node-acme-client icon indicating copy to clipboard operation
node-acme-client copied to clipboard
verified publisher icon publishlab

[NOTICE] node-acme-client < v4.2.4 will break on September 15, 2022

Open jsha opened this issue 3 years ago • 3 comments

At Let's Encrypt, we're planning to stop supporting SHA-1 self-signatures on CSRs (in part because Go is removing support for those). In a review of our logs, node-acme-client showed up as a popular client that was sending CSRs with SHA-1 self-signatures. It looks like the problem is here:

https://github.com/publishlab/node-acme-client/blob/6d5ce60c59914f8830985495adeb2caf480ee148/src/crypto/forge.js#L439-L440

You don't set a specific signature algorithm, so node-forge defaults to SHA-1:

https://github.com/digitalbazaar/forge/blob/cbf0bd590d47fe3120a57e7c36f2f4e64381ad81/lib/x509.js#L1128-L1130

I recommend adding a second argument containing the appropriate OID for sha256WithRSAEncryption.

jsha avatar Mar 18 '22 21:03 jsha

Hi @jsha and thanks for reporting this,

CSR signing using SHA-256 should be fixed in 64b7340b82b70dd4108fef3c854806ad8d5de712 and has been published with [email protected]. The fix has also been backported to [email protected] as v3.x still sees a few downloads from NPM.

nmorsman avatar Mar 19 '22 03:03 nmorsman

Excellent, thanks for the quick turnaround!

jsha avatar Mar 19 '22 04:03 jsha

Added an upgrade notice with some details to the README and CHANGELOG in case this goes by unnoticed.

nmorsman avatar Apr 30 '22 13:04 nmorsman