-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Certs are always signed with SHA1 (regardless of config.yaml settings) unless explicitly overridden with request params #115
Comments
Hm. As far as the commandline r509 tool goes, this appears to be a problem only with the interactive generation; if I skip interactive and supply all values as arguments it works:
With that revelation, I used @rjes's ever-so-helpful curl/python one-liner from r509-ca-http issue#38 to poke at this a bit, and found that regardless of the |
Interesting. When issuing a cert it should be calling the options builder and then passing the resulting hash to |
As I read that (but bear in mind I'm no Ruby expert) the line you cite shouldn't be reached unless the profile doesn't restrict allowed_mds. All of my profiles do, and at the moment none of them contain SHA1, so I should be raising an exception at https://github.com/r509/r509/blob/master/lib/r509/certificate_authority/options_builder.rb#L72 -- but I don't. In fact, running the r509 CLI in interactive mode I can request a bogus MD (see below) and it still completes (and writes SHA1) which makes me think that the test for
|
Ah, hang on -- the CLI tool ( This doesn't explain why |
Hmm, well if you have an environment that can reproduce this I'd suggest putting some debug statements in where the md enforcement is supposed to occur so we can see what's going on. |
I setup 2 CAs (an offline root CA and a networked intermediate signing CA) mostly by following the tutorial at langui.sh (using "gem install" to grab the r509 gems, rather than building afresh from a git clone.)
On both, config.yaml contains the following stanzas for all profiles:
default_md: SHA256
allowed_mds:
- SHA256
- SHA512
- SHA1
and yet the resultant certs are SHA1 when I run r509 at the command line to gen the root cert and/or hit the test interface on the intermediate to sign a CSR:
Do I need to build from scratch and incorporate pcabido's PR #114 to get SHA256 at all, or is there something I'm missing somewhere?
The text was updated successfully, but these errors were encountered: