From 10536b7f5b07aab3dc9631e94a56258155a1d942 Mon Sep 17 00:00:00 2001
From: olszomal
Date: Mon, 21 Aug 2023 09:29:28 +0200
Subject: [PATCH] Changed the default value of the "ess_cert_id_alg" option
This is used to calculate the TSA's public key certificate identifier. The default algorithm is changed from sha1 to sha256.
Reviewed-by: Tim Hudson
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/21794)
---
 apps/openssl-vms.cnf | 4 ++--
 apps/openssl.cnf | 4 ++--
 crypto/ts/ts_conf.c | 2 +-
 doc/man1/openssl-ts.pod.in | 2 +-
 test/CAtsa.cnf | 2 +-
 5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index 393789b424..d6d5f58db6 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -330,8 +330,8 @@ tsa_name = yes # Must the TSA name be included in the reply?
 # (optional, default: no)
 ess_cert_id_chain = no # Must the ESS cert id chain be included?
 # (optional, default: no)
-ess_cert_id_alg = sha1 # algorithm to compute certificate
- # identifier (optional, default: sha1)
+ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha256)
 [insta] # CMP using Insta Demo CA
 # Message transfer
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 5597d89a03..0d564d3ba5 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -330,8 +330,8 @@ tsa_name = yes # Must the TSA name be included in the reply?
 # (optional, default: no)
 ess_cert_id_chain = no # Must the ESS cert id chain be included?
 # (optional, default: no)
-ess_cert_id_alg = sha1 # algorithm to compute certificate
- # identifier (optional, default: sha1)
+ess_cert_id_alg = sha256 # algorithm to compute certificate
+ # identifier (optional, default: sha256)
 [insta] # CMP using Insta Demo CA
 # Message transfer
diff --git a/crypto/ts/ts_conf.c b/crypto/ts/ts_conf.c
index c415839995..3fde53cf9f 100644
--- a/crypto/ts/ts_conf.c
+++ b/crypto/ts/ts_conf.c
@@ -481,7 +481,7 @@ int TS_CONF_set_ess_cert_id_digest(CONF *conf, const char *section,
 const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
 if (md == NULL)
- md = "sha1";
+ md = "sha256";
 cert_md = EVP_get_digestbyname(md);
 if (cert_md == NULL) {
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index 0f9049d2a4..6f71820202 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -490,7 +490,7 @@ Default is no. (Optional)
 =item B
 This option specifies the hash function to be used to calculate the TSA's
-public key certificate identifier. Default is sha1. (Optional)
+public key certificate identifier. Default is sha256. (Optional)
 =back
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index 50f68cbc19..756c94d733 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -144,7 +144,7 @@ tsa_name = yes # Must the TSA name be included in the reply?
 ess_cert_id_chain = yes # Must the ESS cert id chain be included?
 # (optional, default: no)
 ess_cert_id_alg = sha256 # algorithm to compute certificate
- # identifier (optional, default: sha1)
+ # identifier (optional, default: sha256)
 [ tsa_config2 ]
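Review bot: The new fallback `md = "sha256";` silently changes the digest the TSA puts into the ESS certificate identifier of every response generated without an explicit ess_cert_id_alg, yet the diffstat shows no CHANGES.md or NEWS.md entry, so the only announcement of this user-visible default change is the sample configs and the man page. As far as I recall from the ESS signing path (not part of this hunk), a non-SHA-1 digest here makes the responder emit the ESSCertIDv2/SigningCertificateV2 form instead of the SHA-1 ESSCertID form, so verifiers that only accept the v1 attribute may start rejecting responses created with the new default; that compatibility consequence belongs in a CHANGES entry and in the ess_cert_id_alg option text. A one-line why-comment above the fallback would also help the next reader, e.g. `/* No ess_cert_id_alg configured: default to SHA-256 rather than the legacy SHA-1 */`. The enclosing function TS_CONF_set_ess_cert_id_digest starts and ends outside the hunk.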