Puppet Server / SERVER-119

Not signing trusted facts properly according to RFC


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 2.0.0
    • Component/s: None
    • Labels: None
    • Story Points: 5
    • Sprint: Server 2015-02-04, Server Emerald 2015-03-04, Server Emerald 2015-03-18, Server 2015-02-18, Server Emerald 2015-04-01, Server Emerald 2015-04-15, Server Emerald 2015-04-29

      Description

      Currently, the CA service signs all trusted facts as binary data wrapped in a DER Octet String, which is the same way the Ruby Puppet Master does it. According to RFC 5280, the values of all X.509 extensions must be a valid DER encoded structure contained within a DER Octet String, so the current method is technically incorrect.

      The Bouncy Castle library assumes adherence to this standard, so trying to exactly mimic the way MRI Puppet signs trusted facts has proven to be very unwieldy and brittle.

      Other extensions which contain a simple string as a value will use an IA5String type and then wrap it inside a DER Octet String, and we should probably start doing this before trusted facts become a widespread feature.

      I've attached a link to the section of RFC 5280 which explains this.
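      The two encodings the description contrasts, shown concretely as an added illustration (this is not Puppet Server or Bouncy Castle code, and the trusted-fact value "web-tier" is a constructed sample). The first function produces the shape the ticket calls incorrect: the raw string bytes dropped straight into the extension's OCTET STRING. The second produces the RFC 5280 shape: the string encoded as a DER IA5String, and that DER element wrapped in the OCTET STRING. A small strict checker then shows why a standards-following parser rejects the first form: the OCTET STRING content must itself be exactly one well-formed DER element, and arbitrary text bytes almost never are.

```python
"""Added example (not project code): X.509 extension values must be
DER-inside-an-OCTET-STRING, per RFC 5280. Stdlib only; the DER helpers
below are a minimal, deliberately strict subset."""

TAG_OCTET_STRING = 0x04
TAG_IA5STRING = 0x16


def der_length(n: int) -> bytes:
    """DER length: short form below 128, otherwise minimal long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One primitive DER element: tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_extension_value_raw(value: str) -> bytes:
    """The shape the ticket describes as incorrect: plain bytes in the OCTET STRING."""
    return der_tlv(TAG_OCTET_STRING, value.encode("ascii"))


def encode_extension_value_ia5(value: str) -> bytes:
    """RFC 5280 shape: OCTET STRING { IA5String value }. IA5 is 7-bit ASCII,
    so non-ASCII input raises UnicodeEncodeError here instead of being mis-encoded."""
    return der_tlv(TAG_OCTET_STRING, der_tlv(TAG_IA5STRING, value.encode("ascii")))


def parse_tlv(buf: bytes, offset: int = 0):
    """Parse one DER element at offset -> (tag, content, end_offset).
    Raises ValueError on indefinite or non-minimal lengths and on truncation."""
    if offset >= len(buf):
        raise ValueError("no tag byte")
    tag = buf[offset]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags not supported by this toy parser")
    pos = offset + 1
    if pos >= len(buf):
        raise ValueError("no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        nbytes = first & 0x7F
        if pos + nbytes > len(buf):
            raise ValueError("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding is not DER")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("content truncated")
    return tag, buf[pos:pos + length], pos + length


def extension_value_is_rfc5280_shaped(ext_value: bytes) -> bool:
    """True only if ext_value is one OCTET STRING whose content is exactly one
    complete DER element, which is what a strict parser expects to find."""
    try:
        tag, inner, end = parse_tlv(ext_value)
        if tag != TAG_OCTET_STRING or end != len(ext_value):
            return False
        _, _, inner_end = parse_tlv(inner)
        return inner_end == len(inner)
    except ValueError:
        return False


def decode_ia5_extension(ext_value: bytes) -> str:
    """Unwrap OCTET STRING { IA5String } back to text, rejecting other shapes."""
    tag, inner, _ = parse_tlv(ext_value)
    if tag != TAG_OCTET_STRING:
        raise ValueError("outer element is not an OCTET STRING")
    itag, content, _ = parse_tlv(inner)
    if itag != TAG_IA5STRING:
        raise ValueError("inner element is not an IA5String")
    return content.decode("ascii")


if __name__ == "__main__":
    fact = "web-tier"  # constructed sample trusted-fact value
    raw, good = encode_extension_value_raw(fact), encode_extension_value_ia5(fact)
    print("raw:", raw.hex(), "rfc5280-shaped:", extension_value_is_rfc5280_shaped(raw))
    print("ia5:", good.hex(), "rfc5280-shaped:", extension_value_is_rfc5280_shaped(good))
    print("round-trip:", decode_ia5_extension(good))
```

      For "web-tier" the raw form is `04 08 77 65 62 2d 74 69 65 72`; a strict reader treats `77` as a tag and `65` (101) as a length, finds only six bytes left, and fails. The IA5String form is `04 0a 16 08 77 65 62 2d 74 69 65 72`, which parses cleanly and round-trips. The same checker can be pointed at an extension value pulled from a real CSR or certificate to confirm which shape a CA emitted.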


      Risk assessment: Medium (manual acceptance test needed)
      Probability: Medium (impacts users using trusted facts)
      Severity: High (security risk)

      People

      • Assignee: Erik Dasher (erik)
      • Reporter: Justin May (justin.may)
      • QA Contact: Erik Dasher
      • Votes: 0
      • Watchers: 4
