Closed atheriel closed 2 years ago
Adding API to test if FIPS is enabled: https://github.com/jeroen/openssl/commit/bcdf9dd2a70e1baf42cc1414e074426abb44b8c6
This is how chrome shows fingerprints. SHA1 + SHA256...
Thank you for your patience. I changed my mind and merged your initial pull request. It seems impossible to make it work on a FIPS system without breaking compatibility.
As you noted, all other software has also stopped using md5 signatures. I just hope it won't break too many R packages that were identifying a key using it's md5 fingerprint.
Great, thanks for your careful consideration!
This aims to replace #93 with an approach that does not require any breaking changes.
Currently public keys cannot be generated or even printed on FIPS-compliant systems because these systems do not permit use of the MD5 algorithm:
This PR allows passing a new
hashfun
argument to theas.list()
andprint()
methods for keys and public keys, which are in turn passed through to the underlying call tofingerprint()
. This enables the following workarounds on FIPS systems:In order to preserve backwards compatibility, the hash function still defaults to MD5, but this could probably be changed in the future. Recent versions of OpenSSL's command-line tools, for example, have switched to SHA-256.
Some new unit tests have been added to test these features.
Side note: again, this originally surfaced in https://github.com/rstudio/rsconnect/issues/452.