From 49ace3d96358f6898da77e463d6aa516bdaafafa Mon Sep 17 00:00:00 2001
From: tresf <tres.finocchiaro@gmail.com>
Date: Wed, 27 Nov 2019 14:45:13 -0500
Subject: [PATCH] Update signing examples to use sha512

---
 assets/signing/sign-message.R       | 2 +-
 assets/signing/sign-message.asp     | 2 +-
 assets/signing/sign-message.cfm     | 3 ++-
 assets/signing/sign-message.cs      | 4 ++--
 assets/signing/sign-message.go      | 2 +-
 assets/signing/sign-message.java    | 2 +-
 assets/signing/sign-message.js      | 3 ++-
 assets/signing/sign-message.jsl     | 2 +-
 assets/signing/sign-message.jsp     | 2 +-
 assets/signing/sign-message.node.js | 2 +-
 assets/signing/sign-message.odoo.py | 2 +-
 assets/signing/sign-message.php     | 3 ++-
 assets/signing/sign-message.pl      | 2 +-
 assets/signing/sign-message.py      | 2 +-
 assets/signing/sign-message.rb      | 2 +-
 assets/signing/sign-message.ts      | 3 ++-
 assets/signing/sign-message.vb      | 4 ++--
 assets/signing/sign_message.erl     | 2 +-
 sample.html                         | 1 +
 19 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/assets/signing/sign-message.R b/assets/signing/sign-message.R
index a36b93002..73b5d0c5e 100644
--- a/assets/signing/sign-message.R
+++ b/assets/signing/sign-message.R
@@ -33,6 +33,6 @@ message <- enc2utf8(commandArgs(trailingOnly = TRUE))
 key <- read_key(file = mykey, password = mypass)
 
 # Create the signature
-sig <- signature_create(serialize(message, NULL), key = key)
+sig <- signature_create(serialize(message, NULL), hash = sha512, key = key) # Use hash = sha1 for QZ Tray 2.0 and older
 
 print(sig)
diff --git a/assets/signing/sign-message.asp b/assets/signing/sign-message.asp
index 7825928a5..22ab2ce36 100644
--- a/assets/signing/sign-message.asp
+++ b/assets/signing/sign-message.asp
@@ -38,7 +38,7 @@ pk.LoadPemFile("private-key.pem")
 key = pk.GetXml()
 rsa.ImportPrivateKey(key)
 rsa.EncodingMode = "base64"
-sig = rsa.SignStringENC(data,"sha-1")
+sig = rsa.SignStringENC(data,"SHA-512") ' Use "SHA-1" for QZ Tray 2.0 and older
 
 Response.ContentType = "text/plain"
 Response.Write Server.HTMLEncode(sig)
diff --git a/assets/signing/sign-message.cfm b/assets/signing/sign-message.cfm
index 0e3127cef..cc36133d2 100644
--- a/assets/signing/sign-message.cfm
+++ b/assets/signing/sign-message.cfm
@@ -34,7 +34,8 @@
 * @encoding I am the encoding used when returning the signature (base64 by default).
 * @output false
 */
-public any function sign(required string keyPath, required string message, string algorithm = "SHA1withRSA", string encoding = "base64") {
+public any function sign(required string keyPath, required string message, string algorithm = "SHA512withRSA", string encoding = "base64") {
+	// Note: change algorithm to "SHA1withRSA" for QZ Tray 2.0 and older
 	createObject("java", "java.security.Security")
 		.addProvider(createObject("java", "org.bouncycastle.jce.provider.BouncyCastleProvider").init());
 	privateKey = createPrivateKey(fileRead(expandPath(keyPath)));
diff --git a/assets/signing/sign-message.cs b/assets/signing/sign-message.cs
index 1edfe95a3..771df86ca 100644
--- a/assets/signing/sign-message.cs
+++ b/assets/signing/sign-message.cs
@@ -40,8 +40,8 @@ public static string SignMessage(string request)
         var cert = new X509Certificate2(KEY, PASS, STORAGE_FLAGS);
         RSACryptoServiceProvider csp = (RSACryptoServiceProvider)cert.PrivateKey;
         byte[] data = new ASCIIEncoding().GetBytes(request);
-        byte[] hash = new SHA1CryptoServiceProvider().ComputeHash(data);
-        return Convert.ToBase64String(csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA1")));
+        byte[] hash = new SHA512CryptoServiceProvider().ComputeHash(data);  // Use SHA1CryptoServiceProvider for QZ Tray 2.0 and older
+        return Convert.ToBase64String(csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA512"))); // Use "SHA1" for QZ Tray 2.0 and older
     }
     catch(Exception ex)
     {
diff --git a/assets/signing/sign-message.go b/assets/signing/sign-message.go
index 60ea2b51f..25bd9eece 100644
--- a/assets/signing/sign-message.go
+++ b/assets/signing/sign-message.go
@@ -67,7 +67,7 @@ func handler(w http.ResponseWriter, r *http.Request) {
 
 	hash := sha1.Sum([]byte(data))
 	rng := rand.Reader
-	signature, err := rsa.SignPKCS1v15(rng, rsaPrivateKey, crypto.SHA1, hash[:])
+	signature, err := rsa.SignPKCS1v15(rng, rsaPrivateKey, crypto.SHA512, hash[:]) // Use crypto.SHA1 for QZ Tray 2.0 and older
 	if err != nil {
 		displayError(w, "Error from signing: %s\n", err)
 		return
diff --git a/assets/signing/sign-message.java b/assets/signing/sign-message.java
index 7a80412a3..3efef063f 100644
--- a/assets/signing/sign-message.java
+++ b/assets/signing/sign-message.java
@@ -82,7 +82,7 @@ public MessageSigner(byte[] keyData) throws Exception {
         PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(parseKeyData(keyData));
         KeyFactory kf = KeyFactory.getInstance("RSA");
         PrivateKey key = kf.generatePrivate(keySpec);
-        sig = Signature.getInstance("SHA1withRSA");
+        sig = Signature.getInstance("SHA512withRSA"); // Use "SHA1withRSA" for QZ Tray 2.0 and older
         sig.initSign(key);
     }
 
diff --git a/assets/signing/sign-message.js b/assets/signing/sign-message.js
index 9ece1eb5d..08b62c7f8 100644
--- a/assets/signing/sign-message.js
+++ b/assets/signing/sign-message.js
@@ -67,11 +67,12 @@ var privateKey = "-----BEGIN PRIVATE KEY-----\n" +
    "EjzSn7DcDE1tL2En/tSVXeUY\n" +
    "-----END PRIVATE KEY-----";
 
+qz.security.setSignatureAlgorithm("SHA512"); // Since 2.1
 qz.security.setSignaturePromise(function(toSign) {
     return function(resolve, reject) {
         try {
             var pk = KEYUTIL.getKey(privateKey);
-            var sig = new KJUR.crypto.Signature({"alg": "SHA1withRSA"});
+            var sig = new KJUR.crypto.Signature({"alg": "SHA512withRSA"});  // Use "SHA1withRSA" for QZ Tray 2.0 and older
             sig.init(pk); 
             sig.updateString(toSign);
             var hex = sig.sign();
diff --git a/assets/signing/sign-message.jsl b/assets/signing/sign-message.jsl
index ecd6b09a2..754cb3c96 100644
--- a/assets/signing/sign-message.jsl
+++ b/assets/signing/sign-message.jsl
@@ -36,7 +36,7 @@ let request = "test data"
 // openssl pkcs12 -export -in private-key.pem -inkey digital-certificate.txt -out private-key.pfx
 let cert = new X509Certificate2("private-key.pfx")
 
-let sha1 = new SHA1CryptoServiceProvider()
+let sha1 = new SHA512CryptoServiceProvider() // Use "SHA1CryptoServiceProvider" for QZ Tray 2.0 and older
 
 let csp = cert.PrivateKey :?> RSACryptoServiceProvider
 let encoder = new ASCIIEncoding()
diff --git a/assets/signing/sign-message.jsp b/assets/signing/sign-message.jsp
index b3997a041..70cc97800 100644
--- a/assets/signing/sign-message.jsp
+++ b/assets/signing/sign-message.jsp
@@ -57,7 +57,7 @@ private String getSignature(Object o) {
 		PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(keyData);
 		KeyFactory kf = KeyFactory.getInstance("RSA");
 		PrivateKey key = kf.generatePrivate(keySpec);
-		Signature sig = Signature.getInstance("SHA1withRSA");
+		Signature sig = Signature.getInstance("SHA512withRSA"); // Use "SHA1withRSA" for QZ Tray 2.0 and older
 		sig.initSign(key);
 		sig.update(req.getBytes());
 		String output = DatatypeConverter.printBase64Binary(sig.sign());
diff --git a/assets/signing/sign-message.node.js b/assets/signing/sign-message.node.js
index fa9be362a..5ee68d8d6 100644
--- a/assets/signing/sign-message.node.js
+++ b/assets/signing/sign-message.node.js
@@ -32,7 +32,7 @@ app.get('/sign', function(req, res) {
     var toSign = req.query.requestToSign;
 
     fs.readFile(path.join(__dirname, '\\' + key), 'utf-8', function(err, privateKey) {
-        var sign = crypto.createSign('SHA1');
+        var sign = crypto.createSign('SHA512'); // Use "SHA1" for QZ Tray 2.0 and older
 
         sign.update(toSign);
         var signature = sign.sign({ key: privateKey/*, passphrase: pass */ }, 'base64');
diff --git a/assets/signing/sign-message.odoo.py b/assets/signing/sign-message.odoo.py
index d484a40ae..23212524c 100644
--- a/assets/signing/sign-message.odoo.py
+++ b/assets/signing/sign-message.odoo.py
@@ -38,6 +38,6 @@ def index(self, **kwargs):
         key_file.close()
         password = None
         pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, key, password)
-        sign = crypto.sign(pkey, kwargs.get('request', ''), 'sha1')
+        sign = crypto.sign(pkey, kwargs.get('request', ''), 'sha512') # Use 'sha1' for QZ Tray 2.0 and older
         data_base64 = base64.b64encode(sign)
         return request.make_response(data_base64, [('Content-Type', 'text/plain')])
diff --git a/assets/signing/sign-message.php b/assets/signing/sign-message.php
index 59eed1dc1..e12cda498 100644
--- a/assets/signing/sign-message.php
+++ b/assets/signing/sign-message.php
@@ -30,12 +30,13 @@
 $privateKey = openssl_get_privatekey(file_get_contents($KEY) /*, $PASS */);
 
 $signature = null;
-openssl_sign($req, $signature, $privateKey);
+openssl_sign($req, $signature, $privateKey, "sha512"); // Use "sha1" for QZ Tray 2.0 and older
 
 /*
 // Or alternately, via phpseclib
 include('Crypt/RSA.php');
 $rsa = new Crypt_RSA();
+$rsa.setHash('sha512'); // Use 'sha1' for QZ Tray 2.0 and older
 $rsa->loadKey(file_get_contents($KEY));
 $rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);
 $signature = $rsa->sign($req);
diff --git a/assets/signing/sign-message.pl b/assets/signing/sign-message.pl
index 3d316c38f..977dbf088 100644
--- a/assets/signing/sign-message.pl
+++ b/assets/signing/sign-message.pl
@@ -46,7 +46,7 @@
 my $rsa = Crypt::OpenSSL::RSA->new_private_key($private_key);
 
 # Create signature
-$rsa->use_sha1_hash();
+$rsa->use_sha512_hash(); # use_sha1_hash for QZ Tray 2.0 and older
 my $sig = encode_base64($rsa->sign($request));
 
 print $sig;
diff --git a/assets/signing/sign-message.py b/assets/signing/sign-message.py
index 6228b9881..2433a7813 100644
--- a/assets/signing/sign-message.py
+++ b/assets/signing/sign-message.py
@@ -47,7 +47,7 @@ def index(request):
     )
 
     # Create the signature
-    signature = key.sign(message.encode('utf-8'), padding.PKCS1v15(), hashes.SHA1())
+    signature = key.sign(message.encode('utf-8'), padding.PKCS1v15(), hashes.SHA512()) # Use hashes.SHA1 for QZ Tray 2.0 and older
 
     # Echo the signature
     return HttpResponse(base64.b64encode(signature), content_type="text/plain")
diff --git a/assets/signing/sign-message.rb b/assets/signing/sign-message.rb
index 4ca43f60b..c95e6b682 100644
--- a/assets/signing/sign-message.rb
+++ b/assets/signing/sign-message.rb
@@ -25,7 +25,7 @@
 # Typical rails controller
 class PrintingController < ActionController::Base
   def sign
-    digest   = OpenSSL::Digest.new('sha1')
+    digest   = OpenSSL::Digest.new('sha512') # Use 'sha1' for QZ Tray 2.0 and older
     pkey     = OpenSSL::PKey::read(File.read(Rails.root.join('lib', 'certs', 'private-key.pem')))
 
     signed   = pkey.sign(digest, params[:request])
diff --git a/assets/signing/sign-message.ts b/assets/signing/sign-message.ts
index dbb951d53..efabbb4a5 100644
--- a/assets/signing/sign-message.ts
+++ b/assets/signing/sign-message.ts
@@ -35,13 +35,14 @@ qz.security.setCertificatePromise((resolve, reject) => {
 /*
  * Client-side using jsrsasign
  */
+qz.security.setSignatureAlgorithm("SHA512"); // Since 2.1
 qz.security.setSignaturePromise(hash => {
  return (resolve, reject) => {
   fetch("assets/private-key.pem", {cache: 'no-store', headers: {'Content-Type': 'text/plain'}})
    .then(wrapped => wrapped.text())
    .then(data => {
      var pk = KEYUTIL.getKey(data);
-     var sig = new KJUR.crypto.Signature({"alg": "SHA1withRSA"});
+     var sig = new KJUR.crypto.Signature({"alg": "SHA512withRSA"}); // Use "SHA1withRSA" for QZ Tray 2.0 and older
      sig.init(pk);
      sig.updateString(hash);
      var hex = sig.sign();
diff --git a/assets/signing/sign-message.vb b/assets/signing/sign-message.vb
index 76f8021cd..98328ac95 100644
--- a/assets/signing/sign-message.vb
+++ b/assets/signing/sign-message.vb
@@ -32,9 +32,9 @@ Public Sub SignMessage(message As String)
 	Dim csp As RSACryptoServiceProvider = CType(cert.PrivateKey,RSACryptoServiceProvider)
 	
 	Dim data As Byte() = New ASCIIEncoding().GetBytes(message)
-	Dim hash As Byte() = New SHA1Managed().ComputeHash(data)
+	Dim hash As Byte() = New SHA512Managed().ComputeHash(data) ' Use SHA1Managed() for QZ Tray 2.0 and older
 	
 	Response.ContentType = "text/plain"
-	Response.Write(Convert.ToBase64String(csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA1"))))
+	Response.Write(Convert.ToBase64String(csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA512")))) ' Use "SHA1" for QZ Tray 2.0 and older
 	Environment.[Exit](0)
 End Sub
diff --git a/assets/signing/sign_message.erl b/assets/signing/sign_message.erl
index 8ec9536dd..8a950b1a1 100644
--- a/assets/signing/sign_message.erl
+++ b/assets/signing/sign_message.erl
@@ -45,6 +45,6 @@ sign(Message, KeyPath) ->
   {ok, Data} = file:read_file(KeyPath),
   [KeyEntry] =  public_key:pem_decode(Data),
   PrivateKey = public_key:pem_entry_decode(KeyEntry),
-  Signature = public_key:sign(list_to_binary(Message), sha, PrivateKey),
+  Signature = public_key:sign(list_to_binary(Message), sha512, PrivateKey), % Use sha1 for QZ Tray 2.0 and older
   Base64 = base64:encode(Signature),
   io:fwrite(Base64).
diff --git a/sample.html b/sample.html
index c7d356473..1c00534cd 100644
--- a/sample.html
+++ b/sample.html
@@ -1224,6 +1224,7 @@ <h4 class="panel-title">Options</h4>
                 "-----END CERTIFICATE-----\n");
     });
 
+    qz.security.setSignatureAlgorithm("SHA512"); // Since 2.1
     qz.security.setSignaturePromise(function(toSign) {
         return function(resolve, reject) {
             //Preferred method - from server