Skip to content

Commit

Permalink
Drop DSA key support
Browse files Browse the repository at this point in the history
DSA is considered insecure by now. FIPS 186-5 forbids signing with DSA
and on modern distributions have started to drop support for it.
  • Loading branch information
ekohl committed Jul 18, 2024
1 parent c06b14a commit 5eed966
Show file tree
Hide file tree
Showing 5 changed files with 7 additions and 41 deletions.
6 changes: 3 additions & 3 deletions REFERENCE.md
Original file line number Diff line number Diff line change
Expand Up @@ -1265,9 +1265,9 @@ The following parameters are available in the `ssl_pkey` type.

##### <a name="-ssl_pkey--authentication"></a>`authentication`

Valid values: `rsa`, `dsa`, `ec`
Valid values: `rsa`, `ec`

The authentication algorithm: 'rsa', 'dsa or ec'
The authentication algorithm

Default value: `rsa`

Expand All @@ -1294,7 +1294,7 @@ discover the appropriate provider for your platform.

Valid values: `%r{\d+}`

The key size
The key size for RSA keys

Default value: `2048`

Expand Down
2 changes: 0 additions & 2 deletions lib/puppet/provider/ssl_pkey/openssl.rb
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,6 @@ def self.dirname(resource)

def self.generate_key(resource)
case resource[:authentication]
when :dsa
OpenSSL::PKey::DSA.new(resource[:size])
when :rsa
OpenSSL::PKey::RSA.new(resource[:size])
when :ec
Expand Down
6 changes: 3 additions & 3 deletions lib/puppet/type/ssl_pkey.rb
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,15 @@
end

newparam(:authentication) do
desc "The authentication algorithm: 'rsa', 'dsa or ec'"
newvalues :rsa, :dsa, :ec
desc "The authentication algorithm"

Check failure on line 18 in lib/puppet/type/ssl_pkey.rb

View workflow job for this annotation

GitHub Actions / Puppet / Static validations

Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols. (https://rubystyle.guide#consistent-string-literals)
newvalues :rsa, :ec
defaultto :rsa

munge(&:to_sym)
end

newparam(:size) do
desc 'The key size'
desc 'The key size for RSA keys'
newvalues %r{\d+}
defaultto 2048

Expand Down
32 changes: 1 addition & 31 deletions spec/unit/puppet/provider/ssl_pkey/openssl_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
end

context 'when setting authentication to rsa' do
it 'creates a dsa key' do
it 'creates an rsa key' do
resource[:authentication] = :rsa
allow(OpenSSL::PKey::RSA).to receive(:new).with(2048).and_return(key)
expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
Expand Down Expand Up @@ -79,36 +79,6 @@
end
end

context 'when setting authentication to dsa' do
it 'creates a dsa key' do
resource[:authentication] = :dsa
allow(OpenSSL::PKey::DSA).to receive(:new).with(2048).and_return(key)
expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
resource.provider.create
end

context 'when setting size' do
it 'creates with given size' do
resource[:authentication] = :dsa
resource[:size] = 1024
allow(OpenSSL::PKey::DSA).to receive(:new).with(1024).and_return(key)
expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
resource.provider.create
end
end

context 'when setting password' do
it 'creates with given password' do
resource[:authentication] = :dsa
resource[:password] = '2x$5{'
allow(OpenSSL::PKey::DSA).to receive(:new).with(2048).and_return(key)
expect(OpenSSL::Cipher).to receive(:new).with('aes-256-cbc')
expect(File).to receive(:write).with('/tmp/foo.key', kind_of(String))
resource.provider.create
end
end
end

context 'when setting authentication to ec' do
key = OpenSSL::PKey::EC.new('secp384r1').generate_key # For mocking

Expand Down
2 changes: 0 additions & 2 deletions spec/unit/puppet/type/ssl_pkey_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,6 @@
it 'accepts a valid authentication' do
resource[:authentication] = :rsa
expect(resource[:authentication]).to eq(:rsa)
resource[:authentication] = :dsa
expect(resource[:authentication]).to eq(:dsa)
resource[:authentication] = :ec
expect(resource[:authentication]).to eq(:ec)
end
Expand Down

0 comments on commit 5eed966

Please sign in to comment.