Use native OpenSSL methods to automatically determine the PKey #189
Conversation
ekohl
force-pushed
the
use-better-openssl-methods
branch
from
54fc649
to
3f01ccb
Compare
| options[:dsa_paramgen_bits] = resource[:size] if resource[:size] | ||
| when :rsa | ||
| OpenSSL::PKey::RSA.new(resource[:size]) | ||
| options[:rsa_keygen_bits] = resource[:size] if resource[:size] | ||
| when :ec | ||
| OpenSSL::PKey::EC.new(resource[:curve]).generate_key | ||
| else | ||
| raise Puppet::Error, | ||
| "Unknown authentication type '#{resource[:authentication]}'" | ||
| options[:ec_paramgen_curve] = resource[:curve] if resource[:curve] |
There was a problem hiding this comment.
These options were found via man openssl genpkey.
| @@ -7,7 +7,7 @@ | |||
| require 'openssl' | |||
| describe 'The POSIX provider for type cert_file' do | |||
| before do | |||
| test_keys = OpenSSL::PKey::RSA.new(2049) | |||
There was a problem hiding this comment.
2049 bits was very specific. I wonder if that was intentional.
There was a problem hiding this comment.
Probably a typo.
Note: using short keys in unit tests when a lot of keys have to be generated can speed up the tests significantly. Is it worth here?
|
So |
There was a problem hiding this comment.
So
generate_keyis too new. I'll need to rethink this a bit for older OpenSSL versions.
IIRC this new API had no equivalent before, and for older Ruby we must use OpenSSL::PKey::Foo.new.
Maybe we can keep the code as it is today for generate key, but already move to agnostic key type loading?
| @@ -7,7 +7,7 @@ | |||
| require 'openssl' | |||
| describe 'The POSIX provider for type cert_file' do | |||
| before do | |||
| test_keys = OpenSSL::PKey::RSA.new(2049) | |||
There was a problem hiding this comment.
Probably a typo.
Note: using short keys in unit tests when a lot of keys have to be generated can speed up the tests significantly. Is it worth here?
ekohl
force-pushed
the
use-better-openssl-methods
branch
from
3f01ccb
to
37e2ce8
Compare
| case resource[:authentication] | ||
| when :dsa | ||
| OpenSSL::PKey::DSA.new(resource[:size]) | ||
| options[:dsa_paramgen_bits] = resource[:size] if resource[:size] |
There was a problem hiding this comment.
Isn't it time to drop DSA? We need to do a major release anyway and there's a reason why modern distributions don't support it anymore or block it.
|
New attempt in #223. That now passes on Fedora 40. |
|
Replaced by #167. |
This came up in #187 (comment) but it's probably also needed for #167.
One thing to note is that we may have more problems in the future. For example, on my Fedora I don't appear to be allowed to generate any DSA key in the default SSL policy. I imagine future enterprise distros will follow this exampe.