On Sat, Jan 5, 2013 at 8:28 AM, Alex Harvey <[email protected]> wrote:
> Hi all,
>
> I've spent the holidays trying to make my upgrade to puppet v3 on my n+1
> versions of Unix work and in the process found two more bugs, one a known
> issue, and the other a new issue, and these are stopping puppet from
> working on HP-UX.
>
>
Thanks for working on this!
> I'm happy to send in patches for them but I'll need some advice/discussion.
>
>
> Redmine #17295 - puppet not honouring --digest
>
> This is a real showstopper on HP-UX unless you happen to like compiling
> OpenSSL.
>
> I've investigated and hacked together a workaround that works for me -
>
> # diff
> /usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/ssl/certificate_request.rb*
> 62c62,66
> < csr.sign(key, OpenSSL::Digest::SHA256.new)
> ---
> > if OpenSSL::Digest.const_defined?('SHA256')
> > csr.sign(key, OpenSSL::Digest::SHA256.new)
> > elsif OpenSSL::Digest.const_defined?('SHA1')
> > csr.sign(key, OpenSSL::Digest::SHA1.new)
> > end
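Review bot: the `if OpenSSL::Digest.const_defined?('SHA256') ... elsif ... 'SHA1'` chain has no `else`, so on a build that lacks both constants `csr.sign` is never called and an unsigned CSR continues on silently; add an `else` that raises, and consider logging when the SHA1 branch is taken, since it quietly downgrades the CSR signature digest from SHA256 to SHA1.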
>
> # diff
> /usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/ssl/certificate_authority.rb.orig
> /usr/local/lib/ruby/gems/1.8/gems/puppet-3.0.1/lib/puppet/ssl/certificate_authority.rb
> 278c278,283
> < cert.content.sign(host.key.content, OpenSSL::Digest::SHA256.new)
> ---
> >
> > if OpenSSL::Digest.const_defined?('SHA256')
> > cert.content.sign(host.key.content, OpenSSL::Digest::SHA256.new)
> > elsif OpenSSL::Digest.const_defined?('SHA1')
> > cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new)
> > end
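Review bot: same missing `else` as in certificate_request.rb, and here the consequence is worse because this is the CA signing a certificate: with neither constant defined, `cert.content.sign` is skipped and an unsigned certificate proceeds. The identical if/elsif in two files also argues for one shared place that chooses the digest; the stray blank line added after `---` can be dropped.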
>
>
I see what you are getting at. The fact that this is showing up in two
places like this makes me think that there needs to be something pulled out
to handle signing. Maybe something like:
  class Puppet::SSL::CertificateSigner
    def initialize
      # Prefer SHA256; fall back to SHA1 where this OpenSSL build lacks it.
      @digest = OpenSSL::Digest.const_defined?('SHA256') ?
        OpenSSL::Digest::SHA256 : OpenSSL::Digest::SHA1
    end

    def sign(content, key)
      content.sign(key, @digest.new)
    end
  end
Then use that at those two points. I haven't looked at the code around what
you show, so there might be more things that can be moved around at the same
time.
> This allows me to generate CSRs which is great, but doesn't seem to be the
> right solution.
>
> From reading the help page for puppet agent I tend to agree with Greg
> Boug, who raised the issue, that --digest ought to affect both the algorithm
> used to generate a fingerprint (which it apparently does) and also the
> algorithm used to generate the CSR.
>
> If people agree, I will fix it so that it does this.
>
>
I would be a little wary of conflating these things together. It isn't
clear to me how much the --digest should affect.
>
> Redmine #18393 - puppet assumes that all versions of diff support -u
> whereas the HP-UX version doesn't and neither did Solaris 8.
>
> This one looks harder to fix because there is a global default set in
> diff_args in lib/puppet/defaults.rb. The whole concept of having a global
> default doesn't seem sensible if we're passing an argument in that can't be
> relied upon to be globally available. So some thoughts on what to do here
> would help greatly.
>
>
I've always thought it a little strange that we create these diffs by
shelling out and running diff. There should be another way of doing this.
Normally I would say that we should just rely on a library for generating
diffs, but I know that we like to keep the core from requiring other
libraries in order to work.
>
> Happy new year to all!
>
> Best regards,
> Alex
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-dev/-/0uyUg-xObAEJ.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-dev?hl=en.
>
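As an added example that is not part of this thread or of Puppet's code, here is one way the signer sketched above could honour a requested digest name (as --digest would supply one) while checking that the digest is actually compiled into the local OpenSSL, and raise rather than sign nothing when it is not. CertificateSigner and sign_sample_csr are assumed names, and the CSR subject is constructed.

```ruby
require 'openssl'

# Chooses the signing digest once, preferring SHA256 and honouring an
# explicitly requested digest. Assumed class name; not Puppet's own code.
class CertificateSigner
  PREFERRED = %w[SHA256 SHA1].freeze   # tried in order when nothing is requested

  attr_reader :digest_class

  # requested: optional digest name such as "SHA256"; nil means "best available"
  def initialize(requested = nil)
    names = requested ? [requested.upcase] : PREFERRED
    # The regex keeps const_defined? from raising NameError on odd input.
    name = names.find do |n|
      n =~ /\A[A-Z][A-Z0-9]*\z/ && OpenSSL::Digest.const_defined?(n)
    end
    # Unlike an if/elsif with no else, refuse loudly instead of signing nothing.
    raise ArgumentError, "no usable digest among #{names.join(', ')}" unless name
    @digest_class = OpenSSL::Digest.const_get(name)
  end

  # Sign a CSR or certificate (anything that responds to #sign(key, digest)).
  def sign(content, key)
    content.sign(key, @digest_class.new)
    content
  end
end

# Constructed sample: build and sign a CSR, verify it, return its algorithm name.
def sign_sample_csr(requested = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse('/CN=example.test')
  csr.public_key = key.public_key
  CertificateSigner.new(requested).sign(csr, key)
  raise 'CSR signature does not verify' unless csr.verify(key)
  csr.signature_algorithm
end
```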