puppetserver-ca 0.4.2 → 0.4.3

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 675bbbde6ef2920bff8139cd7cbed1da317a26e4
4
- data.tar.gz: 59856cf44f1a0f8629faadb2b69a4a9a66722225
3
+ metadata.gz: 9c19462a3167093517421b973f330b005a6776b4
4
+ data.tar.gz: 5c4dc2716c5063512594005c625ad391ca6ec3f0
5
5
  SHA512:
6
- metadata.gz: a4ffd3cbedefabf0ae8c5e33eb173addfea289fd984e9252ecc971d6eea1775a5d8bcfdf6446b1d1aaa1d8d69bb0d6c802afb1e797e50f7ace7304c26794f48f
7
- data.tar.gz: 02ae98ec500429f7c4d589c5a2e0d975cb06bce415c09f27caf4f24d0b9cab707bc1bc40bca9ed33596229ea75fc0749252e77bc33e683e3054e32d1b30a28bb
6
+ metadata.gz: cac3a5c1d00ddb4e4fc9948fc09c91bc6436e8c245cd17610b971e7dbc74c033ba41c7602d12fdbe11808eb51a0612c5fee71353af4b9956b4ac449fb889ec84
7
+ data.tar.gz: 8e8ac33850a91d128282572c0ef2f4dd421dd447911e09cc6aa561eae1f6b381c3b06f0e9661581616c2c516da92490ad59d180744737bf6873c049a9d9d673f
@@ -21,6 +21,7 @@ module Puppetserver
21
21
  Usage:
22
22
  puppetserver ca create [--help]
23
23
  puppetserver ca create [--config PATH] [--certname CERTNAME[,ADDLCERTNAME]]
24
+ [--subject-alt-names ALTNAME1[,ALTNAME2...]]
24
25
 
25
26
  Description:
26
27
  Creates a new certificate signed by the intermediate CA
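Review bot: The new usage line `[--subject-alt-names ALTNAME1[,ALTNAME2...]]` here, and the option's help string in the later OptionParser hunk (`'Subject alternative names for the generated cert'`), never say what form each entry takes, yet the value ends up in an OpenSSL `subjectAltName` extension, whose entries carry a type tag such as `DNS:` or `IP:` unless something normalizes them first. Whether Config::Puppet adds the tag to bare names is not visible in this diff; if it does, both texts should say bare entries are treated as DNS names and addresses need `IP:`, otherwise they should state the required `DNS:host,IP:addr` form. A help string along the lines of `'Comma-separated subject alternative names for the generated cert (DNS names, or IP:<address>)'` would cover it.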
@@ -38,6 +39,7 @@ BANNER
38
39
 
39
40
  def self.parser(parsed = {})
40
41
  parsed['certnames'] = []
42
+ parsed['subject-alt-names'] = ''
41
43
  OptionParser.new do |opts|
42
44
  opts.banner = BANNER
43
45
  opts.on('--certname FOO,BAR', Array,
@@ -50,6 +52,10 @@ BANNER
50
52
  opts.on('--config CONF', 'Path to puppet.conf') do |conf|
51
53
  parsed['config'] = conf
52
54
  end
55
+ opts.on('--subject-alt-names NAME1[,NAME2]',
56
+ 'Subject alternative names for the generated cert') do |sans|
57
+ parsed['subject-alt-names'] = sans
58
+ end
53
59
  end
54
60
  end
55
61
 
@@ -96,7 +102,12 @@ BANNER
96
102
  end
97
103
 
98
104
  # Load, resolve, and validate puppet config settings
99
- puppet = Config::Puppet.parse(config_path)
105
+ settings_overrides = {}
106
+ # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
107
+ # to ensure that the overriding works correctly.
108
+ settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
109
+ puppet = Config::Puppet.new(config_path)
110
+ puppet.load(settings_overrides)
100
111
  return 1 if CliParsing.handle_errors(@logger, puppet.errors)
101
112
 
102
113
  # Load most secure signing digest we can for csr signing.
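Review bot: The new `settings_overrides[:dns_alt_names]` line calls `.empty?` on `input['subject-alt-names']`, which raises NoMethodError when that key is absent; `parser` in the earlier hunk defaults it to `''`, but this method (whose start is outside the hunk) accepts any hash, so the guard depends on every caller going through `parser`. Coercing once keeps the behavior and drops the repeated lookup: `sans = input['subject-alt-names'].to_s` followed by `settings_overrides[:dns_alt_names] = sans unless sans.empty?`.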
@@ -139,7 +150,11 @@ BANNER
139
150
  def generate_key_csr(certname, settings, digest)
140
151
  host = Puppetserver::Ca::Host.new(digest)
141
152
  private_key = host.create_private_key(settings[:keylength])
142
- csr = host.create_csr(certname, private_key)
153
+ extensions = []
154
+ if !settings[:subject_alt_names].empty?
155
+ extensions << host.create_extension("subjectAltName", settings[:subject_alt_names])
156
+ end
157
+ csr = host.create_csr(certname, private_key, extensions)
143
158
 
144
159
  return private_key, csr
145
160
  end
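Review bot: The `if !settings[:subject_alt_names].empty?` block is the negated form the style guide avoids; as a modifier it reads better: `extensions << host.create_extension("subjectAltName", settings[:subject_alt_names]) unless settings[:subject_alt_names].empty?`. Since the settings resolver in another hunk now defaults `subject_alt_names` to `""`, a CSR produced here carries no SAN by default while the cert-signing hunk later in this diff always attaches one; if that asymmetry is intended, a one-line comment above `extensions = []` such as `# SANs are applied at signing time; the CSR carries them only when given explicitly` would save the next reader from wondering.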
@@ -90,7 +90,7 @@ BANNER
90
90
  [settings[:hostpubkey], master_key.public_key],
91
91
  [settings[:hostcert], master_cert],
92
92
  [settings[:cert_inventory], ca.inventory_entry(master_cert)],
93
- [settings[:serial], "0x0002"],
93
+ [settings[:serial], "002"],
94
94
  [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert]
95
95
  ]
96
96
 
@@ -152,8 +152,11 @@ module Puppetserver
152
152
  settings[setting_name] = setting_value
153
153
  end
154
154
 
155
+ # If subject-alt-names are provided, we need to add the certname in addition
156
+ overrides[:dns_alt_names] << ',$certname' if overrides[:dns_alt_names]
157
+
155
158
  # rename dns_alt_names to subject_alt_names now that we support IP alt names
156
- settings[:subject_alt_names] = overrides.fetch(:dns_alt_names, "puppet,$certname")
159
+ settings[:subject_alt_names] = overrides.fetch(:dns_alt_names, "")
157
160
 
158
161
  # Some special cases where we need to manipulate config settings:
159
162
  settings[:ca_ttl] = munge_ttl_setting(settings[:ca_ttl])
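Review bot: `overrides[:dns_alt_names] << ',$certname'` mutates the string object the caller handed in; judging from the create hunk that appears to be the CLI's own `input['subject-alt-names']`, so the caller's hash is changed as a side effect, and a frozen string (for example under `# frozen_string_literal: true`) would raise FrozenError on this line. Building a new string avoids both: `overrides[:dns_alt_names] = "#{overrides[:dns_alt_names]},$certname" if overrides[:dns_alt_names]`. The certname is appended even when the operator already listed it, and whether duplicates are collapsed later is not visible here, so either dedupe at this point or say in the comment where that happens. The enclosing method starts and ends outside this hunk.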
@@ -12,15 +12,26 @@ module Puppetserver
12
12
  OpenSSL::PKey::RSA.new(keylength)
13
13
  end
14
14
 
15
- def create_csr(name, key)
15
+ def create_csr(name, key, extensions = [])
16
16
  csr = OpenSSL::X509::Request.new
17
17
  csr.public_key = key.public_key
18
18
  csr.subject = OpenSSL::X509::Name.new([["CN", name]])
19
19
  csr.version = 2
20
+ add_csr_extension(csr, extensions) unless extensions.empty?
20
21
  csr.sign(key, @digest)
21
22
 
22
23
  csr
23
24
  end
25
+
26
+ def create_extension(extension_name, extension_value, critical = false)
27
+ OpenSSL::X509::ExtensionFactory.new.create_extension(extension_name, extension_value, critical)
28
+ end
29
+
30
+ def add_csr_extension(csr, extensions)
31
+ attribute_values = OpenSSL::ASN1::Set [OpenSSL::ASN1::Sequence(extensions)]
32
+ att = OpenSSL::X509::Attribute.new('extReq', attribute_values)
33
+ csr.add_attribute(att)
34
+ end
24
35
  end
25
36
  end
26
37
  end
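Review bot: `OpenSSL::ASN1::Set [OpenSSL::ASN1::Sequence(extensions)]` relies on Ruby reading a constant followed by a space and `[` as a call to the `OpenSSL::ASN1::Set(...)` module method with an array argument, which looks like an index to anyone skimming; the unambiguous form is `OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(extensions)])`. The new public surface (`create_csr`'s `extensions` parameter, `create_extension`, `add_csr_extension`) has no documentation; YARD tags should say that `extensions` is an array of `OpenSSL::X509::Extension` objects that are wrapped into a single `extReq` attribute on the request, and that `critical` defaults to false. `add_csr_extension` is only called from `create_csr` in this hunk, so it could sit under `private` unless other callers are planned.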
@@ -82,11 +82,14 @@ module Puppetserver
82
82
  extension = ef.create_extension(*ext)
83
83
  cert.add_extension(extension)
84
84
  end
85
-
86
- if !@settings[:subject_alt_names].empty?
87
- alt_names_ext = ef.create_extension("subjectAltName", @settings[:subject_alt_names], false)
88
- cert.add_extension(alt_names_ext)
89
- end
85
+ sans =
86
+ if @settings[:subject_alt_names].empty?
87
+ "DNS:puppet, DNS:#{@settings[:certname]}"
88
+ else
89
+ @settings[:subject_alt_names]
90
+ end
91
+ alt_names_ext = ef.create_extension("subjectAltName", sans, false)
92
+ cert.add_extension(alt_names_ext)
90
93
 
91
94
  cert.sign(int_key, @digest)
92
95
  cert
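Review bot: The fallback `"DNS:puppet, DNS:#{@settings[:certname]}"` interpolates `@settings[:certname]` straight into an OpenSSL extension value, so a certname containing `,` or whitespace would be parsed as extra or malformed SAN entries; whether certname is validated before this point is not visible in the diff, so either check it here or note in a comment where that happens. The default also now lives in two places, here and in the settings resolver whose `fetch` default changed from `"puppet,$certname"` to `""` in another hunk; unless the empty default is meant to signal "not set", resolving it in settings would let the CSR built by `generate_key_csr` and the signed cert agree on one list. A short comment above `sans =` explaining why the default is applied at signing time would help the next reader either way.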
@@ -1,5 +1,5 @@
1
1
  module Puppetserver
2
2
  module Ca
3
- VERSION = "0.4.2"
3
+ VERSION = "0.4.3"
4
4
  end
5
5
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: puppetserver-ca
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.4.2
4
+ version: 0.4.3
5
5
  platform: ruby
6
6
  authors:
7
7
  - Puppet, Inc.
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2018-08-28 00:00:00.000000000 Z
11
+ date: 2018-08-29 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: facter