puppetserver-ca 1.3.2 → 1.4.0
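--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e7759fd051a92708f8ac8aad4b8e89a636472b05
+data.tar.gz: f3cfd8de0bbdd17fd5c0f13656486dbbdbc243f1
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bbaac0d6e00a9ed1d30dfb5f0ccc1d92e459fc07aaecb0fa2e8cdf61a320d3baf63d3752bf3adf1f4dacf9f25d051f4f239139bf45c4842975448e154e9353d0
+data.tar.gz: 1de3171122351341e0eb50ac675c6f168a8b6df37209f6e50723528485a120cf3fbdef023d28c066a80fd64b1a8f125930d81a620e4966e22bdb7468000fd0a1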
@@ -71,7 +71,7 @@ BANNER
|
|
71
71
|
|
72
72
|
def import(loader, settings, signing_digest)
|
73
73
|
ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
|
74
|
-
ca.
|
74
|
+
ca.initialize_ssl_components(loader)
|
75
75
|
master_key, master_cert = ca.create_master_cert
|
76
76
|
return ca.errors if ca.errors.any?
|
77
77
|
|
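Review bot: The guard `return ca.errors if ca.errors.any?` still sits after `master_key, master_cert = ca.create_master_cert`, so validation errors recorded by the new `ca.initialize_ssl_components(loader)` call (whose own doc asks callers to check `#errors` right after it) do not stop a master certificate from being generated against a CA state that failed chain validation. I would add the check directly after the new call, `ca.initialize_ssl_components(loader)` / `return ca.errors if ca.errors.any?`, and keep the existing one for anything `create_master_cert` records. Whether `create_master_cert` has side effects beyond the returned pair is not visible in this hunk, so treat that as something to confirm. The body of `import` continues outside the hunk.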
@@ -70,6 +70,35 @@ module Puppetserver
|
|
70
70
|
@crl = loader.crl
|
71
71
|
end
|
72
72
|
|
73
|
+
# Initialize SSL state
|
74
|
+
#
|
75
|
+
# This method is similar to {#load_ssl_components}, but has extra
|
76
|
+
# logic for initializing components that may not be present when
|
77
|
+
# the CA is set up for the first time. For example, SSL components
|
78
|
+
# provided by an external CA will often not include a pre-generated
|
79
|
+
# leaf CRL.
|
80
|
+
#
|
81
|
+
# @note Check {#errors} after calling this method for issues that
|
82
|
+
# may have occurred during initialization.
|
83
|
+
#
|
84
|
+
# @param loader [Puppetserver::Ca::X509Loader]
|
85
|
+
# @return [void]
|
86
|
+
def initialize_ssl_components(loader)
|
87
|
+
@cert_bundle = loader.certs
|
88
|
+
@key = loader.key
|
89
|
+
@cert = loader.cert
|
90
|
+
|
91
|
+
if loader.crl.nil?
|
92
|
+
loader.crl = create_crl_for(@cert, @key)
|
93
|
+
|
94
|
+
loader.validate_full_chain(@cert_bundle, loader.crls)
|
95
|
+
@errors += loader.errors
|
96
|
+
end
|
97
|
+
|
98
|
+
@crl_chain = loader.crls
|
99
|
+
@crl = loader.crl
|
100
|
+
end
|
101
|
+
|
73
102
|
def errors
|
74
103
|
@errors += @host.errors
|
75
104
|
end
|
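Review bot: In the `if loader.crl.nil?` branch, `create_crl_for(@cert, @key)` is called with whatever the loader returned, and nothing checks that `@cert` and `@key` are present, so a loader that found a bundle but no usable key or cert would presumably raise from CRL generation instead of adding to `@errors` like the validation on the next lines does. I would guard the branch: `if @cert.nil? || @key.nil?` then `@errors << 'Cannot generate a CRL without a CA certificate and key'`, else the existing generate-and-validate body. The reason `validate_full_chain` runs only on this branch is also worth a comment, since it appears to depend on the loader skipping its own validation when no CRL is present (a change made in a later hunk); something like `# No CRL was supplied, so the loader skipped chain validation; validate now that one exists — confirm`. Whether the generated CRL is later persisted to disk is not visible here.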
@@ -93,7 +122,7 @@ module Puppetserver
|
|
93
122
|
|
94
123
|
def next_serial(serial_file)
|
95
124
|
if File.exist?(serial_file)
|
96
|
-
File.read(serial_file).to_i
|
125
|
+
File.read(serial_file).to_i(16)
|
97
126
|
else
|
98
127
|
1
|
99
128
|
end
|
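Review bot: `File.read(serial_file).to_i(16)` returns 0 for unparseable content and stops at the first non-hex character, so a corrupted or hand-edited serial file makes the CA issue serial 0 or reuse an earlier number rather than fail, and duplicate serials undermine both the issued certificates and CRL entries that reference them. Consider `Integer(File.read(serial_file).strip, 16)` so malformed content raises, or add an `@errors` entry when the parse fails. Files written by the previous release in decimal are read as hex from now on; every decimal string is valid hex and parses to a value at least as large, so the counter never moves backwards, but a comment would help: `# Serial files are stored in hex from this release on; decimal files from older releases parse as an equal or larger hex value, never smaller`. The matching writer change in `update_serial_file` (`serial.to_s(16)`, next hunk) is consistent with this and needs nothing further.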
@@ -259,7 +288,7 @@ module Puppetserver
|
|
259
288
|
end
|
260
289
|
|
261
290
|
def update_serial_file(serial)
|
262
|
-
Puppetserver::Ca::Utils::FileSystem.write_file(@settings[:serial], serial, 0644)
|
291
|
+
Puppetserver::Ca::Utils::FileSystem.write_file(@settings[:serial], serial.to_s(16), 0644)
|
263
292
|
end
|
264
293
|
end
|
265
294
|
end
|
@@ -33,6 +33,10 @@ module Puppetserver
|
|
33
33
|
signing_cert
|
34
34
|
end
|
35
35
|
|
36
|
+
# Find a CRL in the chain issued by the signing cert
|
37
|
+
#
|
38
|
+
# @return [OpenSSL::X509::CRL] If a CRL is found.
|
39
|
+
# @return [nil] If no CRL is found.
|
36
40
|
def find_leaf_crl
|
37
41
|
return if @crls.empty? || @cert.nil?
|
38
42
|
|
@@ -40,10 +44,6 @@ module Puppetserver
|
|
40
44
|
crl.issuer == @cert.subject
|
41
45
|
end
|
42
46
|
|
43
|
-
if leaf_crl.nil?
|
44
|
-
@errors << 'Could not find CRL issued by CA certificate'
|
45
|
-
end
|
46
|
-
|
47
47
|
leaf_crl
|
48
48
|
end
|
49
49
|
|
@@ -59,7 +59,7 @@ module Puppetserver
|
|
59
59
|
validate_cert_and_key(pkey, @cert)
|
60
60
|
end
|
61
61
|
|
62
|
-
unless bundle.empty? || @cert.nil?
|
62
|
+
unless bundle.empty? || @cert.nil? || @crl.nil?
|
63
63
|
validate_full_chain(bundle, chain)
|
64
64
|
end
|
65
65
|
end
|
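Review bot: Adding `|| @crl.nil?` to the guard skips `validate_full_chain(bundle, chain)` entirely when no CRL was loaded, and since an earlier hunk also dropped the `'Could not find CRL issued by CA certificate'` error from `find_leaf_crl`, a CA loaded without a CRL now passes this method with no chain check and no recorded error, not merely without a revocation check. That seems intended for the first-time import path, where `initialize_ssl_components` generates a CRL and validates afterwards, but every other caller of this loading path loses both signals. If `validate_full_chain` cannot run without a CRL, I would at least record the gap here, e.g. `elsif !bundle.empty? && @cert` / `@errors << 'Could not find CRL issued by CA certificate'`, unless callers on the import path would then need to clear that error. The enclosing method starts outside the hunk.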
@@ -124,6 +124,15 @@ module Puppetserver
|
|
124
124
|
return crls
|
125
125
|
end
|
126
126
|
|
127
|
+
# Replace the CRL for the signing cert of this loader
|
128
|
+
#
|
129
|
+
# @param new_crl [OpenSSL::X509::CRL]
|
130
|
+
# @return [void]
|
131
|
+
def crl=(new_crl)
|
132
|
+
@crl = new_crl
|
133
|
+
@crls = [new_crl] + @crls.reject {|c| c.issuer == new_crl.issuer }
|
134
|
+
end
|
135
|
+
|
127
136
|
def validate_cert_and_key(key, cert)
|
128
137
|
unless cert.check_private_key(key)
|
129
138
|
@errors << 'Private key and certificate do not match'
|
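Review bot: `crl=` takes the new CRL on trust: `new_crl.issuer` is dereferenced without a nil check, and nothing confirms that the issuer matches the certificate this loader holds even though the comment describes it as the CRL "for the signing cert". A CRL with a different issuer would replace `@crl` and be placed at the head of `@crls` while the real leaf CRL, if one exists, stays further down the list, so later validation would run against the wrong CRL. The only caller visible on this page builds the CRL from `@cert` itself, so it is safe today, but a guard such as `if @cert && new_crl.issuer != @cert.subject` / `@errors << 'CRL issuer does not match CA certificate subject'` / `return` keeps the setter honest for other callers. Style nit: `{|c| c.issuer == new_crl.issuer }` should read `{ |c| c.issuer == new_crl.issuer }` per the usual spacing.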
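--- a/data/puppetserver-ca.gemspec
+++ b/data/puppetserver-ca.gemspec
@@ -16,11 +16,13 @@ Gem::Specification.new do |spec|
 spec.files = `git ls-files -z`.split("\x0").reject do |f|
 f.match(%r{^(test|spec|features)/})
 end
+spec.bindir = "exe"
+spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
 spec.require_paths = ["lib"]
 
 spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]
 
-spec.add_development_dependency "bundler", "
+spec.add_development_dependency "bundler", ">= 1.16"
 spec.add_development_dependency "rake", "~> 10.0"
 spec.add_development_dependency "rspec", "~> 3.0"
 end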
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppetserver-ca
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Puppet, Inc.
|
8
8
|
autorequire:
|
9
|
-
bindir:
|
9
|
+
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-08-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: facter
|
@@ -34,14 +34,14 @@ dependencies:
|
|
34
34
|
name: bundler
|
35
35
|
requirement: !ruby/object:Gem::Requirement
|
36
36
|
requirements:
|
37
|
-
- - "
|
37
|
+
- - ">="
|
38
38
|
- !ruby/object:Gem::Version
|
39
39
|
version: '1.16'
|
40
40
|
type: :development
|
41
41
|
prerelease: false
|
42
42
|
version_requirements: !ruby/object:Gem::Requirement
|
43
43
|
requirements:
|
44
|
-
- - "
|
44
|
+
- - ">="
|
45
45
|
- !ruby/object:Gem::Version
|
46
46
|
version: '1.16'
|
47
47
|
- !ruby/object:Gem::Dependency
|
@@ -75,7 +75,8 @@ dependencies:
|
|
75
75
|
description:
|
76
76
|
email:
|
77
77
|
- release@puppet.com
|
78
|
-
executables:
|
78
|
+
executables:
|
79
|
+
- puppetserver-ca
|
79
80
|
extensions: []
|
80
81
|
extra_rdoc_files: []
|
81
82
|
files:
|