
Commit dc7f754

committed
PYTHON-5740 - Fix weak OCSP hashing algorithm
1 parent db4db92 commit dc7f754

1 file changed

Lines changed: 4 additions & 4 deletions


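--- a/pymongo/ocsp_support.py
+++ b/pymongo/ocsp_support.py
@@ -36,7 +36,7 @@
 from cryptography.hazmat.primitives.asymmetric.x25519 import (
 X25519PublicKey as _X25519PublicKey,
 )
-from cryptography.hazmat.primitives.hashes import SHA1 as _SHA1
+from cryptography.hazmat.primitives.hashes import SHA256 as _SHA256
 from cryptography.hazmat.primitives.hashes import Hash as _Hash
 from cryptography.hazmat.primitives.serialization import Encoding as _Encoding
 from cryptography.hazmat.primitives.serialization import PublicFormat as _PublicFormat
@@ -158,7 +158,7 @@ def _get_extension(
 def _public_key_hash(cert: Certificate) -> bytes:
 public_key = cert.public_key()
 # https://tools.ietf.org/html/rfc2560#section-4.2.1
-# "KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
+# "KeyHash ::= OCTET STRING -- SHA-256 hash of responder's public key
 # (excluding the tag and length fields)"
 # https://stackoverflow.com/a/46309453/600498
 if isinstance(public_key, _RSAPublicKey):
@@ -167,7 +167,7 @@ def _public_key_hash(cert: Certificate) -> bytes:
 pbytes = public_key.public_bytes(_Encoding.X962, _PublicFormat.UncompressedPoint)
 else:
 pbytes = public_key.public_bytes(_Encoding.DER, _PublicFormat.SubjectPublicKeyInfo)
-digest = _Hash(_SHA1(), backend=_default_backend()) # noqa: S303
+digest = _Hash(_SHA256(), backend=_default_backend())
 digest.update(pbytes)
 return digest.finalize()
 
@@ -249,7 +249,7 @@ def _verify_response_signature(issuer: Certificate, response: OCSPResponse) -> i
 def _build_ocsp_request(cert: Certificate, issuer: Certificate) -> OCSPRequest:
 # https://cryptography.io/en/latest/x509/ocsp/#creating-requests
 builder = _OCSPRequestBuilder()
-builder = builder.add_certificate(cert, issuer, _SHA1()) # noqa: S303
+builder = builder.add_certificate(cert, issuer, _SHA256())
 return builder.build()
 
 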
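Review bot: In `_public_key_hash`, the switch to SHA-256 on new line 170 no longer produces the value that the cited RFC 2560 section 4.2.1 defines. KeyHash in a ResponderID is the SHA-1 hash of the responder's public key, so a 32-byte SHA-256 digest cannot equal the 20-byte key hash a conforming responder sends, and the edited comment on line 161 now misquotes the RFC. The callers are outside these hunks (as are lines 165-166 of the function), but if this value is compared with the response's responder key hash, responses identified by key would stop matching a responder certificate and revocation checking would fail for them. The hash here serves as an identifier for locating the responder certificate, so I would keep `from cryptography.hazmat.primitives.hashes import SHA1 as _SHA1` and `digest = _Hash(_SHA1(), backend=_default_backend())  # noqa: S303 - KeyHash is SHA-1 by definition (RFC 2560 4.2.1)`, and restore the quoted RFC text. The SHA-256 CertID in `_build_ocsp_request` (line 252) is the change that addresses the finding; it is worth confirming that the responders in use answer SHA-256 CertIDs and adding a test that a by-key response still verifies.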
