Issue #13563 has been updated by Moses Mendoza. Status changed from Merged - Pending Release to Closed
released in 3.0.0-rc6
----------------------------------------
Bug #13563: Puppet CA doesn't verify CSR signature
https://projects.puppetlabs.com/issues/13563#change-71890

Author: Michael Smith
Status: Closed
Priority: Low
Assignee: Patrick Carlisle
Category: SSL
Target version: 3.0.0
Affected Puppet version: 2.7.12
Keywords:
Branch:

> From what I can tell, the CA doesn't check the CSR signature. The signature is
> not the same as the digest: the digest is just a hash over the entire CSR,
> while the signature is used for proof-of-possession of the private key. It
> proves the entity applying for the cert actually owns the private key
> associated with the public key.
>
> From what I understand, this mostly matters if the certs are being used for
> something other than authentication (e.g. non-repudiation). That's not how the
> Puppet agent uses the certs, but maybe people are re-using Puppet certs for
> other purposes in some cases.

Here's a discussion of why proof-of-possession matters:
http://tools.ietf.org/html/rfc4211#appendix-C

This is the equivalent command-line:
`openssl req -in server.csr -noout -text -verify`

This came up as part of #13435.

To test, submit a CSR to Puppet. On the master, go to /var/lib/puppet/ssl/ca/requests and hex-edit the part of the CSR containing the public key. Make sure the CSR is still valid according to `openssl req -noout -text`, but fails verification with `openssl req -noout -verify`. Run `puppet cert sign` - it doesn't complain.

--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
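The check the report says the CA was missing, as an added Ruby example (not Puppet's own code): it verifies a CSR's proof-of-possession signature against the public key embedded in the CSR, the same test `openssl req -verify` performs, and contrasts it with a plain digest over the CSR bytes, which identifies the blob but proves nothing. The key sizes, subject name and helper names are assumptions; the tampered CSR is constructed in-process the way the report describes (public key swapped, original signature left in place).

```ruby
require 'openssl'

# Build a CSR the way an agent would: subject and public key, then
# self-signed with the matching private key (the proof-of-possession signature).
def build_csr(key, cn)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', cn]])
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# The check a CA should run before signing: verify the CSR's own signature
# with the public key it carries. True only if the requester held the
# private key matching that public key; this is what `openssl req -verify` does.
def csr_proof_of_possession_ok?(der)
  req = OpenSSL::X509::Request.new(der)
  req.verify(req.public_key)
rescue OpenSSL::X509::RequestError
  false
end

# A digest over the whole encoded CSR: a fingerprint of the bytes, not
# evidence of key possession. It exists for any CSR, valid signature or not.
def csr_fingerprint(der)
  OpenSSL::Digest::SHA256.hexdigest(der)
end

# Constructed data: a legitimate CSR, and a copy whose public key is replaced
# by one the requester does not control while the old signature is kept.
# Both parse and both have a fingerprint; only the first passes verification.
def demo
  agent_key = OpenSSL::PKey::RSA.new(2048)
  other_key = OpenSSL::PKey::RSA.new(2048)
  good = build_csr(agent_key, 'agent.example.test')
  tampered = OpenSSL::X509::Request.new(good.to_der)
  tampered.public_key = other_key.public_key
  {
    good: csr_proof_of_possession_ok?(good.to_der),
    tampered: csr_proof_of_possession_ok?(tampered.to_der),
    fingerprints_differ: csr_fingerprint(good.to_der) != csr_fingerprint(tampered.to_der)
  }
end

p demo if __FILE__ == $0
```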
