Use SHA2 to encrypt certificate instead of SHA1

microsoft · Sep 15, 2021 · 500c351 · 500c351
1 parent 4ce2cf1
commit 500c351
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 3 deletions.
diff --git a/Unix/configure b/Unix/configure
@@ -2110,7 +2110,7 @@ echo "created $fn"
 
 if [ "$dev" = "1" ]; then
   mkdir -p $certsdir
-  openssl req -x509 -sha1 -newkey rsa:2048 -days 3650 -nodes -config $fn -keyout $certsdir/omikey.pem -out $certsdir/omi.pem
+  openssl req -x509 -sha256 -newkey rsa:2048 -days 3650 -nodes -config $fn -keyout $certsdir/omikey.pem -out $certsdir/omi.pem
   openssl x509 -outform der -in $certsdir/omi.pem -out $certsdir/omi.der
   chmod 600 $certsdir/omikey.pem
   chmod 644 $certsdir/omi.pem
@@ -2378,7 +2378,7 @@ if [ -f "\$keyfile" -a -f "\$certfile" ]; then
   echo "* since they already exist.                                *"
   echo "************************************************************"
 else
-  openssl req -x509 -sha1 -newkey rsa:2048 -days 3650 -nodes -config \$cnffile -keyout \$keyfile -out \$certfile
+  openssl req -x509 -sha256 -newkey rsa:2048 -days 3650 -nodes -config \$cnffile -keyout \$keyfile -out \$certfile
   chmod 600 \$keyfile
   chmod 644 \$certfile
 fi

diff --git a/Unix/installbuilder/datafiles/Base_OMI.data b/Unix/installbuilder/datafiles/Base_OMI.data
@@ -352,11 +352,14 @@ ${{SHELL_HEADER}}
 ${{SHELL_HEADER}}
 
 %Postinstall_10
+certdir=/etc/opt/omi/ssl/
 cnffile=/etc/opt/omi/ssl/ssl.cnf
 keyfile=/etc/opt/omi/ssl/omikey.pem
 certfile=/etc/opt/omi/ssl/omi.pem
 omicertmarkerfile=/etc/opt/omi/ssl/.omi_cert_marker
 OPENSSL_PATH="openssl"
+ALGORITHM_KEY_IN_CERTIFICATE="Signature Algorithm"
+SHA1="sha1"
 #if PF == SunOS
 #if PFMINOR == 9
     LD_LIBRARY_PATH=/usr/local/ssl/lib
@@ -400,7 +403,7 @@ EOF
 }
 
 GenerateKeyCert() {
-    $OPENSSL_PATH req -x509 -sha1 -newkey rsa:2048 -days 3650 -nodes -config $cnffile -keyout $keyfile -out $certfile
+    $OPENSSL_PATH req -x509 -sha256 -newkey rsa:2048 -days 3650 -nodes -config $cnffile -keyout $keyfile -out $certfile
 }
 
 HandleConfigFiles() {
@@ -451,12 +454,28 @@ HandleConfigFiles() {
     fi
 }
 
+DeleteUnsupportedCertificate() {
+    # This function will delete the unsupported sha1 certificate 
+    if [ -f "$keyfile" -a -f "$certfile" ]; then
+        result=`$OPENSSL_PATH x509 -in $certfile -text | grep -i "$ALGORITHM_KEY_IN_CERTIFICATE" | grep -i "$SHA1"`
+
+        if [ -n "$result" ]; then
+            echo "************************************************************"
+            echo "* Deleting unsupported SHA1 certificate *"
+            echo "************************************************************"
+            rm -rf $certdir*
+        fi
+    fi
+}
+
 # Handle upgrade from older SCX configurations. This needs to be in OMI since
 # certain installers (Debian) will delete unused configuration files before
 # %Pre / %Post see the light of day. For OMI config, do it before SCX install.
 
 HandleConfigFiles
 
+DeleteUnsupportedCertificate
+
 if [ -f "$keyfile" -a -f "$certfile" ]; then
     echo
     echo "************************************************************"