From 1687ae45c088789287b9d6ca77289e9b1ec4c68a Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Fri, 30 Nov 2012 16:17:04 -0500
Subject: [PATCH] Cranked up signing algorithm from SHA1 to SHA512.  This makes
 Opera P12 Import happy.

---
 src/com/gitblit/utils/X509Utils.java | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/com/gitblit/utils/X509Utils.java b/src/com/gitblit/utils/X509Utils.java
index 1d144897..7a402dac 100644
--- a/src/com/gitblit/utils/X509Utils.java
+++ b/src/com/gitblit/utils/X509Utils.java
@@ -111,6 +111,12 @@ public class X509Utils {
 
 	private static final String BC = org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME;
 	
+	private static final int KEY_LENGTH = 2048;
+	
+	private static final String KEY_ALGORITHM = "RSA";
+	
+	private static final String SIGNING_ALGORITHM = "SHA512withRSA";
+	
 	public static final boolean unlimitedStrength;
 	
 	private static final Logger logger = LoggerFactory.getLogger(X509Utils.class);
@@ -475,8 +481,8 @@ public class X509Utils {
 	 * @throws Exception
 	 */
 	private static KeyPair newKeyPair() throws Exception {
-		KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", BC);
-		kpGen.initialize(2048, new SecureRandom());
+		KeyPairGenerator kpGen = KeyPairGenerator.getInstance(KEY_ALGORITHM, BC);
+		kpGen.initialize(KEY_LENGTH, new SecureRandom());
 		return kpGen.generateKeyPair();
 	}
 	
@@ -550,7 +556,7 @@ public class X509Utils {
 			certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
 			certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
 
-			ContentSigner caSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
+			ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM)
 					.setProvider(BC).build(caPrivateKey);
 			X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC)
 					.getCertificate(certBuilder.build(caSigner));
@@ -589,7 +595,7 @@ public class X509Utils {
 		try {
 			KeyPair caPair = newKeyPair();
 			
-			ContentSigner caSigner = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPair.getPrivate());
+			ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPair.getPrivate());
 			
 			// clone metadata
 			X509Metadata caMetadata = metadata.clone(CA_CN, metadata.password);
@@ -659,7 +665,7 @@ public class X509Utils {
 			X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());
 			
 			// build and sign CRL with CA private key
-			ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPrivateKey);
+			ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
 			X509CRLHolder crl = crlBuilder.build(signer);
 
 			File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp");
@@ -809,7 +815,7 @@ public class X509Utils {
 				certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
 			}
 
-			ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPrivateKey);
+			ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
 
 			X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certBuilder.build(signer));
 			PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)pair.getPrivate();
-- 
2.39.5