Hi Andy,
On Tuesday, January 8, 2013 6:19:40 AM UTC+11, Andy Parker wrote:
>
> On Sat, Jan 5, 2013 at 8:28 AM, Alex Harvey <[email protected]> wrote:
>
>>
>> From reading the help page for puppet agent I tend to agree with Greg
>> Boug who raised the issue that --digest ought to affect both the algorithm
>> used to generate a fingerprint (which it apparently does) and also the
>> algorithm used to generate the CSR.
>>
>
> I would be a little wary of conflating these things together. It isn't
> clear to me how much the --digest should affect.
>
Yes I am also wary.
Here's what I can see --digest doing so far -
1)
# puppet cert list --all |grep myhost
+ "myhost.example.com" (SHA256) E7:96:FB:68:38:B5:6B:B7:98:AB:79:79:6C:A6:84:3F:97:F1:1E:D6:5B:3A:AB:F4:0F:5D:EF:ED:CB:DF:F9:75
# puppet cert list --all --digest MD5 |grep myhost
+ "myhost.example.com" (MD5) C0:46:14:5E:0E:73:63:00:5A:72:5A:61:84:A9:24:C5
From the help pages -
# puppet help cert
...
* --digest:
Set the digest for fingerprinting (defaults to the the digest used when
signing the cert). Valid values depends on your openssl and openssl ruby
extension version.
2)
Second use is in
# puppet help agent
...
* --fingerprint:
Display the current certificate or certificate signing request
fingerprint and then exit. Use the '--digest' option to change the
digest algorithm used.
...
* --digest:
Change the certificate fingerprinting digest algorithm. The default is
SHA256. Valid values depends on the version of OpenSSL installed, but
will likely contain MD5, MD2, SHA1 and SHA256.
This allows me on my client to do
# puppet agent --fingerprint
(SHA256) E7:96:FB:68:38:B5:6B:B7:98:AB:79:79:6C:A6:84:3F:97:F1:1E:D6:5B:3A:AB:F4:0F:5D:EF:ED:CB:DF:F9:75
and then because I am really in love with MD5 hashes I can also do -
# puppet agent --fingerprint --digest MD5
(MD5) C0:46:14:5E:0E:73:63:00:5A:72:5A:61:84:A9:24:C5
3)
# puppet man ca
* `fingerprint` - :
`SYNOPSIS`
puppet ca fingerprint [--digest ALGORITHM]
`DESCRIPTION`
Undocumented action.
`OPTIONS`
<--digest ALGORITHM> -
The hash algorithm to use when displaying the fingerprint
I also note a comment by Jeff Weiss in lib/puppet/ssl/host.rb -
  def to_pson(*args)
    my_cert = Puppet::SSL::Certificate.indirection.find(name)
    pson_hash = { :name => name }

    my_state = state

    pson_hash[:state] = my_state
    pson_hash[:desired_state] = desired_state if desired_state

    thing_to_use = (my_state == 'requested') ? certificate_request : my_cert

    # this is for backwards-compatibility
    # we should deprecate it and transition people to using
    # pson[:fingerprints][:default]
    # It appears that we have no internal consumers of this api
    # --jeffweiss 30 aug 2012
    pson_hash[:fingerprint] = thing_to_use.fingerprint

    # The above fingerprint doesn't tell us what message digest algorithm was used
    # No problem, except that the default is changing between 2.7 and 3.0. Also, as
    # we move to FIPS 140-2 compliance, MD5 is no longer allowed (and, gasp, will
    # segfault in rubies older than 1.9.3)
    # So, when we add the newer fingerprints, we're explicit about the hashing
    # algorithm used.
    # --jeffweiss 31 july 2012
    pson_hash[:fingerprints] = {}
    pson_hash[:fingerprints][:default] = thing_to_use.fingerprint

    suitable_message_digest_algorithms.each do |md|
      pson_hash[:fingerprints][md] = thing_to_use.fingerprint md
    end

    pson_hash[:dns_alt_names] = thing_to_use.subject_alt_names

    pson_hash.to_pson(*args)
  end

  # eventually we'll probably want to move this somewhere else or make it
  # configurable
  # --jeffweiss 29 aug 2012
  def suitable_message_digest_algorithms
    [:SHA1, :SHA256, :SHA512]
  end
I am yet to fully get my head around what to_pson is used for. However, I
am wondering if this move to FIPS 140-2 compliance and Jeff's comment about
ruby segfaulting when using MD5 means I should handle a case where neither
SHA1 nor SHA256 is available differently.
So perhaps a new option is needed to choose (1) the algorithm used to
generate a CSR (2) the algorithm used to create a certificate using puppet
cert generate, (3) option used via puppet ca generate.
Or maybe all this is too ambitious and I should just refactor to create a
class that takes care of signing a certificate and have it gracefully
handle the situation where SHA256 isn't available.
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-dev/-/Bql3ya0CPX8J.
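As an added illustration of the fingerprint behaviour discussed in this thread (not code from Puppet or from the poster), the Ruby below builds a constructed self-signed certificate, produces fingerprints in the same colon-separated uppercase hex format shown above for any digest the local OpenSSL/ruby build supports, and resolves a requested or default digest with a clear error instead of a crash when an algorithm is unavailable. The preferred-digest list and the function names are assumptions for this example.

```ruby
require 'openssl'

# Assumed preference order; mirrors the spirit of suitable_message_digest_algorithms.
PREFERRED_DIGESTS = %w[SHA256 SHA512 SHA1].freeze

# True if this OpenSSL build and its ruby binding can instantiate the digest.
def digest_available?(name)
  OpenSSL::Digest.new(name)
  true
rescue StandardError
  false
end

# Choose a digest: honour an explicit request only if supported, otherwise
# fall back to the first supported preferred digest. Fails loudly, never silently.
def select_digest(requested = nil)
  if requested
    return requested if digest_available?(requested)
    raise ArgumentError, "digest #{requested} is not supported by this OpenSSL/ruby build"
  end
  chosen = PREFERRED_DIGESTS.find { |d| digest_available?(d) }
  raise ArgumentError, "none of #{PREFERRED_DIGESTS.join(', ')} are available" unless chosen
  chosen
end

# Fingerprint = digest of the DER encoding, rendered as AA:BB:CC... (uppercase).
def fingerprint(cert, digest_name)
  OpenSSL::Digest.new(digest_name).hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# All fingerprints for the supported preferred digests, keyed by algorithm name.
def fingerprints(cert)
  PREFERRED_DIGESTS.select { |d| digest_available?(d) }
                   .each_with_object({}) { |d, h| h[d] = fingerprint(cert, d) }
end

# Constructed throwaway self-signed certificate for demonstration only.
def build_test_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=myhost.example.com')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = cert.not_before + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end
```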