Jira (PUP-11849) CRL authorityKeyIdentifier is not printed in puppet8


Josh Cooper (Jira)

May 10, 2023, 2:48:02 PM
to puppe...@googlegroups.com
Josh Cooper created an issue
 
Puppet / Bug PUP-11849
CRL authorityKeyIdentifier is not printed in puppet8
Issue Type: Bug
Affects Versions: PUP 8.0.0
Assignee: Unassigned
Created: 2023/05/10 11:47 AM
Priority: Normal
Reporter: Josh Cooper

In puppet 7, the agent prints the authorityKeyIdentifier for each CRL like:

Debug: Using CRL 'CN=Puppet CA: <fqdn>' authorityKeyIdentifier 'keyid:2E:53:A9:06:E8:90:B1:DA:46:CD:25:47:3A:0B:F5:92:00:BE:D3:A5' crlNumber '0'

In puppet 8 with openssl 3, it's missing:

Debug: Using CRL 'CN=Puppet CA: <fqdn>' authorityKeyIdentifier '' crlNumber '0'

Something is not right with the way the ruby bindings retrieve the CRL extensions in https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/lib/puppet/ssl/ssl_provider.rb#L225-L230

This message was sent by Atlassian Jira (v8.20.11#820011-sha1:0629dd8)

Josh Cooper (Jira)

May 10, 2023, 3:09:03 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-11849
 
Re: CRL authorityKeyIdentifier is not printed in puppet8

The bug occurs because Ruby 3.2.2 with OpenSSL 1.1.1 returns an extension with a trailing newline:

(byebug) RUBY_VERSION
"3.2.2"
(byebug) OpenSSL::OPENSSL_VERSION
"OpenSSL 1.1.1f  31 Mar 2020"
(byebug) crl.extensions[1].oid
"authorityKeyIdentifier"
(byebug) crl.extensions[1].value
"keyid:2E:53:A9:06:E8:90:B1:DA:46:CD:25:47:3A:0B:F5:92:00:BE:D3:A5\n"

We then call String#chomp!. However, String#chomp! has the annoying behavior of returning nil if nothing was modified. And Ruby 3.2.2 with OpenSSL 3 doesn't include the newline, thereby triggering the bug:

(byebug) RUBY_VERSION
"3.2.2"
(byebug) OpenSSL::OPENSSL_VERSION
"OpenSSL 3.0.8 7 Feb 2023"
(byebug) crl.extensions[1].oid
"authorityKeyIdentifier"
(byebug) crl.extensions[1].value
"2E:53:A9:06:E8:90:B1:DA:46:CD:25:47:3A:0B:F5:92:00:BE:D3:A5"

It's also not clear why the "keyid:" prefix is missing.
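
Added example (not part of the original thread and not Puppet's own code): the script below builds a throwaway CA and CRL, then reads the authorityKeyIdentifier with `chomp!` and with the non-destructive `chomp`, so the nil return can be observed against whichever OpenSSL the Ruby bindings are linked to. The CA name and the helpers `build_sample_crl`, `raw_aki`, `aki_with_chomp_bang` and `aki_with_chomp` are assumptions made for the illustration.

```ruby
require 'openssl'

# Build a throwaway CA and a CRL carrying authorityKeyIdentifier (constructed sample data).
def build_sample_crl
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=Example CA')
  now  = Time.now
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = ca.issuer = name
  ca.public_key = key
  ca.not_before = now
  ca.not_after = now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = ca
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  ca.sign(key, OpenSSL::Digest.new('SHA256'))

  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # v2 CRL, required for extensions
  crl.issuer = name
  crl.last_update = now
  crl.next_update = now + 3600
  ef.crl = crl
  crl.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Raw extension value as returned by the bindings, or nil if the CRL has none.
def raw_aki(crl)
  ext = crl.extensions.find { |e| e.oid == 'authorityKeyIdentifier' }
  ext && ext.value
end

# chomp! returns nil when there was no trailing newline to strip.
def aki_with_chomp_bang(crl)
  (raw_aki(crl) || 'unknown').chomp!
end

# Non-destructive chomp always returns a String, with or without a newline.
def aki_with_chomp(crl)
  (raw_aki(crl) || 'unknown').chomp
end
```

Interpolating the `chomp!` result into a log message yields an empty string whenever the raw value has no trailing newline, which matches the empty authorityKeyIdentifier in the Puppet 8 debug line.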

Justin Stoller (Jira)

May 16, 2023, 12:44:03 PM
to puppe...@googlegroups.com

FWIW, we don't hit this issue when printing info with the puppetserver-ca-cli.

Michael Hashizume (Jira)

May 16, 2023, 4:10:02 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Jun 6, 2023, 5:52:02 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Story Points: 1

Josh Cooper (Jira)

Jun 7, 2023, 12:14:01 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Phoenix 2023-06-21

Josh Cooper (Jira)

Jun 7, 2023, 1:41:01 PM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Jun 14, 2023, 11:53:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 8.2.0

Josh Cooper (Jira)

Jun 15, 2023, 1:17:34 AM
to puppe...@googlegroups.com

Josh Cooper (Jira)

Jun 15, 2023, 12:42:03 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Phoenix 2023-07-05