[ https://issues.apache.org/jira/browse/KUDU-3663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17953223#comment-17953223 ]

ASF subversion and git services commented on KUDU-3663:
-------------------------------------------------------

Commit a97f0feafd83505b491967a7655bc6cf9fb516be in kudu's branch 
refs/heads/branch-1.18.x from Joe McDonnell
[ https://gitbox.apache.org/repos/asf?p=kudu.git;h=a97f0feaf ]

KUDU-3663: Support certificates signed with RSASSA-PSS for channel bindings

The existing code to determine the hash algorithm for a certificate
does not handle RSASSA-PSS signatures as the hash algorithm is
configurable for RSASSA-PSS. OpenSSL 1.1.1 introduced the
x509_get_signature_info() function, which is able to determine the
hash algorithm even for RSASSA-PSS. This uses x509_get_signature_info()
whenever building against OpenSSL 1.1.1 or above. This is similar to
the fix used in Postgres when faced with the same issue.

Testing:
 - Added a test certificate that uses RSASSA-PSS and a test case in
   cert-test to verify that it can determine the hash algorithm used

Change-Id: I26a25a43d778fd2f2fcf293ecb199133c675212c
Reviewed-on: http://gerrit.cloudera.org:8080/22910
Reviewed-by: Alexey Serbin <ale...@apache.org>
Tested-by: Alexey Serbin <ale...@apache.org>
(cherry picked from commit c1770c55063076c6e8304643fe7a5d6bd7836fe8)
Reviewed-on: http://gerrit.cloudera.org:8080/22935
Reviewed-by: Abhishek Chennaka <achenn...@cloudera.com>


> Support certificates signed with RSASSA-PSS for channel binding
> ---------------------------------------------------------------
>
>                 Key: KUDU-3663
>                 URL: https://issues.apache.org/jira/browse/KUDU-3663
>             Project: Kudu
>          Issue Type: Task
>          Components: security
>    Affects Versions: 1.12.0, 1.13.0, 1.14.0, 1.15.0, 1.16.0, 1.17.0, 1.17.1
>            Reporter: Joe McDonnell
>            Assignee: Joe McDonnell
>            Priority: Critical
>
> Impala hit an issue (IMPALA-14038) where certificates signed using RSASSA-PSS 
> don't work with KRPC / SASL clusters. It produces an error like:
> {noformat}
> negotiation.cc:311] Negotiation complete: Not implemented: Server connection 
> negotiation failed: server connection from ****: server certificate has no 
> signature digest (hash) algorithm
> {noformat}
> That error comes from Cert::GetServerEndPointChannelBindings(), which is code 
> shared between Kudu and Impala, so this is the corresponding Kudu JIRA. The 
> issue is that RSASSA-PSS has a configurable hash algorithm, and OpenSSL's 
> OBJ_find_sigid_algs() doesn't handle finding the hash algorithm for 
> RSASSA-PSS.
> OpenSSL 1.1.1 introduced x509_get_signature_info(), which supports 
> fetching the hash algorithm for RSASSA-PSS. Postgres switched their code to 
> use this when faced with a similar situation: 
> [https://www.postgresql.org/message-id/CAAWbhmgjYym7AsH1fqOx%2BbNqctPpSW1DzyLv_0VhBa_ng%2BNVyQ%40mail.gmail.com]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
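
The following Python example is added here and is not code from the Kudu commit, Postgres or OpenSSL: it shows why a lookup keyed only on the signature OID finds no hash for RSASSA-PSS, and where the hash sits in the RSASSA-PSS parameters. The function names and DER inputs are constructed for illustration, and the MD5/SHA-1 to SHA-256 substitution is the RFC 5929 tls-server-end-point rule, assumed here to be the channel binding type in use.

```python
SIG_OID_HASH = {"2a864886f70d010104": "md5",      # md5WithRSAEncryption
                "2a864886f70d010105": "sha1",     # sha1WithRSAEncryption
                "2a864886f70d01010b": "sha256"}   # sha256WithRSAEncryption
RSASSA_PSS = "2a864886f70d01010a"     # id-RSASSA-PSS: the hash lives in the parameters
HASH_OID = {"2b0e03021a": "sha1", "608648016503040201": "sha256",
            "608648016503040202": "sha384", "608648016503040203": "sha512"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def signature_hash(alg_id, read_pss_params=True):
    """Hash name for a DER AlgorithmIdentifier, or None if it cannot be determined."""
    tag, body, _ = read_tlv(alg_id)
    oid_tag, oid, pos = read_tlv(body)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an AlgorithmIdentifier")
    if oid.hex() != RSASSA_PSS:
        return SIG_OID_HASH.get(oid.hex())
    if not read_pss_params or pos == len(body):
        return None                   # OID-only lookup, or parameters absent: no hash
    _, params, _ = read_tlv(body, pos)    # RSASSA-PSS-params SEQUENCE
    if not params or params[0] != 0xA0:
        return "sha1"                 # [0] hashAlgorithm omitted: DEFAULT is SHA-1
    _, field, _ = read_tlv(params)    # contents of the explicit [0] tag
    _, hash_alg, _ = read_tlv(field)  # inner AlgorithmIdentifier SEQUENCE
    _, hash_oid, _ = read_tlv(hash_alg)
    return HASH_OID.get(hash_oid.hex())

def channel_binding_hash(alg_id, read_pss_params=True):
    """RFC 5929 tls-server-end-point rule: MD5 and SHA-1 are replaced by SHA-256."""
    name = signature_hash(alg_id, read_pss_params)
    if name is None:
        raise NotImplementedError("certificate has no signature digest (hash) algorithm")
    return "sha256" if name in ("md5", "sha1") else name

# Constructed AlgorithmIdentifier values (not taken from any real certificate).
SHA256_RSA = bytes.fromhex("300d 06092a864886f70d01010b 0500")
PSS_DEFAULT = bytes.fromhex("300d 06092a864886f70d01010a 3000")   # empty params
PSS_SHA384 = bytes.fromhex("3041 06092a864886f70d01010a 3034 a00f 300d 0609608648016503040202 0500"
                           "a11c 301a 06092a864886f70d010108 300d 0609608648016503040202 0500 a203 020130")
```

Calling `channel_binding_hash(PSS_SHA384, read_pss_params=False)` reproduces the failure mode in the issue, while the default call reads SHA-384 out of the parameters.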
