Add check for sha1 CA certificate #1004
Conversation
ehelms
force-pushed
the
test-sha1
branch
2 times, most recently
from
85380ae to
6e35c1e
Compare
bin/katello-certs-check
Outdated
| printf "Checking CA signing algorithm for sha1: " | ||
| CHECK=$(openssl x509 -noout -text -in $CA_BUNDLE_FILE | grep 'Signature Algorithm: sha1WithRSAEncryption') | ||
| if [[ $? == "0" ]]; then | ||
| error 4 "The server CA certificate has been signed with sha1 and will break installation." |
There was a problem hiding this comment.
As with the maintain PR, I think the text should hint the user more to obtain a CA (!) that doesn't use SHA1
There was a problem hiding this comment.
"Please acquire a CA and server certificates signed with sha256 or greater." ?
There was a problem hiding this comment.
Don't forget to mention any intermediates. The whole chain needs to be free of SHA1.
There was a problem hiding this comment.
I just saw http://sven.stormbind.net/blog/posts/pkix_look_into_cert_chains/ as a nice way to inspect a full chain
There was a problem hiding this comment.
Please also test this where the chain is one certificate signed by SHA256 and one by SHA1. In reality I think the intermediate is more likely to be SHA256 with a SHA1 root. I think your current code only verifies the first certificate (intermediate) and it will miss the root, which the JIRA issue told us was the actual cause.
I'll take a look at this method - this isn't the first issue we've had with not checking the full chain as it's not been an easy thing to do. |
Signed-off-by: Eric D. Helms <[email protected]>
|
Updated with a bundle and checks on the bundle. |
No description provided.