puppet 6.3.0-universal-darwin → 6.4.0-universal-darwin

data/lib/puppet/ssl/host.rb

@@ -3,9 +3,10 @@ require 'puppet/ssl/key'
 require 'puppet/ssl/certificate'
 require 'puppet/ssl/certificate_request'
 require 'puppet/ssl/certificate_request_attributes'
+require 'puppet/ssl/state_machine'
 require 'puppet/rest/errors'
 require 'puppet/rest/routes'
-require 'puppet/rest/ssl_context'
+
 begin
   # This may fail when being loaded from Puppet Server. However loading the
   # client monkey patches the SSL Store and we need to have those monkey
@@ -131,11 +132,9 @@ class Puppet::SSL::Host
     unless @certificate
       generate_key unless key
 
-      # get the CA cert first, since it's required for the normal cert
-      # to be of any use. If we can't get it, quit.
-      if !ensure_ca_certificate
-        return nil
-      end
+      # get CA and optional CRL
+      sm = Puppet::SSL::StateMachine.new
+      sm.ensure_ca_certificates
 
       cert = get_host_certificate
       return nil unless cert
@@ -372,7 +371,7 @@ ERROR_STRING
   def download_csr_from_ca
     begin
       body = Puppet::Rest::Routes.get_certificate_request(
-                    name, Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store))
+                    name, Puppet::SSL::SSLContext.new(store: ssl_store))
       begin
         Puppet::SSL::CertificateRequest.from_s(body)
       rescue OpenSSL::X509::RequestError => e
@@ -390,7 +389,7 @@ ERROR_STRING
   # @param [Puppet::SSL::CertificateRequest] csr the request to submit
   def submit_certificate_request(csr)
     Puppet::Rest::Routes.put_certificate_request(
-                  csr.render, name, Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store))
+                  csr.render, name, Puppet::SSL::SSLContext.new(store: ssl_store))
   end
 
   def save_certificate_request(csr)
@@ -423,56 +422,6 @@ ERROR_STRING
     process_crl_string(crls_pems)
   end
 
-  # Ensures that the CA certificate is available for either generating or
-  # validating the host's cert.
-  # It will first check on disk, then try to download it.
-  # @raise [Puppet::Error] if text form of found certificate bundle is invalid
-  #                        and cannot be loaded into cert objects
-  # @return [Boolean] true if the CA certificate was found, false otherwise
-  def ensure_ca_certificate
-    file_path = certificate_location(CA_NAME)
-    if Puppet::FileSystem.exist?(file_path)
-      begin
-        # This load ensures that the file contents is a valid cert bundle.
-        # If the text is malformed, load_certificate_bundle will raise.
-        load_certificate_bundle(Puppet::FileSystem.read(file_path))
-      rescue Puppet::Error => e
-        raise Puppet::Error, _("The CA certificate at %{file_path} is invalid: %{message}") % { file_path: file_path, message: e.message }
-      end
-    else
-      bundle = download_ca_certificate_bundle
-      if bundle
-        save_bundle(bundle, certificate_location(CA_NAME))
-        true
-      else
-        false
-      end
-    end
-  end
-  public :ensure_ca_certificate
-
-  # Creates an arry of SSL Certificate objects from a PEM-encoding string
-  # of one or more certs.
-  # @param [String] bundle_string PEM-encoded string of certs
-  # @return [[OpenSSL::X509::Certificate], nil] the certs loaded from the
-  #         input string, or nil if none could be loaded
-  def load_certificate_bundle(bundle_string)
-    delimiters = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
-    certs = bundle_string.scan(delimiters)
-
-    if certs.empty?
-      raise Puppet::Error, _("No valid PEM-encoded certificates.")
-    end
-
-    certs.map do |cert|
-      begin
-        OpenSSL::X509::Certificate.new(cert)
-      rescue OpenSSL::X509::CertificateError => e
-        raise Puppet::Error, _("Could not parse certificate: %{message}") % { message: e.message }
-      end
-    end
-  end
-
   # Fetches and saves the crl bundle from the CA server without validating
   # its contents. Takes an optional store to use with the http_client,
   # necessary for initial download of the CRL because `build_ssl_store`
@@ -487,7 +436,7 @@ ERROR_STRING
       # If no SSL store was supplied, use this host's SSL store
       store ||= ssl_store
       Puppet::Util.replace_file(crl_path, 0644) do |file|
-        result = Puppet::Rest::Routes.get_crls(CA_NAME, Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, store))
+        result = Puppet::Rest::Routes.get_crls(CA_NAME, Puppet::SSL::SSLContext.new(store: store))
         file.write(result)
       end
     rescue Puppet::Rest::ResponseError => e
@@ -495,38 +444,6 @@ ERROR_STRING
     end
   end
 
-  # Fetches the CA certificate bundle from the CA server
-  # @raise [Puppet::Error] if response from the server is not a valid certificate
-  #                        bundle
-  # @return [[OpenSSL::X509::Certificate]] the certs loaded from the response
-  def download_ca_certificate_bundle
-    begin
-      cert_bundle = Puppet::Rest::Routes.get_certificate(
-        CA_NAME,
-        Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_NONE)
-      )
-      # This load ensures that the response body is a valid cert bundle.
-      # If the text is malformed, load_certificate_bundle will raise.
-      begin
-        load_certificate_bundle(cert_bundle)
-      rescue Puppet::Error => e
-        raise Puppet::Error, _("Response from the CA did not contain a valid CA certificate: %{message}") % { message: e.message }
-      end
-    rescue Puppet::Rest::ResponseError => e
-      raise Puppet::Error, _('Could not download CA certificate: %{message}') % { message: e.message }
-    end
-  end
-
-  # Saves the given bundle to disk to a specified file path.
-  # @param bundle [[OpenSSL::X509::Certificate/CRL]] the certs to save
-  # @param location [String] place on disk to save bundle
-  def save_bundle(cert_bundle, location)
-    Puppet::Util.replace_file(location, 0644) do |f|
-      bundle_string = cert_bundle.map(&:to_pem).join("\n")
-      f.write(bundle_string)
-    end
-  end
-
   # Attempts to load or fetch this host's certificate. Returns nil if
   # no certificate could be found.
   # @return [Puppet::SSL::Certificate, nil]
@@ -569,7 +486,7 @@ ERROR_STRING
     begin
       cert = Puppet::Rest::Routes.get_certificate(
         cert_name,
-        Puppet::Rest::SSLContext.new(OpenSSL::SSL::VERIFY_PEER, ssl_store)
+        Puppet::SSL::SSLContext.new(store: ssl_store)
       )
       begin
         Puppet::SSL::Certificate.from_s(cert)

data/lib/puppet/ssl/ssl_context.rb

@@ -0,0 +1,30 @@
+require 'puppet/ssl'
+
+module Puppet::SSL
+  SSLContext = Struct.new(
+    :store,
+    :cacerts,
+    :crls,
+    :private_key,
+    :client_cert,
+    :client_chain,
+    :revocation,
+    :verify_peer
+  ) do
+    DEFAULTS = {
+      cacerts: [],
+      crls: [],
+      client_chain: [],
+      revocation: true,
+      verify_peer: true
+    }.freeze
+
+    # This is an idiom to initialize a Struct from keyword
+    # arguments. Ruby 2.5 introduced `keyword_init: true` for
+    # that purpose, but we need to support older versions.
+    def initialize(**kwargs)
+      super({})
+      DEFAULTS.merge(kwargs).each { |k,v| self[k] = v }
+    end
+  end
+end

data/lib/puppet/ssl/ssl_provider.rb

@@ -0,0 +1,232 @@
+require 'puppet/ssl'
+
+# SSL Provider creates `SSLContext` objects that can be used to create
+# secure connections.
+#
+# @api private
+class Puppet::SSL::SSLProvider
+  # Create an insecure `SSLContext`. Connections made from the returned context
+  # will not authenticate the server, i.e. `VERIFY_NONE`, and are vulnerable to
+  # MITM. Do not call this method.
+  #
+  # @return [Puppet::SSL::SSLContext] A context to use to create connections
+  # @api private
+  def create_insecure_context
+    store = create_x509_store([], [], false)
+
+    Puppet::SSL::SSLContext.new(store: store, verify_peer: false).freeze
+  end
+
+  # Create an `SSLContext` using the trusted `cacerts` and optional `crls`.
+  # Connections made from the returned context will authenticate the server,
+  # i.e. `VERIFY_PEER`, but will not use a client certificate.
+  #
+  # The `crls` parameter must contain CRLs corresponding to each CA in `cacerts`
+  # depending on the `revocation` mode. See {#create_context}.
+  #
+  # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
+  # @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs
+  # @param revocation [:chain, :leaf, false] revocation mode
+  # @return [Puppet::SSL::SSLContext] A context to use to create connections
+  # @raise (see #create_context)
+  # @api private
+  def create_root_context(cacerts:, crls: [], revocation: Puppet[:certificate_revocation])
+    store = create_x509_store(cacerts, crls, revocation)
+
+    Puppet::SSL::SSLContext.new(store: store, cacerts: cacerts, crls: crls, revocation: revocation).freeze
+  end
+
+  # Create an `SSLContext` using the trusted `cacerts`, `crls`, `private_key`,
+  # `client_cert`, and `revocation` mode. Connections made from the returned
+  # context will be mutually authenticated.
+  #
+  # The `crls` parameter must contain CRLs corresponding to each CA in `cacerts`
+  # depending on the `revocation` mode:
+  #
+  # * `:chain` - `crls` must contain a CRL for every CA in `cacerts`
+  # * `:leaf` - `crls` must contain (at least) the CRL for the leaf CA in `cacerts`
+  # * `false` - `crls` can be empty
+  #
+  # The `private_key` and public key from the `client_cert` must match.
+  #
+  # @param cacerts [Array<OpenSSL::X509::Certificate>] Array of trusted CA certs
+  # @param crls [Array<OpenSSL::X509::CRL>] Array of CRLs
+  # @param private_key [OpenSSL::PKey::RSA] client's private key
+  # @param client_cert [OpenSSL::X509::Certificate] client's cert whose public
+  #   key matches the `private_key`
+  # @param revocation [:chain, :leaf, false] revocation mode
+  # @return [Puppet::SSL::SSLContext] A context to use to create connections
+  # @raise [Puppet::SSL::CertVerifyError] There was an issue with
+  #   one of the certs or CRLs.
+  # @raise [Puppet::SSL::SSLError] There was an issue with the
+  #   `private_key`.
+  # @api private
+  def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Puppet[:certificate_revocation])
+    raise ArgumentError, _("CA certs are missing") unless cacerts
+    raise ArgumentError, _("CRLs are missing") unless crls
+    raise ArgumentError, _("Private key is missing") unless private_key
+    raise ArgumentError, _("Client cert is missing") unless client_cert
+
+    store = create_x509_store(cacerts, crls, revocation)
+    client_chain = verify_cert_with_store(store, client_cert)
+
+    unless private_key.is_a?(OpenSSL::PKey::RSA)
+      raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
+    end
+
+    unless client_cert.check_private_key(private_key)
+      raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
+    end
+
+    Puppet::SSL::SSLContext.new(
+      store: store, cacerts: cacerts, crls: crls,
+      private_key: private_key, client_cert: client_cert, client_chain: client_chain,
+      revocation: revocation
+    ).freeze
+  end
+
+  # Load an `SSLContext` using available certs and keys. An exception is raised
+  # if any component is missing or is invalid, such as a mismatched client cert
+  # and private key. Connections made from the returned context will be mutually
+  # authenticated.
+  #
+  # @param revocation [:chain, :leaf, false] revocation mode
+  # @return [Puppet::SSL::SSLContext] A context to use to create connections
+  # @raise [Puppet::SSL::CertVerifyError] There was an issue with
+  #   one of the certs or CRLs.
+  # @raise [Puppet::Error] There was an issue with one of the required components.
+  # @api private
+  def load_context(certname: Puppet[:certname], revocation: Puppet[:certificate_revocation])
+    cert = Puppet::X509::CertProvider.new
+    cacerts = cert.load_cacerts(required: true)
+    crls = case revocation
+           when :chain, :leaf
+             cert.load_crls(required: true)
+           else
+             []
+           end
+    private_key = cert.load_private_key(certname, required: true)
+    client_cert = cert.load_client_cert(certname, required: true)
+
+    create_context(cacerts: cacerts, crls: crls,  private_key: private_key, client_cert: client_cert, revocation: revocation)
+  end
+
+  # Verify the `csr` was signed with a private key corresponding to the
+  # `public_key`. This ensures the CSR was signed by someone in possession
+  # of the private key, and that it hasn't been tampered with since.
+  #
+  # @param csr [OpenSSL::X509::Request] certificate signing request
+  # @param public_key [OpenSSL::PKey::RSA] public key
+  # @raise [Puppet::SSL:SSLError] The private_key for the given `public_key` was
+  #   not used to sign the CSR.
+  # @api private
+  def verify_request(csr, public_key)
+    unless csr.verify(public_key)
+      raise Puppet::SSL::SSLError, _("The CSR for host '%{name}' does not match the public key") % { name: subject(csr) }
+    end
+
+    csr
+  end
+
+  private
+
+  def default_flags
+    # checking the signature of the self-signed cert doesn't add any security,
+    # but it's a sanity check to make sure the cert isn't corrupt. This option
+    # is only available in openssl 1.1+
+    if defined?(OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE)
+      OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE
+    else
+      0
+    end
+  end
+
+  def create_x509_store(roots, crls, revocation)
+    store = OpenSSL::X509::Store.new
+    store.purpose = OpenSSL::X509::PURPOSE_ANY
+    store.flags = default_flags | revocation_mode(revocation)
+
+    roots.each { |cert| store.add_cert(cert) }
+    crls.each { |crl| store.add_crl(crl) }
+
+    store
+  end
+
+  def subject(x509)
+    x509.subject.to_s
+  end
+
+  def issuer(x509)
+    x509.issuer.to_s
+  end
+
+  def revocation_mode(mode)
+    case mode
+    when false
+      0
+    when :leaf
+      OpenSSL::X509::V_FLAG_CRL_CHECK
+    else
+      # :chain is the default
+      OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
+    end
+  end
+
+  def verify_cert_with_store(store, cert)
+    # StoreContext#initialize accepts a chain argument, but it's set to [] because
+    # puppet requires any intermediate CA certs needed to complete the client's
+    # chain to be in the CA bundle that we downloaded from the server, and
+    # they've already been added to the store. See PUP-9500.
+
+    store_context = OpenSSL::X509::StoreContext.new(store, cert, [])
+    unless store_context.verify
+      current_cert = store_context.current_cert
+
+      # If the client cert's intermediate CA is not in the CA bundle, then warn,
+      # but don't error, because SSL allows the client to send an incomplete
+      # chain, and have the server resolve it.
+      if store_context.error == OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+        Puppet.warning _("The issuer '%{issuer}' of certificate '%{subject}' cannot be found locally") % {
+          issuer: issuer(current_cert), subject: subject(current_cert)
+        }
+      else
+        raise_cert_verify_error(store_context, current_cert)
+      end
+    end
+
+    # resolved chain from leaf to root
+    store_context.chain
+  end
+
+  def raise_cert_verify_error(store_context, current_cert)
+    message =
+      case store_context.error
+      when OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID
+        _("The certificate '%{subject}' is not yet valid, verify time is synchronized") % { subject: subject(current_cert) }
+      when OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED
+        _("The certificate '%{subject}' has expired, verify time is synchronized") %  { subject: subject(current_cert) }
+      when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
+        _("The CRL issued by '%{issuer}' is not yet valid, verify time is synchronized") % { issuer: issuer(current_cert) }
+      when OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED
+        _("The CRL issued by '%{issuer}' has expired, verify time is synchronized") % { issuer: issuer(current_cert) }
+      when OpenSSL::X509::V_ERR_CERT_SIGNATURE_FAILURE
+        _("Invalid signature for certificate '%{subject}'") % { subject: subject(current_cert) }
+      when OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE
+        _("Invalid signature for CRL issued by '%{issuer}'") % { issuer: issuer(current_cert) }
+      when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT
+        _("The issuer '%{issuer}' of certificate '%{subject}' is missing") % {
+          issuer: issuer(current_cert), subject: subject(current_cert) }
+      when OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL
+        _("The CRL issued by '%{issuer}' is missing") % { issuer: issuer(current_cert) }
+      when OpenSSL::X509::V_ERR_CERT_REVOKED
+        _("Certificate '%{subject}' is revoked") % { subject: subject(current_cert) }
+      else
+        # error_string is labeled ASCII-8BIT, but is encoded based on Encoding.default_external
+        err_utf8 = Puppet::Util::CharacterEncoding.convert_to_utf_8(store_context.error_string)
+        _("Certificate '%{subject}' failed verification (%{err}): %{err_utf8}") % {
+          subject: subject(current_cert), err: store_context.error, err_utf8: err_utf8 }
+      end
+
+    raise Puppet::SSL::CertVerifyError.new(message, store_context.error, current_cert)
+  end
+end

data/lib/puppet/ssl/state_machine.rb

@@ -0,0 +1,261 @@
+require 'puppet/ssl'
+
+# This class implements a state machine for bootstrapping a host's CA and CRL
+# bundles, private key and signed client certificate. Each state has a frozen
+# SSLContext that it uses to make network connections. If a state makes progress
+# bootstrapping the host, then the state will generate a new frozen SSLContext
+# and pass that to the next state. For example, the NeedCACerts state will load
+# or download a CA bundle, and generate a new SSLContext containing those CA
+# certs. This way we're sure about which SSLContext is being used during any
+# phase of the bootstrapping process.
+#
+# @private
+class Puppet::SSL::StateMachine
+  CA_NAME = 'ca'.freeze
+
+  class SSLState
+    attr_reader :ssl_context
+
+    def initialize(machine, ssl_context)
+      @machine = machine
+      @ssl_context = ssl_context
+      @cert_provider = Puppet::X509::CertProvider.new
+      @ssl_provider = Puppet::SSL::SSLProvider.new
+    end
+  end
+
+  # Load existing CA certs or download them. Transition to NeedCRLs.
+  #
+  class NeedCACerts < SSLState
+    def initialize(machine)
+      super(machine, nil)
+      @ssl_context = @ssl_provider.create_insecure_context
+    end
+
+    def next_state
+      Puppet.debug("Loading CA certs")
+
+      cacerts = @cert_provider.load_cacerts
+      if cacerts
+        next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
+      else
+        pem = Puppet::Rest::Routes.get_certificate(CA_NAME, @ssl_context)
+        cacerts = @cert_provider.load_cacerts_from_pem(pem)
+        # verify cacerts before saving
+        next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
+        @cert_provider.save_cacerts(cacerts)
+      end
+
+      NeedCRLs.new(@machine, next_ctx)
+    rescue Puppet::Rest::ResponseError => e
+      if e.response.code.to_i == 404
+        raise Puppet::Error.new(_('CA certificate is missing from the server'))
+      else
+        raise Puppet::Error.new(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
+      end
+    end
+  end
+
+  # If revocation is enabled, load CRLs or download them, using the CA bundle
+  # from the previous state. Transition to NeedKey. Even if Puppet[:certificate_revocation]
+  # is leaf or chain, disable revocation when downloading the CRL, since 1) we may
+  # not have one yet or 2) the connection will fail if NeedCACerts downloaded a new CA
+  # for which we don't have a CRL
+  #
+  class NeedCRLs < SSLState
+    def next_state
+      Puppet.debug("Loading CRLs")
+
+      case Puppet[:certificate_revocation]
+      when :chain, :leaf
+        crls = @cert_provider.load_crls
+        if crls
+          next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
+        else
+          pem = Puppet::Rest::Routes.get_crls(CA_NAME, @ssl_context)
+          crls = @cert_provider.load_crls_from_pem(pem)
+          # verify crls before saving
+          next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
+          @cert_provider.save_crls(crls)
+        end
+      else
+        Puppet.info("Certificate revocation is disabled, skipping CRL download")
+        next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
+      end
+
+      NeedKey.new(@machine, next_ctx)
+    rescue Puppet::Rest::ResponseError => e
+      if e.response.code.to_i == 404
+        raise Puppet::Error.new(_('CRL is missing from the server'))
+      else
+        raise Puppet::Error.new(_('Could not download CRLs: %{message}') % { message: e.message }, e)
+      end
+    end
+  end
+
+  # Load or generate a private key. If the key exists, try to load the client cert
+  # and transition to Done. If the cert is mismatched or otherwise fails valiation,
+  # raise an error. If the key doesn't exist yet, generate one, and save it. If the
+  # cert doesn't exist yet, transition to NeedSubmitCSR.
+  #
+  class NeedKey < SSLState
+    def next_state
+      key = @cert_provider.load_private_key(Puppet[:certname])
+      if key
+        cert = @cert_provider.load_client_cert(Puppet[:certname])
+        if cert
+          next_ctx = @ssl_provider.create_context(
+            cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: key, client_cert: cert
+          )
+          return Done.new(@machine, next_ctx)
+        end
+      else
+        Puppet.info _("Creating a new SSL key for %{name}") % { name: Puppet[:certname] }
+        key = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
+        @cert_provider.save_private_key(Puppet[:certname], key)
+      end
+
+      NeedSubmitCSR.new(@machine, @ssl_context, key)
+    end
+  end
+
+  # Base class for states with a private key.
+  #
+  class KeySSLState < SSLState
+    attr_reader :private_key
+
+    def initialize(machine, ssl_context, private_key)
+      super(machine, ssl_context)
+      @private_key = private_key
+    end
+  end
+
+  # Generate and submit a CSR using the CA cert bundle and optional CRL bundle
+  # from earlier states. If the request is submitted, proceed to NeedCert,
+  # otherwise Wait. This could be due to the server already having a CSR
+  # for this host (either the same or different CSR content), having a
+  # signed certificate, or a revoked certificate.
+  #
+  class NeedSubmitCSR < KeySSLState
+    def next_state
+      csr = @cert_provider.create_request(Puppet[:certname], @private_key)
+      Puppet::Rest::Routes.put_certificate_request(csr.to_pem, Puppet[:certname], @ssl_context)
+      @cert_provider.save_request(Puppet[:certname], csr)
+      NeedCert.new(@machine, @ssl_context, @private_key)
+    rescue Puppet::Rest::ResponseError => e
+      if e.response.code.to_i != 400
+        raise Puppet::SSL::SSLError.new(_("Failed to submit the CSR, HTTP response was %{code}") % { code: e.response.code }, e)
+      end
+
+      NeedCert.new(@machine, @ssl_context, @private_key)
+    end
+  end
+
+  # Attempt to load or retrieve our signed cert.
+  #
+  class NeedCert < KeySSLState
+    def next_state
+      cert = OpenSSL::X509::Certificate.new(
+        Puppet::Rest::Routes.get_certificate(Puppet[:certname], @ssl_context)
+      )
+      # verify client cert before saving
+      next_ctx = @ssl_provider.create_context(
+        cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: @private_key, client_cert: cert
+      )
+      @cert_provider.save_client_cert(Puppet[:certname], cert)
+      @cert_provider.delete_request(Puppet[:certname])
+      Done.new(@machine, next_ctx)
+    rescue Puppet::SSL::SSLError => e
+      Puppet.log_exception(e)
+      Wait.new(@machine, @ssl_context)
+    rescue OpenSSL::X509::CertificateError => e
+      Puppet.log_exception(e, _("Failed to parse certificate: %{message}") % {message: e.message})
+      Wait.new(@machine, @ssl_context)
+    rescue Puppet::Rest::ResponseError => e
+      if e.response.code.to_i == 404
+        Puppet.info(_("Certificate for %{certname} has not been signed yet") % {certname: Puppet[:certname]})
+      else
+        Puppet.log_exception(e, _("Failed to retrieve certificate for %{certname}: %{message}") %
+                             {certname: Puppet[:certname], message: e.response.message})
+      end
+      Wait.new(@machine, @ssl_context)
+    end
+  end
+
+  # We cannot make progress, so wait if allowed to do so, or error.
+  #
+  class Wait < SSLState
+    def next_state
+      time = @machine.onetime ? 0 : @machine.waitforcert
+      if time < 1
+        puts _("Exiting; no certificate found and waitforcert is disabled")
+        exit(1)
+      else
+        sleep(time)
+
+        # our ssl directory may have been cleaned while we were
+        # sleeping, start over from the top
+        NeedCACerts.new(@machine)
+      end
+    end
+  end
+
+  # We have a CA bundle, optional CRL bundle, a private key and matching cert
+  # that chains to one of the root certs in our bundle.
+  #
+  class Done < SSLState; end
+
+  attr_reader :onetime, :waitforcert
+
+  def initialize(onetime: Puppet[:onetime], waitforcert: Puppet[:waitforcert])
+    @onetime = onetime
+    @waitforcert = waitforcert
+  end
+
+  # Run the state machine for CA certs and CRLs
+  #
+  # @return [Puppet::SSL::SSLContext] initialized SSLContext
+  def ensure_ca_certificates
+    final_state = run_machine(NeedCACerts.new(self), NeedKey)
+    final_state.ssl_context
+  end
+
+  # Run the state machine for CA certs and CRLs
+  #
+  # @return [Puppet::SSL::SSLContext] initialized SSLContext
+  def ensure_client_certificate
+    final_state = run_machine(NeedCACerts.new(self), Done)
+    ssl_context = final_state.ssl_context
+
+    if Puppet::Util::Log.sendlevel?(:debug)
+      chain = ssl_context.client_chain
+      # print from root to client
+      chain.reverse.each_with_index do |cert, i|
+        digest = Puppet::SSL::Digest.new('SHA256', cert.to_der)
+        if i == chain.length - 1
+          Puppet.debug(_("Verified client certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_s, digest: digest})
+        else
+          Puppet.debug(_("Verified CA certificate '%{subject}' fingerprint %{digest}") % {subject: cert.subject.to_s, digest: digest})
+        end
+      end
+    end
+
+    ssl_context
+  end
+
+  private
+
+  def run_machine(state, stop)
+    loop do
+      Puppet.debug("Current SSL state #{state_name(state)}")
+
+      state = state.next_state
+
+      return state if state.is_a?(stop)
+    end
+  end
+
+  def state_name(state)
+    state.class.to_s.split('::').last
+  end
+end