The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #17295

Puppet not honouring --digest

Added by Greg Boug over 3 years ago. Updated almost 3 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%

Category: SSL
Target version: 3.1.0
Affected Puppet version: 3.0.1
Branch: https://github.com/puppetlabs/puppet/pull/1413
Keywords: solaris openssl hpux


Description

I am trying to get Puppet 3.0.1 running on Solaris (previously had 2.7 running with no problems) and have encountered an issue with the SSL digest.

I’m guessing it was relating to updating the certificates to use SHA256 to be a bit more secure, but it means that if the OpenSSL library isn’t capable of SHA256 then it won’t work – even if you tell it to use a different digest.

For example:

# puppet agent --digest MD5 --verbose --no-daemonize 
Info: Creating a new SSL certificate request for test1
Error: Could not request certificate: uninitialized constant OpenSSL::Digest::SHA256

(--debug doesn’t give any extra information to help here unfortunately).

Puppet is using the Solaris-provided OpenSSL as part of the Ruby install in this case, which runs version 0.9.7 with patches and doesn’t support sha256. I don’t mind the idea of compiling 1.0.x but the issue still seems to stand that you can’t choose the digest method anymore – there is an apparent use of SHA256 regardless of what option you choose.


Related issues

Related to Puppet - Feature #8120: Let user change hashing algorithm, to avoid crashing on F... Code Insufficient 06/28/2011
Related to Puppet - Feature #21029: Allow control over the digest used to create CA certificates Accepted
Related to Puppet - Feature #21257: Add a configuration option for the digest algorithm used ... Needs Decision

History

#1 Updated by Josh Cooper over 3 years ago

  • Description updated (diff)
  • Status changed from Unreviewed to Accepted
  • Keywords set to solaris openssl

The digest command line option only affects the algorithm used to generate a fingerprint, but doesn’t affect the overall signature algorithm used to generate the CSR, e.g. sha256WithRSAEncryption. With that said, we assume SHA256 is available in several places, and should gracefully handle when it’s not. For example, this won’t work:

csr.sign(key, OpenSSL::Digest::SHA256.new)
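As an added illustration of the distinction Josh draws above (example code written for this page, not Puppet's own), the following Ruby builds a CSR with a chosen signature digest, reads back the signatureAlgorithm that ended up in the request, and computes fingerprints over the same DER bytes with other digests; it also shows a capability probe that prefers SHA256 and falls back to SHA1 when the local OpenSSL has no such constant. The key, the subject name `test1`, and the `build_csr`, `fingerprint` and `best_available_digest` helpers are constructed for this example.

```ruby
require 'openssl'

# Build a CSR for `name`, signed with the requested signature digest class
# (e.g. OpenSSL::Digest::SHA256). This digest is what lands in the CSR's
# signatureAlgorithm; it is independent of any fingerprint computed later.
def build_csr(name, key, sig_digest)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', name]])
  csr.public_key = key.public_key
  csr.sign(key, sig_digest.new)
  csr
end

# Fingerprint of the DER encoding with the digest an operator picks via
# --digest. Changing this never changes the CSR's signature algorithm.
def fingerprint(csr, fp_digest)
  fp_digest.new.hexdigest(csr.to_der).scan(/../).join(':').upcase
end

# Pick the first digest this OpenSSL actually exposes, in preference order.
# Mirrors the probe-and-fall-back idea; raises when none is available.
def best_available_digest(candidates = %w[SHA256 SHA1])
  name = candidates.find { |c| OpenSSL::Digest.const_defined?(c) }
  raise "no supported digest among #{candidates.join(', ')}" unless name
  OpenSSL::Digest.const_get(name)
end

# Constructed demo: one key, one CSR, two fingerprints of the same request.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  csr = build_csr('test1', key, best_available_digest)
  {
    signature_algorithm: csr.signature_algorithm, # fixed by csr.sign
    verifies: csr.verify(key.public_key),
    sha1_fp: fingerprint(csr, OpenSSL::Digest::SHA1),
    sha256_fp: fingerprint(csr, OpenSSL::Digest::SHA256)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Swapping the digest passed to `fingerprint` changes only the fingerprint string, while `csr.signature_algorithm` is determined solely by the digest handed to `csr.sign`; that is why `--digest MD5` cannot avoid the SHA256 lookup on the reporter's host.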

#2 Updated by Anonymous over 3 years ago

  • Keywords changed from solaris openssl to solaris openssl hpux

This affects HP-UX as well.

#3 Updated by Anonymous over 3 years ago

  • Assignee set to Anonymous

I have a patch and am working on the RSpec.

diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index bd9e13d..6229a2d 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -1,6 +1,7 @@
 require 'monitor'
 require 'puppet/ssl/host'
 require 'puppet/ssl/certificate_request'
+require 'puppet/ssl/certificate_signer'
 require 'puppet/util'

 # The class that knows how to sign certificates.  It creates
@@ -277,7 +278,9 @@ class Puppet::SSL::CertificateAuthority
     cert = Puppet::SSL::Certificate.new(hostname)
     cert.content = Puppet::SSL::CertificateFactory.
       build(cert_type, csr, issuer, next_serial)
-    cert.content.sign(host.key.content, OpenSSL::Digest::SHA256.new)
+
+    signer = Puppet::SSL::CertificateSigner.new
+    signer.sign(cert.content, host.key.content)

     Puppet.notice "Signed certificate request for #{hostname}"

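Review bot: the digest used here is now whatever the CA's own OpenSSL happens to support, not something the operator chooses, so a master with a SHA256-capable OpenSSL still issues sha256WithRSAEncryption certificates that agents on an OpenSSL without SHA256 (the 0.9.7 builds this ticket is about) cannot verify. This hunk fixes the crash on the signing side only; consider exposing the signing digest as a Puppet setting and passing it to `Puppet::SSL::CertificateSigner.new`, so the CA can be pinned to SHA1 for a mixed fleet. Also, `signer` is rebuilt on every signing call; a memoized instance would avoid re-probing `OpenSSL::Digest` each time, though the cost is small.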
diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
index 4e1cc1a..0d90e5a 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -1,4 +1,5 @@
 require 'puppet/ssl/base'
+require 'puppet/ssl/certificate_signer'

 # Manage certificate requests.
 class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
@@ -59,7 +60,8 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
       csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", extReq))
     end

-    csr.sign(key, OpenSSL::Digest::SHA256.new)
+    signer = Puppet::SSL::CertificateSigner.new
+    signer.sign(csr, key)

     raise Puppet::Error, "CSR sign verification failed; you need to clean the certificate request for #{name} on the server" unless csr.verify(key.public_key)

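Review bot: this is the code path the reporter hit, so the spec should cover the fallback: stub `OpenSSL::Digest.const_defined?` to return false for 'SHA256' and true for 'SHA1', then assert the generated CSR's signature algorithm is sha1WithRSAEncryption and that `csr.verify(key.public_key)` on the following line still passes; add a second case where both probes return false and expect `Puppet::Error` from `Puppet::SSL::CertificateSigner.new`.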
diff --git a/lib/puppet/ssl/certificate_signer.rb b/lib/puppet/ssl/certificate_signer.rb
new file mode 100644
index 0000000..ad64fb8
--- /dev/null
+++ b/lib/puppet/ssl/certificate_signer.rb
@@ -0,0 +1,19 @@
+# Take care of signing a certificate.
+#   http://projects.puppetlabs.com/issues/17295
+class Puppet::SSL::CertificateSigner
+  def initialize
+    if OpenSSL::Digest.const_defined?('SHA256')
+      @digest = OpenSSL::Digest::SHA256
+    elsif OpenSSL::Digest.const_defined?('SHA1')
+      @digest = OpenSSL::Digest::SHA1
+    else
+      raise Puppet::Error, "Unable to find support for a FIPS 140-2 compliant"
+        + " message digest algorithm in OpenSSL::Digest"
+    end
+    @digest
+  end
+
+  def sign(content, key)
+    content.sign(key, @digest.new)
+  end
+end
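Review bot: the `raise` in `initialize` is split so that the string concatenation never happens: Ruby ends the statement at the end of the `raise Puppet::Error, "Unable to find support for a FIPS 140-2 compliant"` line, and the following `+ " message digest algorithm in OpenSSL::Digest"` is parsed as a separate, unreachable expression, so the error message is truncated mid-sentence. Move the `+` to the end of the first line or use a single string. Two smaller points: the bare `@digest` as the last line of `initialize` does nothing, since `new` discards the return value of `initialize`; and the SHA1 fallback is silent, so a `Puppet.debug` (or `Puppet.notice`) naming the digest actually selected would let an operator see why certificates from this host are SHA1-signed.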

#4 Updated by Anonymous over 3 years ago

  • Assignee changed from Anonymous to Anonymous
  • Target version set to 3.1.0
  • Branch set to https://github.com/puppetlabs/puppet/pull/1398

#5 Updated by Anonymous over 3 years ago

  • Branch changed from https://github.com/puppetlabs/puppet/pull/1398 to https://github.com/puppetlabs/puppet/pull/1401

I’ve submitted another pull request after rebasing.

#6 Updated by Anonymous over 3 years ago

  • Branch changed from https://github.com/puppetlabs/puppet/pull/1401 to https://github.com/puppetlabs/puppet/pull/1413

#7 Updated by Anonymous over 3 years ago

  • Category set to SSL
  • Status changed from Accepted to Merged - Pending Release
  • Assignee deleted (Anonymous)

Merged into master as 2961d63.

This should be released in 3.1.0.

Thanks again for the contribution!

-Jeff

#8 Updated by Jan Örnstedt almost 3 years ago

Just a heads up. If you set up a new master with a modern openssl you will get a sha256 signature on the ca cert. Then your solaris 10 clients will not be able to accept their newly signed certs. Need to downgrade the master to sha1 digest and reissue all certs….

This code will not solve issues where the agents can’t handle SHA256 digests on the CA Key.
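A pre-flight check for the situation Jan describes, added here as example code (not part of Puppet): it builds a SHA256-signed CA certificate in-process as a stand-in for the master's ca.pem, extracts the digest from its signature algorithm, and compares it against the list of digests an agent's OpenSSL offers. The CA name, the `agent_digests` list (`%w[MD5 SHA1]` standing in for an OpenSSL 0.9.7 build) and the helper names are assumptions for this example; against a real master you would load the certificate with `OpenSSL::X509::Certificate.new(File.read(path))` instead of `make_ca_cert`.

```ruby
require 'openssl'

# Constructed stand-in for the master's ca.pem: a self-signed CA certificate
# signed with `sig_digest` (e.g. OpenSSL::Digest::SHA256).
def make_ca_cert(key, sig_digest)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([['CN', 'Puppet CA: example-master']])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 365 * 24 * 3600
  cert.sign(key, sig_digest.new)
  cert
end

# Digest name from an X.509 signatureAlgorithm string, e.g.
# "sha256WithRSAEncryption" -> "SHA256", "ecdsa-with-SHA256" -> "SHA256".
def digest_of(signature_algorithm)
  m = signature_algorithm.match(/(md5|sha1|sha224|sha256|sha384|sha512)/i)
  raise "unrecognised signature algorithm #{signature_algorithm}" unless m
  m[1].upcase
end

# Can an agent whose OpenSSL offers only `agent_digests` verify this cert?
# An agent cannot check a signature whose digest it cannot compute.
def agent_can_verify?(cert, agent_digests)
  agent_digests.map(&:upcase).include?(digest_of(cert.signature_algorithm))
end

# Summary an operator would want before pointing old agents at a new master.
def check_report(cert, agent_digests)
  digest = digest_of(cert.signature_algorithm)
  {
    signature_algorithm: cert.signature_algorithm,
    digest: digest,
    agent_digests: agent_digests,
    compatible: agent_can_verify?(cert, agent_digests)
  }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  ca = make_ca_cert(key, OpenSSL::Digest::SHA256)
  # Assumed capability list for an OpenSSL 0.9.7 agent (Solaris 10 / HP-UX).
  check_report(ca, %w[MD5 SHA1]).each { |k, v| puts "#{k}: #{v}" }
end
```

When the report says `compatible: false`, the fix on the agent side is a newer OpenSSL; on the master side it is a CA (and issued certificates) signed with a digest the whole fleet can verify, which is what the related feature requests for a configurable digest are about.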

#9 Updated by Anonymous almost 3 years ago

  • Status changed from Merged - Pending Release to Closed

Released in 3.1.0
