From 3768ba2c6c35a4bc1c3fe57f6a5bcd6ccca44d79 Mon Sep 17 00:00:00 2001 From: Steven Pritchard Date: Tue, 7 Apr 2026 17:03:46 +0000 Subject: [PATCH] remove SHA1 fallback from CertificateSigner SHA1 is no longer considered safe for use in X.509 signing and has been removed from modern OpenSSL builds. Drop it from the digest fallback chain in CertificateSigner so it is never selected, and update the corresponding spec to reflect the new SHA256 -> SHA512 -> SHA384 -> SHA224 precedence order. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Steven Pritchard --- lib/puppet/ssl/certificate_signer.rb | 2 -- spec/unit/ssl/certificate_request_spec.rb | 35 +++-------------------- 2 files changed, 4 insertions(+), 33 deletions(-) diff --git a/lib/puppet/ssl/certificate_signer.rb b/lib/puppet/ssl/certificate_signer.rb index 319dc2132f..70005a086e 100644 --- a/lib/puppet/ssl/certificate_signer.rb +++ b/lib/puppet/ssl/certificate_signer.rb @@ -13,8 +13,6 @@ class Puppet::SSL::CertificateSigner def initialize if OpenSSL::Digest.const_defined?('SHA256') @digest = OpenSSL::Digest::SHA256 - elsif OpenSSL::Digest.const_defined?('SHA1') - @digest = OpenSSL::Digest::SHA1 elsif OpenSSL::Digest.const_defined?('SHA512') @digest = OpenSSL::Digest::SHA512 elsif OpenSSL::Digest.const_defined?('SHA384') diff --git a/spec/unit/ssl/certificate_request_spec.rb b/spec/unit/ssl/certificate_request_spec.rb index cac92b8d76..1ecf6dc517 100644 --- a/spec/unit/ssl/certificate_request_spec.rb +++ b/spec/unit/ssl/certificate_request_spec.rb @@ -69,17 +69,6 @@ end end - def sha1_signing_supported? - test_key = OpenSSL::PKey::RSA.new(512) - csr = OpenSSL::X509::Request.new - csr.public_key = test_key.public_key - csr.version = 0 - csr.sign(test_key, OpenSSL::Digest::SHA1.new) - true - rescue - false - end - describe "when generating", :unless => RUBY_PLATFORM == 'java' do it "should verify the CSR using the public key associated with the private key" do request.generate(key) @@ -322,38 +311,24 @@ def sha1_signing_supported? expect(generated).to be(request.content) end - it "should use SHA1 to sign the csr when SHA256 isn't available" do - skip "SHA1 signing not supported by this OpenSSL build" unless sha1_signing_supported? - csr = OpenSSL::X509::Request.new - csr.public_key = key.public_key - csr.version = 0 - expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false) - expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(true) - signer = Puppet::SSL::CertificateSigner.new - signer.sign(csr, key) - expect(csr.verify(key)).to be_truthy - end - - it "should use SHA512 to sign the csr when SHA256 and SHA1 aren't available" do + it "should use SHA512 to sign the csr when SHA256 isn't available" do key = OpenSSL::PKey::RSA.new(2048) csr = OpenSSL::X509::Request.new csr.public_key = key.public_key csr.version = 0 expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false) - expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(true) signer = Puppet::SSL::CertificateSigner.new signer.sign(csr, key) expect(csr.verify(key)).to be_truthy end - it "should use SHA384 to sign the csr when SHA256/SHA1/SHA512 aren't available" do + it "should use SHA384 to sign the csr when SHA256/SHA512 aren't available" do key = OpenSSL::PKey::RSA.new(2048) csr = OpenSSL::X509::Request.new csr.public_key = key.public_key csr.version = 0 expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false) - expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(true) signer = Puppet::SSL::CertificateSigner.new @@ -361,12 +336,11 @@ def sha1_signing_supported? expect(csr.verify(key)).to be_truthy end - it "should use SHA224 to sign the csr when SHA256/SHA1/SHA512/SHA384 aren't available" do + it "should use SHA224 to sign the csr when SHA256/SHA512/SHA384 aren't available" do csr = OpenSSL::X509::Request.new csr.public_key = key.public_key csr.version = 0 expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false) - expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA224").and_return(true) @@ -375,9 +349,8 @@ def sha1_signing_supported? expect(csr.verify(key)).to be_truthy end - it "should raise an error if neither SHA256/SHA1/SHA512/SHA384/SHA224 are available" do + it "should raise an error if neither SHA256/SHA512/SHA384/SHA224 are available" do expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA256").and_return(false) - expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA1").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA512").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA384").and_return(false) expect(OpenSSL::Digest).to receive(:const_defined?).with("SHA224").and_return(false)