-    SECU_Indent(out, level);  fprintf(out, "%s (SHA1):\n", m);
-    SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
-    PORT_Free(fpStr);
     fprintf(out, "\n");
 
     if (err) 

base/tools/src/main/native/tkstool/secutil.c

@@ -2436,15 +2436,6 @@ SECU_PrintFingerprints(FILE *out, SECItem *derCert, const char *m, int level)
     if (rv != SECSuccess && !err)
 	err = PORT_GetError();
 
-    /* print SHA1 fingerprint */
-    memset(fingerprint, 0, sizeof fingerprint);
-    rv = PK11_HashBuf(SEC_OID_SHA1,fingerprint, derCert->data, derCert->len);
-    fpItem.data = fingerprint;
-    fpItem.len = SHA1_LENGTH;
-    fpStr = CERT_Hexify(&fpItem, 1);
-    SECU_Indent(out, level);  fprintf(out, "%s (SHA1):\n", m);
-    SECU_Indent(out, level+1); fprintf(out, "%s\n", fpStr);
-    PORT_Free(fpStr);
     fprintf(out, "\n");
 
     if (err) 

base/tools/src/main/native/tkstool/secutil.h

@@ -260,7 +260,7 @@ extern int SECU_PrintPublicKey(FILE *out, SECItem *der, char *m, int level);
 extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level);
 #endif
 
-/* Print the MD5 and SHA1 fingerprints of a cert */
+/* Print the MD5 fingerprint of a cert */
 extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, const char *m,
                                   int level);