Jira (PUP-11082) Use PKey.read when loading private keys

Justin Stoller (Jira)

Jun 3, 2021, 12:27:01 PM
to puppe...@googlegroups.com
Justin Stoller created an issue
 
Puppet / Task PUP-11082
Use PKey.read when loading private keys
Issue Type: Task
Assignee: Unassigned
Created: 2021/06/03 9:26 AM
Priority: Normal
Reporter: Justin Stoller

There's a litany of reasons that we couldn't use PKey.read in https://github.com/puppetlabs/puppet/blob/1a13e0cf96c70b303492e684f9ccf4c38207b3dd/lib/puppet/x509/cert_provider.rb#L218-L222.

However, we no longer use this code in termini that will be loaded in JRuby (and so don't use this code at all in JRuby) nor do we support older versions of Ruby in Puppet 7.x. Our manual determination of which implementation class to construct is somewhat naive and PKey.read will do a better job.

Consequently, we should use PKey.read in the above code.

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

Justin Stoller (Jira)

Jun 3, 2021, 12:28:02 PM
to puppe...@googlegroups.com
Justin Stoller updated an issue
Change By: Justin Stoller
Fix Version/s: PUP 7.y

Molly Waggett (Jira)

Jun 4, 2021, 12:05:02 AM
to puppe...@googlegroups.com
Molly Waggett commented on Task PUP-11082
 
Re: Use PKey.read when loading private keys

To make sure I'm understanding right, this ticket literally just covers replacing that conditional you linked with OpenSSL::PKey.read(pem, password)? Does this need tests or do we think whatever tests already exist are sufficient? Sorta guessing the latter, but want to make sure.

Josh Cooper (Jira)

Jun 4, 2021, 12:20:02 PM
to puppe...@googlegroups.com
Josh Cooper commented on Task PUP-11082

Yep just need to use PKey.read. The existing tests should be sufficient, as there are fixtures for RSA and EC keys and those tests run in MRI 2.5+ and JRuby.

Molly Waggett (Jira)

Jun 4, 2021, 2:13:04 PM
to puppe...@googlegroups.com

Molly Waggett (Jira)

Jun 4, 2021, 2:15:02 PM
to puppe...@googlegroups.com
Molly Waggett updated an issue
**Note: This should only be updated for puppet7 (main branch).**

Molly Waggett (Jira)

Jun 4, 2021, 2:15:04 PM
to puppe...@googlegroups.com
Molly Waggett updated an issue
**Note: This should only be updated for puppet7 (main branch).**

Molly Waggett (Jira)

Jun 11, 2021, 5:44:01 PM
to puppe...@googlegroups.com
Molly Waggett updated an issue
Change By: Molly Waggett
Sprint: Froyo - 6/30/2021

Maggie Dreyer (Jira)

Jun 15, 2021, 6:10:02 PM
to puppe...@googlegroups.com
Maggie Dreyer assigned an issue to Maggie Dreyer
Change By: Maggie Dreyer
Assignee: Maggie Dreyer

Maggie Dreyer (Jira)

Jun 15, 2021, 7:14:02 PM
to puppe...@googlegroups.com
Maggie Dreyer commented on Task PUP-11082
 
Re: Use PKey.read when loading private keys

I ended up adding a test with the other format (openssl/PKCS#8) that uses the header without the "EC" in it, that didn't work before.
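
The difference discussed in this thread, as an added example that is not part of the ticket or of Puppet's code: `load_by_header` is a hypothetical stand-in for a loader that picks the key class from the PEM header, and the sample key and its PKCS#8 wrapping are constructed here. It shows the same EC key loading in the traditional encoding but failing in PKCS#8 (header without "EC"), while `OpenSSL::PKey.read` handles both.

```ruby
require 'openssl'

# Hypothetical header-based loader (an assumption, not Puppet's actual code).
def load_by_header(pem, password = nil)
  if pem.include?('-----BEGIN EC PRIVATE KEY-----')
    OpenSSL::PKey::EC.new(pem, password)
  else
    OpenSSL::PKey::RSA.new(pem, password) # anything else is assumed to be RSA
  end
end

# Loader that lets OpenSSL detect key type and encoding itself.
def load_with_read(pem, password = nil)
  OpenSSL::PKey.read(pem, password)
end

# Wrap a traditional ECPrivateKey in a PKCS#8 PrivateKeyInfo and PEM-encode it.
def ec_to_pkcs8_pem(ec_key)
  info = OpenSSL::ASN1::Sequence([
    OpenSSL::ASN1::Integer(0),                              # version
    OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::ObjectId('1.2.840.10045.2.1'),         # id-ecPublicKey
      OpenSSL::ASN1::ObjectId('1.2.840.10045.3.1.7')        # prime256v1
    ]),
    OpenSSL::ASN1::OctetString(ec_key.to_der)               # ECPrivateKey
  ])
  "-----BEGIN PRIVATE KEY-----\n#{[info.to_der].pack('m')}-----END PRIVATE KEY-----\n"
end

# Class of the key the given loader returns, or :unreadable if it raises.
def loaded_class(pem)
  yield(pem).class
rescue OpenSSL::PKey::PKeyError
  :unreadable
end

# Constructed sample key, generated at run time; never used for anything real.
SAMPLE_KEY      = OpenSSL::PKey::EC.generate('prime256v1')
TRADITIONAL_PEM = SAMPLE_KEY.to_pem                # "BEGIN EC PRIVATE KEY"
PKCS8_PEM       = ec_to_pkcs8_pem(SAMPLE_KEY)      # "BEGIN PRIVATE KEY"

{ 'traditional' => TRADITIONAL_PEM, 'pkcs8' => PKCS8_PEM }.each do |name, pem|
  by_header = loaded_class(pem) { |p| load_by_header(p) }
  by_read   = loaded_class(pem) { |p| load_with_read(p) }
  puts "#{name}: header-based=#{by_header} PKey.read=#{by_read}"
end
```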

Maggie Dreyer (Jira)

Jun 15, 2021, 7:14:02 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
 
Change By: Maggie Dreyer
Sprint: Froyo - 6/16/2021 (was Froyo - 6/30/2021)

Molly Waggett (Jira)

Jun 16, 2021, 5:38:01 PM
to puppe...@googlegroups.com
Molly Waggett updated an issue
Change By: Molly Waggett
Sprint: Froyo - 6/16/2021, Froyo - 6/30/2021

Maggie Dreyer (Jira)

Jun 17, 2021, 6:36:01 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Fix Version/s: PUP 7.y
Fix Version/s: PUP 7.9.0
Fix Version/s: PUP 6.24.0

Maggie Dreyer (Jira)

Jun 24, 2021, 12:47:03 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Release Notes: Bug Fix

Maggie Dreyer (Jira)

Jun 24, 2021, 12:48:02 PM
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Release Notes Summary: Puppet Agent can now load private keys in PKCS#8 format.

Josh Cooper (Jira)

Jun 28, 2021, 12:20:03 PM
to puppe...@googlegroups.com

Claire Cadman (Jira)

Jul 13, 2021, 7:49:04 AM
to puppe...@googlegroups.com
Claire Cadman updated an issue
 
Change By: Claire Cadman
Labels: doc-reviewed