RubyGems - puppetserver-ca - Versions diffs - 0.4.3 → 0.5.0 - Mend

puppetserver-ca 0.4.3 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/puppetserver/ca/action/create.rb +7 -2
data/lib/puppetserver/ca/action/generate.rb +1 -0
data/lib/puppetserver/ca/action/import.rb +1 -0
data/lib/puppetserver/ca/action/list.rb +1 -1
data/lib/puppetserver/ca/config/puppet.rb +1 -1
data/lib/puppetserver/ca/host.rb +134 -9
data/lib/puppetserver/ca/local_certificate_authority.rb +39 -4
data/lib/puppetserver/ca/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9c19462a3167093517421b973f330b005a6776b4
-  data.tar.gz: 5c4dc2716c5063512594005c625ad391ca6ec3f0
+  metadata.gz: 2f958c8e39c9f5a84c417138710b43c09d088189
+  data.tar.gz: 33f332146f6f3c3318dbfe7cc786205d74a3a021
 SHA512:
-  metadata.gz: cac3a5c1d00ddb4e4fc9948fc09c91bc6436e8c245cd17610b971e7dbc74c033ba41c7602d12fdbe11808eb51a0612c5fee71353af4b9956b4ac449fb889ec84
-  data.tar.gz: 8e8ac33850a91d128282572c0ef2f4dd421dd447911e09cc6aa561eae1f6b381c3b06f0e9661581616c2c516da92490ad59d180744737bf6873c049a9d9d673f
+  metadata.gz: 77847b302859de89a4566dff4d4230e049c488f09baeca6b1b9ec86b68c68803942dfb6c187b37b5f9eb80a2ee531f62fe5fd0f4877ffd820cba10ecd672c0a5
+  data.tar.gz: 3234826e83a9a397216cf1133c80572e5ad3f4d8f06f4c0fc5189f1eac048d08e82814be8e54e4bc8008962fbd28c5780406952a64d03ba349aeb7fd90141c63

data/lib/puppetserver/ca/action/create.rb CHANGED

@@ -134,6 +134,7 @@ BANNER
           passed = certnames.map do |certname|
             key, csr = generate_key_csr(certname, settings, digest)
+            return false unless csr
             return false unless ca.submit_certificate_request(certname, csr)
             return false unless ca.sign_certs([certname])
             if result = ca.get_certificate(certname)
@@ -152,9 +153,13 @@ BANNER
           private_key = host.create_private_key(settings[:keylength])
           extensions = []
           if !settings[:subject_alt_names].empty?
-            extensions << host.create_extension("subjectAltName", settings[:subject_alt_names])
+            extensions << OpenSSL::X509::Extension.new("subjectAltName", settings[:subject_alt_names], false)
           end
-          csr = host.create_csr(certname, private_key, extensions)
+          csr = host.create_csr(name: certname,
+                                key: private_key,
+                                cli_extensions: extensions,
+                                csr_attributes_path: settings[:csr_attributes])
+          return if CliParsing.handle_errors(@logger, host.errors)
           return private_key, csr
         end

data/lib/puppetserver/ca/action/generate.rb CHANGED

@@ -78,6 +78,7 @@ BANNER
           root_key, root_cert, root_crl = ca.create_root_cert
           int_key, int_cert, int_crl = ca.create_intermediate_cert(root_key, root_cert)
           master_key, master_cert = ca.create_master_cert(int_key, int_cert)
+          return ca.errors if ca.errors.any?
           FileSystem.ensure_dirs([settings[:ssldir],
                                   settings[:cadir],

data/lib/puppetserver/ca/action/import.rb CHANGED

@@ -74,6 +74,7 @@ BANNER
         def import(loader, settings, signing_digest)
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
           master_key, master_cert = ca.create_master_cert(loader.key, loader.certs.first)
+          return ca.errors if ca.errors.any?
           FileSystem.ensure_dirs([settings[:ssldir],
                                   settings[:cadir],

data/lib/puppetserver/ca/action/list.rb CHANGED

@@ -111,7 +111,7 @@ Options:
         def get_all_certs(settings)
           result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
-          JSON.parse(result.body)
+          JSON.parse(result.body) if result
         end
         def parse(args)

data/lib/puppetserver/ca/config/puppet.rb CHANGED

@@ -119,6 +119,7 @@ module Puppetserver
             :cacert => '$cadir/ca_crt.pem',
             :cakey => '$cadir/ca_key.pem',
             :capub => '$cadir/ca_pub.pem',
+            :csr_attributes => '$confdir/csr_attributes.yaml',
             :rootkey => '$cadir/root_key.pem',
             :cacrl => '$cadir/ca_crl.pem',
             :serial => '$cadir/serial',
@@ -130,7 +131,6 @@ module Puppetserver
             :hostcert => '$certdir/$certname.pem',
             :hostprivkey => '$privatekeydir/$certname.pem',
             :hostpubkey => '$publickeydir/$certname.pem',
-            :publickeydir => '$ssldir/public_keys',
             :ca_ttl => '15y',
             :certificate_revocation => 'true',
             :signeddir => '$cadir/signed',

data/lib/puppetserver/ca/host.rb CHANGED

@@ -1,36 +1,161 @@
 require 'openssl'
+require 'fileutils'
+require 'yaml'
 module Puppetserver
   module Ca
     class Host
+      # Exclude OIDs that may conflict with how Puppet creates CSRs.
+      #
+      # We only have nominal support for Microsoft extension requests, but since we
+      # ultimately respect that field when looking for extension requests in a CSR
+      # we need to prevent that field from being written to directly.
+      PRIVATE_CSR_ATTRIBUTES = [
+        'extReq',   '1.2.840.113549.1.9.14',
+        'msExtReq', '1.3.6.1.4.1.311.2.1.14',
+      ]
+      PRIVATE_EXTENSIONS = [
+        'subjectAltName', '2.5.29.17',
+      ]
+      # A mapping of Puppet extension short names to their OIDs. These appear in
+      # csr_attributes.yaml.
+      PUPPET_SHORT_NAMES =
+      {'pp_uuid' =>             "1.3.6.1.4.1.34380.1.1.1",
+       'pp_instance_id' =>      "1.3.6.1.4.1.34380.1.1.2",
+       'pp_image_name' =>       "1.3.6.1.4.1.34380.1.1.3",
+       'pp_preshared_key'=>    "1.3.6.1.4.1.34380.1.1.4",
+       'pp_cost_center' =>      "1.3.6.1.4.1.34380.1.1.5",
+       'pp_product' =>          "1.3.6.1.4.1.34380.1.1.6",
+       'pp_project' =>          "1.3.6.1.4.1.34380.1.1.7",
+       'pp_application' =>      "1.3.6.1.4.1.34380.1.1.8",
+       'pp_service'=>          "1.3.6.1.4.1.34380.1.1.9",
+       'pp_employee' =>         "1.3.6.1.4.1.34380.1.1.10",
+       'pp_created_by' =>       "1.3.6.1.4.1.34380.1.1.11",
+       'pp_environment' =>      "1.3.6.1.4.1.34380.1.1.12",
+       'pp_role' =>             "1.3.6.1.4.1.34380.1.1.13",
+       'pp_software_version' => "1.3.6.1.4.1.34380.1.1.14",
+       'pp_department' =>       "1.3.6.1.4.1.34380.1.1.15",
+       'pp_cluster' =>          "1.3.6.1.4.1.34380.1.1.16",
+       'pp_provisioner' =>      "1.3.6.1.4.1.34380.1.1.17",
+       'pp_region' =>           "1.3.6.1.4.1.34380.1.1.18",
+       'pp_datacenter' =>       "1.3.6.1.4.1.34380.1.1.19",
+       'pp_zone' =>             "1.3.6.1.4.1.34380.1.1.20",
+       'pp_network' =>          "1.3.6.1.4.1.34380.1.1.21",
+       'pp_securitypolicy' =>   "1.3.6.1.4.1.34380.1.1.22",
+       'pp_cloudplatform' =>    "1.3.6.1.4.1.34380.1.1.23",
+       'pp_apptier' =>          "1.3.6.1.4.1.34380.1.1.24",
+       'pp_hostname' =>         "1.3.6.1.4.1.34380.1.1.25",
+       'pp_authorization' =>    "1.3.6.1.4.1.34380.1.3.1",
+       'pp_auth_role' =>        "1.3.6.1.4.1.34380.1.3.13"}
+      attr_reader :errors
       def initialize(digest)
         @digest = digest
+        @errors = []
       end
       def create_private_key(keylength)
         OpenSSL::PKey::RSA.new(keylength)
       end
-      def create_csr(name, key, extensions = [])
+      def create_csr(name:, key:, cli_extensions: [], csr_attributes_path: '')
         csr = OpenSSL::X509::Request.new
         csr.public_key = key.public_key
         csr.subject = OpenSSL::X509::Name.new([["CN", name]])
         csr.version = 2
-        add_csr_extension(csr, extensions) unless extensions.empty?
-        csr.sign(key, @digest)
+        custom_attributes = get_custom_attributes(csr_attributes_path)
+        extension_requests = get_extension_requests(csr_attributes_path)
+        add_csr_attributes(csr, custom_attributes)
+        add_csr_extensions(csr, extension_requests, cli_extensions)
+        csr.sign(key, @digest) if @errors.empty?
         csr
       end
-      def create_extension(extension_name, extension_value, critical = false)
-        OpenSSL::X509::ExtensionFactory.new.create_extension(extension_name, extension_value, critical)
+      def extension_attribute(extensions)
+        seq = OpenSSL::ASN1::Sequence(extensions)
+        ext_req = OpenSSL::ASN1::Set([seq])
+        OpenSSL::X509::Attribute.new("extReq", ext_req)
+      end
+      def get_custom_attributes(attributes_path)
+        if csr_attributes = load_csr_attributes(attributes_path)
+          csr_attributes['custom_attributes']
+        end
+      end
+      def get_extension_requests(attributes_path)
+        if csr_attributes = load_csr_attributes(attributes_path)
+          csr_attributes['extension_requests']
+        end
+      end
+      # This loads all the custom_attributes and extension requests
+      # from the csr_attributes.yaml
+      def load_csr_attributes(attributes_path)
+        @custom_csr_attributes ||=
+        if File.exist?(attributes_path)
+          yaml = YAML.load_file(attributes_path)
+          if !yaml.is_a?(Hash)
+            @errors << "Invalid CSR attributes, expected instance of Hash, received instance of #{yaml.class}"
+            return
+          end
+          yaml
+        end
+      end
+      def add_csr_attributes(csr, csr_attributes)
+        if csr_attributes
+          csr_attributes.each do |oid, value|
+            begin
+              if PRIVATE_CSR_ATTRIBUTES.include? oid
+                @errors << "Cannot specify CSR attribute #{oid}: conflicts with internally used CSR attribute"
+              end
+              oid = PUPPET_SHORT_NAMES[oid] || oid
+              encoded = OpenSSL::ASN1::PrintableString.new(value.to_s)
+              attr_set = OpenSSL::ASN1::Set.new([encoded])
+              csr.add_attribute(OpenSSL::X509::Attribute.new(oid, attr_set))
+            rescue OpenSSL::X509::AttributeError => e
+              @errors << "Cannot create CSR with attribute #{oid}: #{e.message}"
+            end
+          end
+        end
+      end
+      def add_csr_extensions(csr, extension_requests, cli_extensions)
+        if extension_requests || cli_extensions.any?
+          extensions =
+            if extension_requests
+              validated_extensions(extension_requests) + cli_extensions
+            else
+              cli_extensions
+            end
+          csr.add_attribute(extension_attribute(extensions))
+        end
       end
-      def add_csr_extension(csr, extensions)
-        attribute_values = OpenSSL::ASN1::Set [OpenSSL::ASN1::Sequence(extensions)]
-        att = OpenSSL::X509::Attribute.new('extReq', attribute_values)
-        csr.add_attribute(att)
+      def validated_extensions(extension_requests)
+        extensions = []
+        extension_requests.each do |oid, value|
+          begin
+            if PRIVATE_EXTENSIONS.include? oid
+              @errors << "Cannot specify CSR extension request #{oid}: conflicts with internally used extension request"
+            end
+            oid = PUPPET_SHORT_NAMES[oid] || oid
+            ext = OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value.to_s).to_der, false)
+            extensions << ext
+          rescue OpenSSL::X509::ExtensionError => e
+            @errors << "Cannot create CSR with extension request #{oid}: #{e.message}"
+          end
+        end
+        extensions
       end
     end
   end

data/lib/puppetserver/ca/local_certificate_authority.rb CHANGED

@@ -16,6 +16,8 @@ module Puppetserver
       SSL_SERVER_CERT = "1.3.6.1.5.5.7.3.1"
       SSL_CLIENT_CERT = "1.3.6.1.5.5.7.3.2"
+      CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
       MASTER_EXTENSIONS = [
         ["basicConstraints", "CA:FALSE", true],
         ["nsComment", "Puppet Server Internal Certificate", false],
@@ -39,6 +41,10 @@ module Puppetserver
         @settings = settings
       end
+      def errors
+        @host.errors
+      end
       def valid_until
         Time.now + @settings[:ca_ttl]
       end
@@ -62,7 +68,7 @@ module Puppetserver
       def create_master_cert(ca_key, ca_cert)
         master_key = @host.create_private_key(@settings[:keylength])
-        master_csr = @host.create_csr(@settings[:certname], master_key)
+        master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
         master_cert = sign_master_cert(ca_key, ca_cert, master_csr)
         return master_key, master_cert
       end
@@ -77,11 +83,28 @@ module Puppetserver
         cert.not_before = CERT_VALID_FROM
         cert.not_after = valid_until
+        return unless add_custom_extensions(cert)
         ef = extension_factory_for(int_cert, cert)
+        add_master_extensions(cert, ef)
+        add_subject_alt_names_extension(cert, ef)
+        cert.sign(int_key, @digest)
+        cert
+      end
+      def add_master_extensions(cert, ef)
         MASTER_EXTENSIONS.each do |ext|
           extension = ef.create_extension(*ext)
           cert.add_extension(extension)
         end
+        # Status API access for the CA CLI
+        cli_auth_ext = OpenSSL::X509::Extension.new(CLI_AUTH_EXT_OID, OpenSSL::ASN1::UTF8String.new("true").to_der, false)
+        cert.add_extension(cli_auth_ext)
+      end
+      def add_subject_alt_names_extension(cert, ef)
         sans =
           if @settings[:subject_alt_names].empty?
             "DNS:puppet, DNS:#{@settings[:certname]}"
@@ -90,9 +113,21 @@ module Puppetserver
           end
         alt_names_ext = ef.create_extension("subjectAltName", sans, false)
         cert.add_extension(alt_names_ext)
+      end
-        cert.sign(int_key, @digest)
-        cert
+      # This takes all the extension requests from csr_attributes.yaml and
+      # adds those to the cert
+      def add_custom_extensions(cert)
+        extension_requests = @host.get_extension_requests(@settings[:csr_attributes])
+        if extension_requests
+          extensions = @host.validated_extensions(extension_requests)
+          extensions.each do |ext|
+            cert.add_extension(ext)
+          end
+        end
+        @host.errors.empty?
       end
       def create_root_cert
@@ -146,7 +181,7 @@ module Puppetserver
       def create_intermediate_cert(root_key, root_cert)
         int_key = @host.create_private_key(@settings[:keylength])
-        int_csr = @host.create_csr(@settings[:ca_name], int_key)
+        int_csr = @host.create_csr(name: @settings[:ca_name], key: int_key)
         int_cert = sign_intermediate(root_key, root_cert, int_csr)
         int_crl = create_crl_for(int_cert, int_key)

data/lib/puppetserver/ca/version.rb CHANGED

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "0.4.3"
+    VERSION = "0.5.0"
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.5.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-08-29 00:00:00.000000000 Z
+date: 2018-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter