puppetserver-ca 0.4.3 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9c19462a3167093517421b973f330b005a6776b4
-  data.tar.gz: 5c4dc2716c5063512594005c625ad391ca6ec3f0
+  metadata.gz: 2f958c8e39c9f5a84c417138710b43c09d088189
+  data.tar.gz: 33f332146f6f3c3318dbfe7cc786205d74a3a021
 SHA512:
-  metadata.gz: cac3a5c1d00ddb4e4fc9948fc09c91bc6436e8c245cd17610b971e7dbc74c033ba41c7602d12fdbe11808eb51a0612c5fee71353af4b9956b4ac449fb889ec84
-  data.tar.gz: 8e8ac33850a91d128282572c0ef2f4dd421dd447911e09cc6aa561eae1f6b381c3b06f0e9661581616c2c516da92490ad59d180744737bf6873c049a9d9d673f
+  metadata.gz: 77847b302859de89a4566dff4d4230e049c488f09baeca6b1b9ec86b68c68803942dfb6c187b37b5f9eb80a2ee531f62fe5fd0f4877ffd820cba10ecd672c0a5
+  data.tar.gz: 3234826e83a9a397216cf1133c80572e5ad3f4d8f06f4c0fc5189f1eac048d08e82814be8e54e4bc8008962fbd28c5780406952a64d03ba349aeb7fd90141c63

data/lib/puppetserver/ca/action/create.rb

@@ -134,6 +134,7 @@ BANNER
 
           passed = certnames.map do |certname|
             key, csr = generate_key_csr(certname, settings, digest)
+            return false unless csr
             return false unless ca.submit_certificate_request(certname, csr)
             return false unless ca.sign_certs([certname])
             if result = ca.get_certificate(certname)
@@ -152,9 +153,13 @@ BANNER
           private_key = host.create_private_key(settings[:keylength])
           extensions = []
           if !settings[:subject_alt_names].empty?
-            extensions << host.create_extension("subjectAltName", settings[:subject_alt_names])
+            extensions << OpenSSL::X509::Extension.new("subjectAltName", settings[:subject_alt_names], false)
           end
-          csr = host.create_csr(certname, private_key, extensions)
+          csr = host.create_csr(name: certname,
+                                key: private_key,
+                                cli_extensions: extensions,
+                                csr_attributes_path: settings[:csr_attributes])
+          return if CliParsing.handle_errors(@logger, host.errors)
 
           return private_key, csr
         end

data/lib/puppetserver/ca/action/generate.rb

@@ -78,6 +78,7 @@ BANNER
           root_key, root_cert, root_crl = ca.create_root_cert
           int_key, int_cert, int_crl = ca.create_intermediate_cert(root_key, root_cert)
           master_key, master_cert = ca.create_master_cert(int_key, int_cert)
+          return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
                                   settings[:cadir],

data/lib/puppetserver/ca/action/import.rb

@@ -74,6 +74,7 @@ BANNER
         def import(loader, settings, signing_digest)
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
           master_key, master_cert = ca.create_master_cert(loader.key, loader.certs.first)
+          return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
                                   settings[:cadir],

data/lib/puppetserver/ca/action/list.rb

@@ -111,7 +111,7 @@ Options:
 
         def get_all_certs(settings)
           result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
-          JSON.parse(result.body)
+          JSON.parse(result.body) if result
         end
 
         def parse(args)

data/lib/puppetserver/ca/config/puppet.rb

@@ -119,6 +119,7 @@ module Puppetserver
             :cacert => '$cadir/ca_crt.pem',
             :cakey => '$cadir/ca_key.pem',
             :capub => '$cadir/ca_pub.pem',
+            :csr_attributes => '$confdir/csr_attributes.yaml',
             :rootkey => '$cadir/root_key.pem',
             :cacrl => '$cadir/ca_crl.pem',
             :serial => '$cadir/serial',
@@ -130,7 +131,6 @@ module Puppetserver
             :hostcert => '$certdir/$certname.pem',
             :hostprivkey => '$privatekeydir/$certname.pem',
             :hostpubkey => '$publickeydir/$certname.pem',
-            :publickeydir => '$ssldir/public_keys',
             :ca_ttl => '15y',
             :certificate_revocation => 'true',
             :signeddir => '$cadir/signed',

data/lib/puppetserver/ca/host.rb

@@ -1,36 +1,161 @@
 require 'openssl'
+require 'fileutils'
+require 'yaml'
 
 module Puppetserver
   module Ca
     class Host
+      # Exclude OIDs that may conflict with how Puppet creates CSRs.
+      #
+      # We only have nominal support for Microsoft extension requests, but since we
+      # ultimately respect that field when looking for extension requests in a CSR
+      # we need to prevent that field from being written to directly.
+      PRIVATE_CSR_ATTRIBUTES = [
+        'extReq',   '1.2.840.113549.1.9.14',
+        'msExtReq', '1.3.6.1.4.1.311.2.1.14',
+      ]
+
+      PRIVATE_EXTENSIONS = [
+        'subjectAltName', '2.5.29.17',
+      ]
+
+      # A mapping of Puppet extension short names to their OIDs. These appear in
+      # csr_attributes.yaml.
+      PUPPET_SHORT_NAMES =
+      {'pp_uuid' =>             "1.3.6.1.4.1.34380.1.1.1",
+       'pp_instance_id' =>      "1.3.6.1.4.1.34380.1.1.2",
+       'pp_image_name' =>       "1.3.6.1.4.1.34380.1.1.3",
+       'pp_preshared_key'=>    "1.3.6.1.4.1.34380.1.1.4",
+       'pp_cost_center' =>      "1.3.6.1.4.1.34380.1.1.5",
+       'pp_product' =>          "1.3.6.1.4.1.34380.1.1.6",
+       'pp_project' =>          "1.3.6.1.4.1.34380.1.1.7",
+       'pp_application' =>      "1.3.6.1.4.1.34380.1.1.8",
+       'pp_service'=>          "1.3.6.1.4.1.34380.1.1.9",
+       'pp_employee' =>         "1.3.6.1.4.1.34380.1.1.10",
+       'pp_created_by' =>       "1.3.6.1.4.1.34380.1.1.11",
+       'pp_environment' =>      "1.3.6.1.4.1.34380.1.1.12",
+       'pp_role' =>             "1.3.6.1.4.1.34380.1.1.13",
+       'pp_software_version' => "1.3.6.1.4.1.34380.1.1.14",
+       'pp_department' =>       "1.3.6.1.4.1.34380.1.1.15",
+       'pp_cluster' =>          "1.3.6.1.4.1.34380.1.1.16",
+       'pp_provisioner' =>      "1.3.6.1.4.1.34380.1.1.17",
+       'pp_region' =>           "1.3.6.1.4.1.34380.1.1.18",
+       'pp_datacenter' =>       "1.3.6.1.4.1.34380.1.1.19",
+       'pp_zone' =>             "1.3.6.1.4.1.34380.1.1.20",
+       'pp_network' =>          "1.3.6.1.4.1.34380.1.1.21",
+       'pp_securitypolicy' =>   "1.3.6.1.4.1.34380.1.1.22",
+       'pp_cloudplatform' =>    "1.3.6.1.4.1.34380.1.1.23",
+       'pp_apptier' =>          "1.3.6.1.4.1.34380.1.1.24",
+       'pp_hostname' =>         "1.3.6.1.4.1.34380.1.1.25",
+       'pp_authorization' =>    "1.3.6.1.4.1.34380.1.3.1",
+       'pp_auth_role' =>        "1.3.6.1.4.1.34380.1.3.13"}
+
+      attr_reader :errors
 
       def initialize(digest)
         @digest = digest
+        @errors = []
       end
 
       def create_private_key(keylength)
         OpenSSL::PKey::RSA.new(keylength)
       end
 
-      def create_csr(name, key, extensions = [])
+      def create_csr(name:, key:, cli_extensions: [], csr_attributes_path: '')
         csr = OpenSSL::X509::Request.new
         csr.public_key = key.public_key
         csr.subject = OpenSSL::X509::Name.new([["CN", name]])
         csr.version = 2
-        add_csr_extension(csr, extensions) unless extensions.empty?
-        csr.sign(key, @digest)
+
+        custom_attributes = get_custom_attributes(csr_attributes_path)
+        extension_requests = get_extension_requests(csr_attributes_path)
+
+        add_csr_attributes(csr, custom_attributes)
+        add_csr_extensions(csr, extension_requests, cli_extensions)
+
+        csr.sign(key, @digest) if @errors.empty?
 
         csr
       end
 
-      def create_extension(extension_name, extension_value, critical = false)
-        OpenSSL::X509::ExtensionFactory.new.create_extension(extension_name, extension_value, critical)
+      def extension_attribute(extensions)
+        seq = OpenSSL::ASN1::Sequence(extensions)
+        ext_req = OpenSSL::ASN1::Set([seq])
+        OpenSSL::X509::Attribute.new("extReq", ext_req)
+      end
+
+      def get_custom_attributes(attributes_path)
+        if csr_attributes = load_csr_attributes(attributes_path)
+          csr_attributes['custom_attributes']
+        end
+      end
+
+      def get_extension_requests(attributes_path)
+        if csr_attributes = load_csr_attributes(attributes_path)
+          csr_attributes['extension_requests']
+        end
+      end
+
+      # This loads all the custom_attributes and extension requests
+      # from the csr_attributes.yaml
+      def load_csr_attributes(attributes_path)
+        @custom_csr_attributes ||=
+        if File.exist?(attributes_path)
+          yaml = YAML.load_file(attributes_path)
+          if !yaml.is_a?(Hash)
+            @errors << "Invalid CSR attributes, expected instance of Hash, received instance of #{yaml.class}"
+            return
+          end
+          yaml
+        end
+      end
+
+      def add_csr_attributes(csr, csr_attributes)
+        if csr_attributes
+          csr_attributes.each do |oid, value|
+            begin
+              if PRIVATE_CSR_ATTRIBUTES.include? oid
+                @errors << "Cannot specify CSR attribute #{oid}: conflicts with internally used CSR attribute"
+              end
+              oid = PUPPET_SHORT_NAMES[oid] || oid
+              encoded = OpenSSL::ASN1::PrintableString.new(value.to_s)
+              attr_set = OpenSSL::ASN1::Set.new([encoded])
+
+              csr.add_attribute(OpenSSL::X509::Attribute.new(oid, attr_set))
+            rescue OpenSSL::X509::AttributeError => e
+              @errors << "Cannot create CSR with attribute #{oid}: #{e.message}"
+            end
+          end
+        end
+      end
+
+      def add_csr_extensions(csr, extension_requests, cli_extensions)
+        if extension_requests || cli_extensions.any?
+          extensions =
+            if extension_requests
+              validated_extensions(extension_requests) + cli_extensions
+            else
+              cli_extensions
+            end
+          csr.add_attribute(extension_attribute(extensions))
+        end
       end
 
-      def add_csr_extension(csr, extensions)
-        attribute_values = OpenSSL::ASN1::Set [OpenSSL::ASN1::Sequence(extensions)]
-        att = OpenSSL::X509::Attribute.new('extReq', attribute_values)
-        csr.add_attribute(att)
+      def validated_extensions(extension_requests)
+        extensions = []
+        extension_requests.each do |oid, value|
+          begin
+            if PRIVATE_EXTENSIONS.include? oid
+              @errors << "Cannot specify CSR extension request #{oid}: conflicts with internally used extension request"
+            end
+            oid = PUPPET_SHORT_NAMES[oid] || oid
+            ext = OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value.to_s).to_der, false)
+            extensions << ext
+          rescue OpenSSL::X509::ExtensionError => e
+            @errors << "Cannot create CSR with extension request #{oid}: #{e.message}"
+          end
+        end
+        extensions
       end
     end
   end

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -16,6 +16,8 @@ module Puppetserver
       SSL_SERVER_CERT = "1.3.6.1.5.5.7.3.1"
       SSL_CLIENT_CERT = "1.3.6.1.5.5.7.3.2"
 
+      CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
+
       MASTER_EXTENSIONS = [
         ["basicConstraints", "CA:FALSE", true],
         ["nsComment", "Puppet Server Internal Certificate", false],
@@ -39,6 +41,10 @@ module Puppetserver
         @settings = settings
       end
 
+      def errors
+        @host.errors
+      end
+
       def valid_until
         Time.now + @settings[:ca_ttl]
       end
@@ -62,7 +68,7 @@ module Puppetserver
 
       def create_master_cert(ca_key, ca_cert)
         master_key = @host.create_private_key(@settings[:keylength])
-        master_csr = @host.create_csr(@settings[:certname], master_key)
+        master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
         master_cert = sign_master_cert(ca_key, ca_cert, master_csr)
         return master_key, master_cert
       end
@@ -77,11 +83,28 @@ module Puppetserver
         cert.not_before = CERT_VALID_FROM
         cert.not_after = valid_until
 
+        return unless add_custom_extensions(cert)
+
         ef = extension_factory_for(int_cert, cert)
+        add_master_extensions(cert, ef)
+        add_subject_alt_names_extension(cert, ef)
+        cert.sign(int_key, @digest)
+
+        cert
+      end
+
+      def add_master_extensions(cert, ef)
         MASTER_EXTENSIONS.each do |ext|
           extension = ef.create_extension(*ext)
           cert.add_extension(extension)
         end
+
+        # Status API access for the CA CLI
+        cli_auth_ext = OpenSSL::X509::Extension.new(CLI_AUTH_EXT_OID, OpenSSL::ASN1::UTF8String.new("true").to_der, false)
+        cert.add_extension(cli_auth_ext)
+      end
+
+      def add_subject_alt_names_extension(cert, ef)
         sans =
           if @settings[:subject_alt_names].empty?
             "DNS:puppet, DNS:#{@settings[:certname]}"
@@ -90,9 +113,21 @@ module Puppetserver
           end
         alt_names_ext = ef.create_extension("subjectAltName", sans, false)
         cert.add_extension(alt_names_ext)
+      end
 
-        cert.sign(int_key, @digest)
-        cert
+      # This takes all the extension requests from csr_attributes.yaml and
+      # adds those to the cert
+      def add_custom_extensions(cert)
+        extension_requests = @host.get_extension_requests(@settings[:csr_attributes])
+
+        if extension_requests
+          extensions = @host.validated_extensions(extension_requests)
+          extensions.each do |ext|
+            cert.add_extension(ext)
+          end
+        end
+
+        @host.errors.empty?
       end
 
       def create_root_cert
@@ -146,7 +181,7 @@ module Puppetserver
 
       def create_intermediate_cert(root_key, root_cert)
         int_key = @host.create_private_key(@settings[:keylength])
-        int_csr = @host.create_csr(@settings[:ca_name], int_key)
+        int_csr = @host.create_csr(name: @settings[:ca_name], key: int_key)
         int_cert = sign_intermediate(root_key, root_cert, int_csr)
         int_crl = create_crl_for(int_cert, int_key)
 

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "0.4.3"
+    VERSION = "0.5.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.5.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-08-29 00:00:00.000000000 Z
+date: 2018-08-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter