[puppet/el6] application patch
jehane
jehane at fedoraproject.org
Mon Jan 19 13:22:23 UTC 2015
commit a3f7f317b4a2bb336793d246fb3b640d6da08ce3
Author: jehane <marianne at tuxette.fr>
Date: Wed Jan 14 14:09:51 2015 +0100
application patch
fix_md5_issue.patch | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 65 insertions(+), 0 deletions(-)
---
diff --git a/fix_md5_issue.patch b/fix_md5_issue.patch
new file mode 100644
index 0000000..82ea492
--- /dev/null
+++ b/fix_md5_issue.patch
@@ -0,0 +1,65 @@
+From 89f9e60df50b52d4840fc4879e15ca8c4e1fa499 Mon Sep 17 00:00:00 2001
+From: Stephen Benjamin <stbenjam at redhat.com>
+Date: Wed, 3 Sep 2014 11:48:19 +0200
+Subject: [PATCH] (PUP-3176) Sign CSR with best digest available
+
+---
+ lib/puppet/ssl/certificate_request.rb | 16 ++++++++++++++--
+ spec/unit/ssl/certificate_request_spec.rb | 13 ++++++++++++-
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/lib/puppet/ssl/certificate_request.rb b/lib/puppet/ssl/certificate_request.rb
+index 461dc57..9bbc2ef 100644
+--- a/lib/puppet/ssl/certificate_request.rb
++++ b/lib/puppet/ssl/certificate_request.rb
+@@ -68,12 +68,24 @@ def generate(key, options = {})
+ csr.add_attribute(OpenSSL::X509::Attribute.new("extReq", extReq))
+ end
+
+- csr.sign(key, OpenSSL::Digest::MD5.new)
++ if OpenSSL::Digest.const_defined?('SHA256')
++ md = :SHA256
++ digest = OpenSSL::Digest::SHA256
++ elsif OpenSSL::Digest.const_defined?('SHA1')
++ md = :SHA1
++ digest = OpenSSL::Digest::SHA1
++ else
++ Puppet.info "No FIPS 140-2 compliant digest algorithm - falling back to MD5. This is not safe!"
++ md = :MD5
++ digest = OpenSSL::Digest::MD5
++ end
++
++ csr.sign(key, digest.new)
+
+ raise Puppet::Error, "CSR sign verification failed; you need to clean the certificate request for #{name} on the server" unless csr.verify(key.public_key)
+
+ @content = csr
+- Puppet.info "Certificate Request fingerprint (md5): #{fingerprint}"
++ Puppet.info "Certificate Request fingerprint (#{md.to_s}): #{fingerprint(md)}"
+ @content
+ end
+
+diff --git a/spec/unit/ssl/certificate_request_spec.rb b/spec/unit/ssl/certificate_request_spec.rb
+index e697d82..6c89464 100755
+--- a/spec/unit/ssl/certificate_request_spec.rb
++++ b/spec/unit/ssl/certificate_request_spec.rb
+@@ -205,7 +205,18 @@
+ end
+ end
+
+- it "should sign the csr with the provided key and a digest" do
++ it "should sign the csr with the provided key and best available digest" do
++ digest = mock 'digest'
++ OpenSSL::Digest.stubs(:const_defined?).with('SHA256').returns(false)
++ OpenSSL::Digest.stubs(:const_defined?).with('SHA1').returns(true)
++ OpenSSL::Digest::SHA1.expects(:new).returns(digest)
++ @request.expects(:sign).with(@key, digest)
++ @instance.generate(@key)
++ end
++
++ it "should sign the csr and fall back to md5" do
++ OpenSSL::Digest.stubs(:const_defined?).with('SHA256').returns(false)
++ OpenSSL::Digest.stubs(:const_defined?).with('SHA1').returns(false)
+ digest = mock 'digest'
+ OpenSSL::Digest::MD5.expects(:new).returns(digest)
+ @request.expects(:sign).with(@key, digest)
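Review bot: The MD5 fallback in the `else` branch of `generate` is reported with `Puppet.info`, so an agent that signs its CSR with a broken digest announces it only at a log level that many deployments do not surface. Raising it to `Puppet.warning "No FIPS 140-2 compliant digest algorithm - falling back to MD5. This is not safe!"` would make the downgrade visible. The SHA1 branch is taken silently, although SHA-1 is also a weakened choice for signatures; a notice there, such as `Puppet.warning "SHA256 digest unavailable - signing CSR with SHA1"`, would let operators find hosts that are not using SHA256. In the fingerprint message `#{md.to_s}` can be written `#{md}`, since interpolation already calls `to_s`. `generate` begins before the embedded hunk, and the last spec example is cut off where the added file ends, so neither is fully visible here.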