[puppet/el6] application patch

jehane jehane at fedoraproject.org
Mon Jan 19 13:22:23 UTC 2015


commit a3f7f317b4a2bb336793d246fb3b640d6da08ce3
Author: jehane <marianne at tuxette.fr>
Date:   Wed Jan 14 14:09:51 2015 +0100

    application patch

 fix_md5_issue.patch |   65 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 65 insertions(+), 0 deletions(-)
---
diff --git a/fix_md5_issue.patch b/fix_md5_issue.patch
new file mode 100644
index 0000000..82ea492
--- /dev/null
+++ b/fix_md5_issue.patch
@@ -0,0 +1,65 @@
+From 89f9e60df50b52d4840fc4879e15ca8c4e1fa499 Mon Sep 17 00:00:00 2001
+From: Stephen Benjamin <stbenjam at redhat.com>
+Date: Wed, 3 Sep 2014 11:48:19 +0200
+Subject: [PATCH] (PUP-3176) Sign CSR with best digest available
+
+---
+ lib/puppet/ssl/certificate_request.rb     | 16 ++++++++++++++--
+ spec/unit/ssl/certificate_request_spec.rb | 13 ++++++++++++-
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
+index 461dc57..9bbc2ef 100644
+--- a/lib/puppet/ssl/certificate_request.rb
++++ b/lib/puppet/ssl/certificate_request.rb
+@@ -68,12 +68,24 @@ def generate(key, options = {})
+       csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", extReq))
+     end
+ 
+-    csr.sign(key, OpenSSL::Digest::MD5.new)
++    if OpenSSL::Digest.const_defined?('SHA256')
++      md = :SHA256
++      digest = OpenSSL::Digest::SHA256
++    elsif OpenSSL::Digest.const_defined?('SHA1')
++      md = :SHA1
++      digest = OpenSSL::Digest::SHA1
++    else
++      Puppet.info "No FIPS 140-2 compliant digest algorithm - falling back to MD5.  This is not safe!"
++      md = :MD5
++      digest = OpenSSL::Digest::MD5
++    end
++
++    csr.sign(key, digest.new)
+ 
+     raise Puppet::Error, "CSR sign verification failed; you need to clean the certificate request for #{name} on the server" unless csr.verify(key.public_key)
+ 
+     @content = csr
+-    Puppet.info "Certificate Request fingerprint (md5): #{fingerprint}"
++    Puppet.info "Certificate Request fingerprint (#{md.to_s}): #{fingerprint(md)}"
+     @content
+   end
+ 
+diff --git a/spec/unit/ssl/certificate_request_spec.rb b/spec/unit/ssl/certificate_request_spec.rb
+index e697d82..6c89464 100755
+--- a/spec/unit/ssl/certificate_request_spec.rb
++++ b/spec/unit/ssl/certificate_request_spec.rb
+@@ -205,7 +205,18 @@
+       end
+     end
+ 
+-    it "should sign the csr with the provided key and a digest" do
++    it "should sign the csr with the provided key and best available digest" do
++      digest = mock 'digest'
++      OpenSSL::Digest.stubs(:const_defined?).with('SHA256').returns(false)
++      OpenSSL::Digest.stubs(:const_defined?).with('SHA1').returns(true)
++      OpenSSL::Digest::SHA1.expects(:new).returns(digest)
++      @request.expects(:sign).with(@key, digest)
++      @instance.generate(@key)
++    end
++
++    it "should sign the csr and fall back to md5" do
++      OpenSSL::Digest.stubs(:const_defined?).with('SHA256').returns(false)
++      OpenSSL::Digest.stubs(:const_defined?).with('SHA1').returns(false)
+       digest = mock 'digest'
+       OpenSSL::Digest::MD5.expects(:new).returns(digest)
+       @request.expects(:sign).with(@key, digest)
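Review bot: The MD5 fallback branch in `generate` reports a digest its own message calls unsafe at `Puppet.info`, the same level as the routine fingerprint line, so it is easy to overlook; `Puppet.warning "No FIPS 140-2 compliant digest algorithm - falling back to MD5.  This is not safe!"` would make the downgrade visible. The SHA1 branch is taken with no message at all, and since SHA-1 is also a weak choice for signatures, a log line there would help operators find hosts that cannot do SHA256. `const_defined?` only shows that the Ruby constant exists, so it presumably cannot tell whether the underlying OpenSSL build will accept that digest at sign time; a comment above the `if` stating this limit would help. Both new spec examples stub `const_defined?` with `'SHA256'` to return false, so the preferred path is not pinned by the visible lines; an example expecting `OpenSSL::Digest::SHA256.expects(:new).returns(digest)` would cover it. `generate` begins outside the embedded hunk, and the diffstat shows only the patch file being added, so whether the package spec actually applies it cannot be confirmed from this commit.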

