From e0c1e3efd187a3cfa77906eef978fa6beada0b31 Mon Sep 17 00:00:00 2001
From: Ken Goldman <kgoldman@us.ibm.com>
Date: Thu, 1 Jul 2021 13:55:28 -0400
Subject: [PATCH] utils: Generate X509 certificate serial number using sha256

This is just a test certificate, not a real CA.  Certificate serial
numbers can be 20 octets maximum.  Use a truncated sha256 because some
'lint' programs are now scanning for sha1.

Signed-off-by: Ken Goldman <kgoldman@us.ibm.com>
---
 utils/ekutils.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/utils/ekutils.c b/utils/ekutils.c
index a0a2734..aad6fba 100644
--- a/utils/ekutils.c
+++ b/utils/ekutils.c
@@ -61,6 +61,7 @@
 
 #include <openssl/pem.h>
 #include <openssl/x509.h>
+#include <openssl/evp.h>
 
 #include <ibmtss/tssresponsecode.h>
 #include <ibmtss/tssutils.h>
@@ -1835,7 +1836,7 @@ TPM_RC startCertificate(X509 *x509Certificate,	/* X509 certificate to be generat
     ASN1_TIME 		*arc;			/* return code */
     ASN1_INTEGER 	*x509Serial;		/* certificate serial number in ASN1 */
     BIGNUM 		*x509SerialBN;		/* certificate serial number as a BIGNUM */
-    unsigned char 	x509Serialbin[SHA1_DIGEST_SIZE]; /* certificate serial number in binary */
+    unsigned char 	x509Serialbin[EVP_MAX_MD_SIZE]; /* certificate serial number in binary */
     X509_NAME 		*x509IssuerName;	/* composite issuer name, key/value pairs */
     X509_NAME 		*x509SubjectName;	/* composite subject name, key/value pairs */
 
@@ -1855,11 +1856,20 @@ TPM_RC startCertificate(X509 *x509Certificate,	/* X509 certificate to be generat
       add certificate serial number
     */
     if (rc == 0) {
+	const EVP_MD *type;
+
 	if (tssUtilsVerbose) printf("startCertificate: Adding certificate serial number\n");
 	/* to create a unique serial number, hash the key to be certified */
-	SHA1(keyBuffer, keyLength, x509Serialbin);
-	/* convert the SHA1 digest to a BIGNUM */
-	x509SerialBN = BN_bin2bn(x509Serialbin, SHA1_DIGEST_SIZE, x509SerialBN);
+	type = EVP_sha256();
+	irc = EVP_Digest(keyBuffer, keyLength, x509Serialbin, NULL, type, NULL);
+	if (irc == 0) {
+	    printf("startCertificate: Error in serial number EVP_Digest\n");
+	    rc = TSS_RC_X509_ERROR;
+	}
+    }
+    if (rc == 0) {
+	/* convert the digest to a BIGNUM, use 20 octets */
+	x509SerialBN = BN_bin2bn(x509Serialbin, 20, x509SerialBN);
 	if (x509SerialBN == NULL) {
 	    printf("startCertificate: Error in serial number BN_bin2bn\n");
 	    rc = TSS_RC_X509_ERROR;
-- 
2.34.1