cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

cfssl gencsr touches key file #1026

Closed ashemedai closed 2 years ago

ashemedai commented 5 years ago

% cfssl version
Version: 1.3.4
Revision: dev
Runtime: go1.12.7

When using cfssl gencsr -key <keyfile>, I noticed that cfssl seems to adjust the mtime of the keyfile. Since the use case of gencsr is to use an existing file, I doubt it needs to touch the file.

Can be reproduced by:

  1. Generate JSON file
  2. cfssl keygen JSON | cfssl-json -bare mycert
  3. stat -f "%Sc %Sa %Sm" mycert-key.pem (BSD/Mac syntax) and notice the timestamps
  4. Wait a minute so that clock rolls over
  5. cfssl gencsr -key mycert-key.pem JSON
  6. stat -f "%Sc %Sa %Sm" mycert-key.pem and notice that the ctime and mtime have changed.

What I also find interesting is:

% cfssl gencsr -h
    cfssl gencsr -- generate a csr from a private key with existing CSR json specification or certificate

Usage of genkey:
        cfssl gencsr -key private_key_file [-host hostname_override] CSRJSON
        cfssl gencsr -key private_key_file [-host hostname_override] -cert certificate_file

Arguments:
        CSRJSON:    JSON file containing the request, use '-' for reading JSON from stdin

Notice the output of genkey in the output above. I have not yet looked at the code to see whether gencsr is wrapping genkey's functionality, which could explain the behaviour I wrote about above.
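The stat-before/stat-after check in the reproduction steps can be automated. The Go program below is an added example, not code from the cfssl project or from the reporter: it pins a key file's mtime, runs an operation on it, and reports whether the mtime moved. It contrasts the access pattern a CSR generator needs (read the key bytes, nothing else) with one that rewrites the same bytes back, which updates mtime and ctime without changing content. The PEM body, the file name and the `RewriteLoad` pattern are constructed for illustration; the issue does not establish what cfssl actually does to the file, so treating a rewrite as the cause is an assumption.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"path/filepath"
	"time"
)

// samplePEM is a constructed placeholder standing in for mycert-key.pem.
// It is not a real key; only the file's metadata matters for this check.
const samplePEM = "-----BEGIN EC PRIVATE KEY-----\n" +
	"MHcCAQEEIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER\n" +
	"-----END EC PRIVATE KEY-----\n"

// pinnedTime is the fixed mtime applied before each operation, so the
// comparison does not depend on timestamp granularity or on waiting a
// minute for the clock to roll over.
var pinnedTime = time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)

// WriteSampleKey writes the placeholder PEM into dir with 0600 permissions
// and returns its path (assumed file name, matching the report).
func WriteSampleKey(dir string) (string, error) {
	path := filepath.Join(dir, "mycert-key.pem")
	if err := os.WriteFile(path, []byte(samplePEM), 0o600); err != nil {
		return "", err
	}
	return path, nil
}

// ModTimeChanged pins the file's mtime, runs op on the path, and reports
// whether the mtime differs afterwards. Only mtime is compared: ctime
// cannot be set from userland, so it cannot be pinned the same way.
func ModTimeChanged(path string, op func(string) error) (bool, error) {
	if err := os.Chtimes(path, pinnedTime, pinnedTime); err != nil {
		return false, err
	}
	if err := op(path); err != nil {
		return false, err
	}
	fi, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return !fi.ModTime().Equal(pinnedTime), nil
}

// ReadOnlyLoad is all a CSR generator needs from an existing key: the bytes,
// opened for reading only. Reading leaves mtime and ctime untouched.
func ReadOnlyLoad(path string) error {
	_, err := os.ReadFile(path)
	return err
}

// RewriteLoad reads the key and writes the identical bytes back. The content
// is unchanged, but the truncate-and-write updates mtime and ctime, which is
// the symptom described in the report. Whether cfssl does anything like this
// is an assumption made for illustration; the issue does not identify the cause.
func RewriteLoad(path string) error {
	b, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	return os.WriteFile(path, b, 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "gencsr-mtime")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)

	path, err := WriteSampleKey(dir)
	if err != nil {
		log.Fatal(err)
	}
	cases := []struct {
		name string
		op   func(string) error
	}{
		{"read-only load", ReadOnlyLoad},
		{"rewrite same bytes", RewriteLoad},
	}
	for _, c := range cases {
		changed, err := ModTimeChanged(path, c.op)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%-20s mtime changed: %v\n", c.name, changed)
	}
}
```

To apply the same check to the real tool, replace the `op` with a function that runs `cfssl gencsr -key <path> <csr.json>` and compare the mtime before and after; the pinned timestamp removes the need for step 4's one-minute wait.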

ashemedai commented 2 years ago

Closing this, since it seems Cloudflare doesn't pay attention to this repository. And I can do without all these multi-year issues in my issues overview.