puppetserver-ca 0.4.2 → 0.4.3

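--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 675bbbde6ef2920bff8139cd7cbed1da317a26e4
-  data.tar.gz: 59856cf44f1a0f8629faadb2b69a4a9a66722225
+  metadata.gz: 9c19462a3167093517421b973f330b005a6776b4
+  data.tar.gz: 5c4dc2716c5063512594005c625ad391ca6ec3f0
 SHA512:
-  metadata.gz: a4ffd3cbedefabf0ae8c5e33eb173addfea289fd984e9252ecc971d6eea1775a5d8bcfdf6446b1d1aaa1d8d69bb0d6c802afb1e797e50f7ace7304c26794f48f
-  data.tar.gz: 02ae98ec500429f7c4d589c5a2e0d975cb06bce415c09f27caf4f24d0b9cab707bc1bc40bca9ed33596229ea75fc0749252e77bc33e683e3054e32d1b30a28bb
+  metadata.gz: cac3a5c1d00ddb4e4fc9948fc09c91bc6436e8c245cd17610b971e7dbc74c033ba41c7602d12fdbe11808eb51a0612c5fee71353af4b9956b4ac449fb889ec84
+  data.tar.gz: 8e8ac33850a91d128282572c0ef2f4dd421dd447911e09cc6aa561eae1f6b381c3b06f0e9661581616c2c516da92490ad59d180744737bf6873c049a9d9d673f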
@@ -21,6 +21,7 @@ module Puppetserver
21
21
  Usage:
22
22
  puppetserver ca create [--help]
23
23
  puppetserver ca create [--config PATH] [--certname CERTNAME[,ADDLCERTNAME]]
24
+ [--subject-alt-names ALTNAME1[,ALTNAME2...]]
24
25
 
25
26
  Description:
26
27
  Creates a new certificate signed by the intermediate CA
@@ -38,6 +39,7 @@ BANNER
38
39
 
39
40
  def self.parser(parsed = {})
40
41
  parsed['certnames'] = []
42
+ parsed['subject-alt-names'] = ''
41
43
  OptionParser.new do |opts|
42
44
  opts.banner = BANNER
43
45
  opts.on('--certname FOO,BAR', Array,
@@ -50,6 +52,10 @@ BANNER
50
52
  opts.on('--config CONF', 'Path to puppet.conf') do |conf|
51
53
  parsed['config'] = conf
52
54
  end
55
+ opts.on('--subject-alt-names NAME1[,NAME2]',
56
+ 'Subject alternative names for the generated cert') do |sans|
57
+ parsed['subject-alt-names'] = sans
58
+ end
53
59
  end
54
60
  end
55
61
 
@@ -96,7 +102,12 @@ BANNER
96
102
  end
97
103
 
98
104
  # Load, resolve, and validate puppet config settings
99
- puppet = Config::Puppet.parse(config_path)
105
+ settings_overrides = {}
106
+ # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
107
+ # to ensure that the overriding works correctly.
108
+ settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
109
+ puppet = Config::Puppet.new(config_path)
110
+ puppet.load(settings_overrides)
100
111
  return 1 if CliParsing.handle_errors(@logger, puppet.errors)
101
112
 
102
113
  # Load most secure signing digest we can for csr signing.
@@ -139,7 +150,11 @@ BANNER
139
150
  def generate_key_csr(certname, settings, digest)
140
151
  host = Puppetserver::Ca::Host.new(digest)
141
152
  private_key = host.create_private_key(settings[:keylength])
142
- csr = host.create_csr(certname, private_key)
153
+ extensions = []
154
+ if !settings[:subject_alt_names].empty?
155
+ extensions << host.create_extension("subjectAltName", settings[:subject_alt_names])
156
+ end
157
+ csr = host.create_csr(certname, private_key, extensions)
143
158
 
144
159
  return private_key, csr
145
160
  end
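Review bot: `generate_key_csr` embeds `settings[:subject_alt_names]` into the CSR verbatim and says nothing about the format the value must have; the new `if !settings[:subject_alt_names].empty?` also reads better in this file's idiom as `unless settings[:subject_alt_names].empty?`. Judging from `create_extension` elsewhere in this diff, the string is handed straight to OpenSSL's extension parser, so it presumably must already carry `DNS:`/`IP:` prefixes; document that above the extension line, e.g. `# subject_alt_names is an OpenSSL config-style SAN string ("DNS:a.example,IP:10.0.0.1"); assumed already munged/validated by the config layer — confirm`. The new `--subject-alt-names` option in this same file is parsed as a plain string while `--certname` uses `Array`, yet the usage banner advertises the same comma-separated form, so the option description should state the expected entry format. Nothing on this path validates the entries before they end up in a certificate signed with the CA key, which is worth a sentence in the help text if the config layer does not do it.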
@@ -90,7 +90,7 @@ BANNER
90
90
  [settings[:hostpubkey], master_key.public_key],
91
91
  [settings[:hostcert], master_cert],
92
92
  [settings[:cert_inventory], ca.inventory_entry(master_cert)],
93
- [settings[:serial], "0x0002"],
93
+ [settings[:serial], "002"],
94
94
  [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert]
95
95
  ]
96
96
 
@@ -152,8 +152,11 @@ module Puppetserver
152
152
  settings[setting_name] = setting_value
153
153
  end
154
154
 
155
+ # If subject-alt-names are provided, we need to add the certname in addition
156
+ overrides[:dns_alt_names] << ',$certname' if overrides[:dns_alt_names]
157
+
155
158
  # rename dns_alt_names to subject_alt_names now that we support IP alt names
156
- settings[:subject_alt_names] = overrides.fetch(:dns_alt_names, "puppet,$certname")
159
+ settings[:subject_alt_names] = overrides.fetch(:dns_alt_names, "")
157
160
 
158
161
  # Some special cases where we need to manipulate config settings:
159
162
  settings[:ca_ttl] = munge_ttl_setting(settings[:ca_ttl])
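Review bot: `overrides[:dns_alt_names] << ',$certname'` appends in place to the string object the caller passed in, so the caller's value (on the generate path, the parsed `--subject-alt-names` option) is modified as a side effect, a second `load` with the same overrides hash appends `$certname` again, and a frozen string raises FrozenError. Build a new string instead: `overrides[:dns_alt_names] = "#{overrides[:dns_alt_names]},$certname" if overrides[:dns_alt_names]`. The `$certname` placeholder is presumably expanded by the same resolution the old `"puppet,$certname"` default relied on, but this line runs after the settings loop visible just above, so a comment saying where it gets resolved would help. The enclosing method starts and ends outside the hunk.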
@@ -12,15 +12,26 @@ module Puppetserver
12
12
  OpenSSL::PKey::RSA.new(keylength)
13
13
  end
14
14
 
15
- def create_csr(name, key)
15
+ def create_csr(name, key, extensions = [])
16
16
  csr = OpenSSL::X509::Request.new
17
17
  csr.public_key = key.public_key
18
18
  csr.subject = OpenSSL::X509::Name.new([["CN", name]])
19
19
  csr.version = 2
20
+ add_csr_extension(csr, extensions) unless extensions.empty?
20
21
  csr.sign(key, @digest)
21
22
 
22
23
  csr
23
24
  end
25
+
26
+ def create_extension(extension_name, extension_value, critical = false)
27
+ OpenSSL::X509::ExtensionFactory.new.create_extension(extension_name, extension_value, critical)
28
+ end
29
+
30
+ def add_csr_extension(csr, extensions)
31
+ attribute_values = OpenSSL::ASN1::Set [OpenSSL::ASN1::Sequence(extensions)]
32
+ att = OpenSSL::X509::Attribute.new('extReq', attribute_values)
33
+ csr.add_attribute(att)
34
+ end
24
35
  end
25
36
  end
26
37
  end
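Review bot: `create_extension` passes `extension_value` straight to OpenSSL's v3 extension config parser with no check or normalisation, so for `subjectAltName` the caller must already supply `DNS:name,IP:addr` form; as far as I know a bare hostname makes ExtensionFactory raise, and nothing here says so. Document the contract on the new methods, e.g. above `create_extension`: `# extension_value is an OpenSSL config-style string (e.g. "DNS:a.example,IP:10.0.0.1"); it is not validated here`, and above `add_csr_extension`: `# wraps the given OpenSSL::X509::Extension objects in one extReq attribute; call before csr.sign`. Also worth noting that the fresh `ExtensionFactory` has no issuer or subject certificate attached, which is fine for subjectAltName but would not serve extensions that need issuer context such as authorityKeyIdentifier.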
@@ -82,11 +82,14 @@ module Puppetserver
82
82
  extension = ef.create_extension(*ext)
83
83
  cert.add_extension(extension)
84
84
  end
85
-
86
- if !@settings[:subject_alt_names].empty?
87
- alt_names_ext = ef.create_extension("subjectAltName", @settings[:subject_alt_names], false)
88
- cert.add_extension(alt_names_ext)
89
- end
85
+ sans =
86
+ if @settings[:subject_alt_names].empty?
87
+ "DNS:puppet, DNS:#{@settings[:certname]}"
88
+ else
89
+ @settings[:subject_alt_names]
90
+ end
91
+ alt_names_ext = ef.create_extension("subjectAltName", sans, false)
92
+ cert.add_extension(alt_names_ext)
90
93
 
91
94
  cert.sign(int_key, @digest)
92
95
  cert
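Review bot: Both branches of the new `sans` assignment feed an unvalidated string into `ef.create_extension`: the fallback interpolates `@settings[:certname]` into an OpenSSL config string, and the other branch passes the configured alt names verbatim, so a value containing `,` or a `TYPE:` prefix becomes extra or differently typed SAN entries in a certificate signed with the CA key. If certname and `subject_alt_names` are validated or munged before they reach here (not visible in this hunk) that is acceptable, but a comment should say so: `# SAN value is an OpenSSL v3 config string ("DNS:a, DNS:b"); entries are assumed validated by the config layer — confirm`. The enclosing method starts and ends outside the hunk.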
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "0.4.2"
3
+ VERSION = "0.4.3"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.2
4
+ version: 0.4.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-08-28 00:00:00.000000000 Z
11
+ date: 2018-08-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter