Joe McDonnell created KUDU-3663:
-----------------------------------
Summary: Support certificates signed with RSASSA-PSS for channel binding
Key: KUDU-3663
URL: https://issues.apache.org/jira/browse/KUDU-3663
Project: Kudu
Issue Type: Task
Components: security
Affects Versions: 1.17.0
Reporter: Joe McDonnell
Assignee: Joe McDonnell
Impala hit an issue (IMPALA-14038) where certificates signed using RSASSA-PSS
don't work with KRPC / SASL clusters. It produces an error like:
{noformat}
negotiation.cc:311] Negotiation complete: Not implemented: Server connection
negotiation failed: server connection from ****: server certificate has no
signature digest (hash) algorithm
{noformat}
That error comes from Cert::GetServerEndPointChannelBindings(), which is code
shared between Kudu and Impala, so this is the corresponding Kudu JIRA. The
issue is that RSASSA-PSS has a configurable hash algorithm, and OpenSSL's
OBJ_find_sigid_algs() doesn't handle finding the hash algorithm for RSASSA-PSS.
OpenSSL 1.1.1 introduced X509_get_signature_info(), which supports fetching
the hash algorithm for RSASSA-PSS. Postgres switched their code to use this
when faced with a similar situation:
[https://www.postgresql.org/message-id/CAAWbhmgjYym7AsH1fqOx%2BbNqctPpSW1DzyLv_0VhBa_ng%2BNVyQ%40mail.gmail.com]
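The root cause described above is that a signature-OID-to-hash table (which is what OBJ_find_sigid_algs() amounts to) has nothing to return for RSASSA-PSS, because the PSS OID does not name a hash: the hash lives in the AlgorithmIdentifier parameters. The following is an added illustration, not Kudu or Impala code and not the OpenSSL implementation: a small pure-Python DER walker that computes the RFC 5929 tls-server-end-point binding two ways, once from the signature OID alone (which fails for PSS exactly like the error in this ticket) and once by reading the RSASSA-PSS-params hashAlgorithm (the information X509_get_signature_info() exposes in C). The two "certificates" are constructed DER shells with placeholder tbsCertificate and signature fields, not real certificates; only the signatureAlgorithm field is meaningful.

```python
import hashlib

# Real OIDs from PKCS#1 / NIST.
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
OID_SHA384 = "2.16.840.1.101.3.4.2.2"

# Fixed signature-OID -> hash table: the lookup style that OBJ_find_sigid_algs()
# performs. RSASSA-PSS is deliberately absent: its OID alone names no hash.
SIGALG_TO_HASH = {
    "1.2.840.113549.1.1.4": "md5",
    OID_SHA1_RSA: "sha1",
    OID_SHA256_RSA: "sha256",
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
}
HASH_OIDS = {
    "1.2.840.113549.2.5": "md5",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    OID_SHA384: "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}

# --- minimal DER encoder (used only to construct the sample certificates) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body.extend(enc)
    return tlv(0x06, bytes(body))

# --- minimal DER decoder ---
def read_tlv(buf, pos=0):
    """Return (tag, content_bytes, position_after_element)."""
    tag, pos = buf[pos], pos + 1
    ln, pos = buf[pos], pos + 1
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns (signature OID, raw parameter bytes that follow the OID)."""
    _, cert_body, _ = read_tlv(cert_der)
    _, _, pos = read_tlv(cert_body)                  # skip tbsCertificate
    _, algid, _ = read_tlv(cert_body, pos)           # signatureAlgorithm
    _, oid_body, pos = read_tlv(algid)
    return decode_oid(oid_body), algid[pos:]

def hash_by_sigalg_oid(sig_oid, params):
    """OID-only lookup: returns None for RSASSA-PSS (the failing path in this ticket)."""
    return SIGALG_TO_HASH.get(sig_oid)

def hash_from_signature_info(sig_oid, params):
    """Parameter-aware lookup: for RSASSA-PSS read RSASSA-PSS-params.hashAlgorithm
    ([0] EXPLICIT, DEFAULT sha1 when absent)."""
    if sig_oid != OID_RSASSA_PSS:
        return SIGALG_TO_HASH.get(sig_oid)
    if not params:
        return "sha1"
    _, pss_body, _ = read_tlv(params)                # RSASSA-PSS-params SEQUENCE
    if pss_body and pss_body[0] == 0xA0:
        _, ctx, _ = read_tlv(pss_body)               # [0] hashAlgorithm
        _, hash_algid, _ = read_tlv(ctx)             # AlgorithmIdentifier
        _, hash_oid_body, _ = read_tlv(hash_algid)
        return HASH_OIDS.get(decode_oid(hash_oid_body))
    return "sha1"

def server_end_point_binding(cert_der, lookup):
    """RFC 5929 tls-server-end-point: hash the DER certificate with the signature's
    hash, except MD5 and SHA-1 are replaced by SHA-256."""
    sig_oid, params = signature_algorithm(cert_der)
    h = lookup(sig_oid, params)
    if h is None:
        raise ValueError("server certificate has no signature digest (hash) algorithm")
    if h in ("md5", "sha1"):
        h = "sha256"
    return hashlib.new(h, cert_der).digest()

# --- constructed sample certificates (placeholder tbsCertificate and signature) ---
def build_cert(sig_algid):
    tbs = tlv(0x30, tlv(0x02, b"\x00"))              # placeholder, not a real TBS
    sig = tlv(0x03, b"\x00" + b"\x00" * 4)           # placeholder BIT STRING
    return tlv(0x30, tbs + sig_algid + sig)

CERT_SHA1_RSA = build_cert(tlv(0x30, oid(OID_SHA1_RSA) + tlv(0x05, b"")))
CERT_SHA256_RSA = build_cert(tlv(0x30, oid(OID_SHA256_RSA) + tlv(0x05, b"")))
# RSASSA-PSS with hashAlgorithm = SHA-384 and saltLength = 48 (maskGen left at its default).
PSS_PARAMS = tlv(0x30, tlv(0xA0, tlv(0x30, oid(OID_SHA384) + tlv(0x05, b"")))
                     + tlv(0xA2, tlv(0x02, b"\x30")))
CERT_PSS_SHA384 = build_cert(tlv(0x30, oid(OID_RSASSA_PSS) + PSS_PARAMS))

if __name__ == "__main__":
    for name, cert in [("sha256WithRSA", CERT_SHA256_RSA), ("RSASSA-PSS/SHA-384", CERT_PSS_SHA384)]:
        for label, lookup in [("oid-only", hash_by_sigalg_oid), ("params-aware", hash_from_signature_info)]:
            try:
                print(name, label, server_end_point_binding(cert, lookup).hex())
            except ValueError as e:
                print(name, label, "ERROR:", e)
```

Running the block shows the OID-only lookup producing the same "no signature digest (hash) algorithm" failure for the PSS certificate while the parameter-aware lookup yields a 48-byte SHA-384 binding; the SHA-1 certificate demonstrates the RFC 5929 substitution, since its binding is a 32-byte SHA-256 digest rather than a 20-byte SHA-1.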