On 2011-03-11, Chris Adams cmadams@hiwaay.net wrote:
Once upon a time, Ralf Ertzinger fedora@camperquake.de said:
this document is about a quite special case (regarding lawfully binding digital signatures) and not about SSL in general.
I took a short look at software support for other SSL hashes:
- OpenSSL: openssl only offers md5, sha1, md2, mdc2, md4 for generating a signing request or signing a cert
Not true:
$ openssl req -newkey rsa:2048 -sha256 -new -utf8 -out test.req
[...]
$ openssl req -noout -text <test.req
Certificate Request:
[...]
    Signature Algorithm: sha256WithRSAEncryption
The openssl FOO usage output is outdated. You need to reuse options from other subcommands (e.g. openssl dgst -h).
- NSS: certutil doesn't seem to offer the option to set the digest (I didn't see one in -H output and there's no man/info page)
NSS is under-documented. E.g. I could not figure out how to select a hardware cryptoengine.
- GnuTLS: certtool supports up to SHA512 for signing, although it only used SHA-1 for a signing request (it appeared to ignore the --hash option when generating a request)
Yes, there is a bug with selecting hash algorithm.
-- Petr
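Added example, not part of the thread: a small POSIX shell check that generates a CSR with a chosen digest the way the openssl command above does, then reads the "Signature Algorithm:" line back out of `openssl req -noout -text` and flags MD2/MD4/MD5/MDC2/SHA-1 signatures. It assumes a stock openssl binary on PATH; the two parsing helpers work on the text output alone.

```shell
#!/bin/sh
# Added example (not from the thread): classify the signature digest of a
# CSR so that weak-digest requests are caught before they reach a CA.
# Assumes a standard `openssl` on PATH; the helpers below only parse text.

# Print the value of the first "Signature Algorithm:" line in
# `openssl req -text` / `openssl x509 -text` output.
sigalg_from_text() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# Exit 0 (true) when the digest is one a CA or verifier should refuse.
is_weak_sigalg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        md2*|md4*|md5*|mdc2*|sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a throwaway 2048-bit RSA key and a CSR signed with the given
# digest (default sha256), then report the digest openssl actually used.
# Exit status: 0 acceptable, 1 weak digest, 2 openssl failed.
make_and_check_csr() {
    digest=${1:-sha256}
    dir=$(mktemp -d) || return 2
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -"$digest" -new -utf8 -subj "/CN=example.test" \
        -out "$dir/test.req" 2>/dev/null || { rm -rf "$dir"; return 2; }
    text=$(openssl req -noout -text -in "$dir/test.req")
    rm -rf "$dir"
    alg=$(sigalg_from_text "$text")
    if is_weak_sigalg "$alg"; then
        echo "WEAK: $alg"
        return 1
    fi
    echo "OK: $alg"
}
```

Run `make_and_check_csr sha1` to see the weak path trigger; the same parsing works on `openssl x509 -noout -text` output for issued certificates.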