Issue #13435 has been updated by Michael Smith.

Thanks, it's really nice to see the switch from MD5/SHA1 to SHA256.

By the way, I was concerned with the CSR signature. The CSR signature is used 
for proof-of-possession of the private key. The fingerprint/digest is just a 
hash of the whole CSR including signature.

I couldn't find the place where the server verifies the CSR signature. I think 
that's because it doesn't check. I can open a separate bug for that; it's not 
really critical when the cert is just used for Puppet authentication, but it 
becomes important if people are using the certs for other purposes.
----------------------------------------
Feature #13435: CSRs should be signed with SHA1, not MD5
https://projects.puppetlabs.com/issues/13435#change-59052

Author: Michael Smith
Status: In Topic Branch Pending Review
Priority: Normal
Assignee: Jeff Weiss
Category: SSL
Target version: 
Affected Puppet version: 2.6.12
Keywords: 
Branch: https://github.com/puppetlabs/puppet/pull/616


The code in certificate_authority.rb uses SHA1 to issue certs, but the CSR 
generation code in certificate_request.rb signs the CSR using "csr.sign(key, 
OpenSSL::Digest::MD5.new)".

I might be naive, but I figure this could be changed to SHA1 and get Puppet one 
step closer to working in FIPS mode (#8120).

I couldn't find the spot in the CA code where the CSR signature is actually 
verified. I suppose the CA should probably check the CSR is signed using a 
recommended algorithm, but FIPS mode would take care of disabling other 
algorithms anyway so I'm not particularly worried.


-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
http://projects.puppetlabs.com/my/account

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-bugs?hl=en.

Reply via email to