Issue #17295 has been updated by Alex Harvey.
Assignee set to Alex Harvey
I have a patch and am working on the RSpec.
<pre>
diff --git a/lib/puppet/ssl/certificate_authority.rb
b/lib/puppet/ssl/certificate_authority.rb
index bd9e13d..6229a2d 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -1,6 +1,7 @@
require 'monitor'
require 'puppet/ssl/host'
require 'puppet/ssl/certificate_request'
+require 'puppet/ssl/certificate_signer'
require 'puppet/util'
# The class that knows how to sign certificates. It creates
@@ -277,7 +278,9 @@ class Puppet::SSL::CertificateAuthority
cert = Puppet::SSL::Certificate.new(hostname)
cert.content = Puppet::SSL::CertificateFactory.
build(cert_type, csr, issuer, next_serial)
- cert.content.sign(host.key.content, OpenSSL::Digest::SHA256.new)
+
+ signer = Puppet::SSL::CertificateSigner.new
+ signer.sign(cert.content, host.key.content)
Puppet.notice "Signed certificate request for #{hostname}"
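Review bot: The `--digest` setting this ticket is about (Bug #17295, "Puppet not honouring --digest") is still not consulted here: `Puppet::SSL::CertificateSigner.new` picks the digest from whatever `OpenSSL::Digest` happens to define, so the hardcoded `OpenSSL::Digest::SHA256.new` has been replaced by a hardcoded preference order rather than by the operator's choice. Consider passing the value given to `--digest` into the signer and including the digest actually used in the `Puppet.notice "Signed certificate request for #{hostname}"` line, so a CA that has fallen back to a weaker digest says so in its own log. The two consecutive blank `+` lines above the `signer =` assignment can be reduced to one.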
diff --git a/lib/puppet/ssl/certificate_request.rb
b/lib/puppet/ssl/certificate_request.rb
index 4e1cc1a..0d90e5a 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -1,4 +1,5 @@
require 'puppet/ssl/base'
+require 'puppet/ssl/certificate_signer'
# Manage certificate requests.
class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
@@ -59,7 +60,8 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", extReq))
end
- csr.sign(key, OpenSSL::Digest::SHA256.new)
+ signer = Puppet::SSL::CertificateSigner.new
+ signer.sign(csr, key)
raise Puppet::Error, "CSR sign verification failed; you need to clean the
certificate request for #{name} on the server" unless csr.verify(key.public_key)
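Review bot: The signer is constructed afresh on every call (`Puppet::SSL::CertificateSigner.new` here and again in `certificate_authority.rb`), so the `const_defined?` probe in its constructor runs once per CSR; a single shared instance or a class-level method would avoid repeating it. Keeping the `csr.verify(key.public_key)` check after the new `signer.sign(csr, key)` call is right, since it catches a signer that produced an unverifiable signature. Note that the agent (this hunk) and the CA (`certificate_authority.rb`) now each choose a digest from their own OpenSSL build, so a CSR and the certificate issued for it may carry different digests on a mixed fleet; that is acceptable but worth stating in the signer's documentation.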
diff --git a/lib/puppet/ssl/certificate_signer.rb
b/lib/puppet/ssl/certificate_signer.rb
new file mode 100644
index 0000000..ad64fb8
--- /dev/null
+++ b/lib/puppet/ssl/certificate_signer.rb
@@ -0,0 +1,19 @@
+# Take care of signing a certificate.
+# http://projects.puppetlabs.com/issues/17295
+class Puppet::SSL::CertificateSigner
+ def initialize
+ if OpenSSL::Digest.const_defined?('SHA256')
+ @digest = OpenSSL::Digest::SHA256
+ elsif OpenSSL::Digest.const_defined?('SHA1')
+ @digest = OpenSSL::Digest::SHA1
+ else
+ raise Puppet::Error, "Unable to find support for a FIPS 140-2 compliant"
+ + " message digest algorithm in OpenSSL::Digest"
+ end
+ @digest
+ end
+
+ def sign(content, key)
+ content.sign(key, @digest.new)
+ end
+end
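Review bot: The error message in the `else` branch is cut short: the statement ends after `"Unable to find support for a FIPS 140-2 compliant"`, so `raise` fires with only that string, and the next line `+ " message digest algorithm in OpenSSL::Digest"` is a separate statement that is never reached. Move the `+` to the end of the previous line (or end that line with `\`) so the full message is raised. The bare `@digest` at the end of `initialize` does nothing, because `new` ignores the constructor's return value; drop it. The fall-back from SHA256 to SHA1 is silent, so a CA running on an OpenSSL without SHA256 will sign everything with SHA1 and give no indication of it; emit a `Puppet.warning` when the weaker digest is selected, and reconsider describing SHA1 as "FIPS 140-2 compliant" for signature generation. Finally, the file refers to `OpenSSL::Digest` and `Puppet::Error` without requiring `openssl` or `puppet/error`, so it only loads correctly if something else has already pulled them in.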
</pre>
----------------------------------------
Bug #17295: Puppet not honouring --digest
https://projects.puppetlabs.com/issues/17295#change-81035
Author: Greg Boug
Status: Accepted
Priority: Normal
Assignee: Alex Harvey
Category:
Target version:
Affected Puppet version: 3.0.1
Keywords: solaris openssl hpux
Branch:
I am trying to get Puppet 3.0.1 running on Solaris (previously had 2.7 running with no
problems) and have encountered an issue with the SSL digest.
I'm guessing it relates to updating the certificates to use SHA256 to be a
bit more secure, but it means that if the OpenSSL library isn't capable of
SHA256 then it won't work - even if you tell it to use a different digest.
For example:
<pre>
# puppet agent --digest MD5 --verbose --no-daemonize
Info: Creating a new SSL certificate request for test1
Error: Could not request certificate: uninitialized constant
OpenSSL::Digest::SHA256
</pre>
(--debug doesn't give any extra information to help here unfortunately).
Puppet is using the Solaris-provided OpenSSL as part of the Ruby install in
this case, which runs version 0.9.7 with patches and doesn't support sha256. I
don't mind the idea of compiling 1.0.x but the issue still seems to stand that
you can't choose the digest method anymore - there is an apparent use of SHA256
regardless of what option you choose.
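The report above describes two distinct problems: the digest is not selectable, and an OpenSSL build without SHA256 fails with an uninitialized-constant error instead of a clear message. The Ruby below is an added, stand-alone illustration (not Puppet's code and not part of this ticket or its patch) of a signer that honours a requested digest name, checks that the local `OpenSSL::Digest` actually provides it, and refuses digests outside an explicit allow-list rather than silently substituting another one. `ALLOWED_DIGESTS`, `resolve_digest`, `sign_csr` and `build_csr` are the example's own names, and the decision to exclude MD5 and SHA1 is the example's policy, not Puppet's.

```ruby
require 'openssl'

# Digests a configured value may select. MD5 and SHA1 are deliberately absent:
# this allow-list is the example's own policy, not Puppet's.
ALLOWED_DIGESTS = %w[SHA256 SHA384 SHA512].freeze

# Resolve a requested digest name (for instance the value of --digest) to an
# OpenSSL::Digest class. Fails loudly on both a disallowed name and a name the
# local OpenSSL build does not provide, instead of picking something else.
def resolve_digest(name)
  name = name.to_s.upcase.delete('-')          # accept "sha-256" as well as "SHA256"
  unless ALLOWED_DIGESTS.include?(name)
    raise ArgumentError,
          "digest #{name} is not permitted (allowed: #{ALLOWED_DIGESTS.join(', ')})"
  end
  unless OpenSSL::Digest.const_defined?(name)
    # This is the case the reporter hit on OpenSSL 0.9.7: the constant is missing.
    raise ArgumentError, "this OpenSSL build does not provide #{name}"
  end
  OpenSSL::Digest.const_get(name)
end

# Build an unsigned CSR for the given key and common name (constructed input).
def build_csr(key, common_name)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = key.public_key
  csr
end

# Sign the CSR with the resolved digest, verify the signature, and return the
# signature algorithm OpenSSL recorded, so the caller can confirm that the
# requested digest (and not a substitute) was used.
def sign_csr(csr, key, digest_name)
  digest = resolve_digest(digest_name)
  csr.sign(key, digest.new)
  raise 'CSR signature failed to verify' unless csr.verify(key.public_key)
  csr.signature_algorithm
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  puts sign_csr(build_csr(key, 'test1'), key, 'SHA256')
  begin
    sign_csr(build_csr(key, 'test1'), key, 'MD5')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run stand-alone, the script signs a CSR with SHA256 and then shows the MD5 request from the report being refused with an explicit reason; an unknown or unsupported digest produces an `ArgumentError` naming the digest rather than an `uninitialized constant` failure deep inside the signing call.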