puppetserver-ca 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4aae686f8f63d4fb8c675758fd9c910f8608187a
-  data.tar.gz: 36404974656f555dbd6253aaa6a5792b9b3b0069
+  metadata.gz: 9e9242f6653c1f428f154759eaeeae5d45860683
+  data.tar.gz: 08769d2347f84fc0c5b29dcc8e8fe4a5272c3674
 SHA512:
-  metadata.gz: 4f43caf76164963786227c950886504fa2d3c7ffa583228cbe82256bca53c8a6867ba7c7cb3278bc604e3730f79dcb934146a22bd209642aa1a347fb5ea86811
-  data.tar.gz: 98b4178cadbc8ec770585a97b5ce9d44a770956d5d85b839cc5553962a1377998853b93a67378519577a13f032cf1ac6bd954641dab013fbeedd480b9e369944
+  metadata.gz: 247107b319de6f2c00a62b0bdb9e03f4c4ff694dca4e319d9c5f88d251c800de91b68b504fb92c4d4fabf7e94110935f2fcc200cde320374bc7bf488f33d37a1
+  data.tar.gz: d3517342dad610a789ef54b26d17812581332abd69a61e70fd9063237820fdc0e69062557649c66ed7d92c0321922d94a28434ede370209c8de3a6285f0a4fca

data/README.md

@@ -13,8 +13,52 @@ You may install it yourself with:
 
 ## Usage
 
-This is still a Work in Progress and is not intended for public usage yet.
-Use at your own risk!
+For initial CA setup, we provide two options. These need to be run before starting
+Puppet Server for the first time.
+
+To set up a default CA, with a self-signed root cert and an intermediate signing cert:
+```
+puppetserver ca setup
+```
+
+To import a custom CA:
+```
+puppetserver ca import --cert-bundle certs.pem --crl-chain crls.pem --private-key ca_key.pem
+```
+
+The remaining actions provided by this gem require a running Puppet Server, since
+it primarily uses the CA's API endpoints to do its work. The following examples
+assume that you are using the gem packaged within Puppet Server.
+
+To sign a pending certificate request:
+```
+puppetserver ca sign --certname foo.example.com
+```
+
+To list certificates and CSRs:
+```
+puppetserver ca list --all
+```
+
+To revoke a signed certificate:
+```
+puppetserver ca revoke --certname foo.example.com
+```
+
+To revoke the cert and clean up all SSL files for a given certname:
+```
+puppetserver ca clean --certname foo.example.com
+```
+
+To create a new keypair and certificate for a certname:
+```
+puppetserver ca generate --certname foo.example.com
+```
+
+For more details, see the help output:
+```
+puppetserver ca --help
+```
 
 This code in this project is licensed under the Apache Software License v2,
 please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/LICENSE.md)

data/lib/puppetserver/ca/action/generate.rb

@@ -1,9 +1,12 @@
 require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/host'
 require 'puppetserver/ca/certificate_authority'
+require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/x509_loader'
 require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
+require 'puppetserver/ca/utils/config'
 
 module Puppetserver
   module Ca
@@ -20,13 +23,27 @@ module Puppetserver
         BANNER = <<-BANNER
 Usage:
   puppetserver ca generate [--help]
-  puppetserver ca generate [--config PATH] [--certname NAME[,NAME]]
+  puppetserver ca generate --certname NAME[,NAME] [--config PATH]
                            [--subject-alt-names NAME[,NAME]]
+                           [--ca-client]
 
 Description:
 Generates a new certificate signed by the intermediate CA
 and stores generated keys and certs on disk.
 
+If the `--ca-client` flag is passed, the cert will be generated
+offline, without using Puppet Server's signing code, and will add
+a special extension authorizing it to talk to the CA API. This can
+be used for regenerating the master's host cert, or for manually
+setting up other nodes to be CA clients. Do not distribute certs
+generated this way to any node that you do not intend to have
+administrative access to the CA (e.g. the ability to sign a cert).
+
+Since the `--ca-client` causes a cert to be generated offline, it
+should ONLY be used when Puppet Server is NOT running, to avoid
+conflicting with the actions of the CA service. This will be
+mandatory in a future release.
+
 To determine the target location, the default puppet.conf
 is consulted for custom values. If using a custom puppet.conf
 provide it with the --config flag
@@ -56,6 +73,11 @@ BANNER
                     'Subject alternative names for the generated cert') do |sans|
               parsed['subject-alt-names'] = sans
             end
+            opts.on('--ca-client',
+                    'Whether this cert will be used to request CA actions.\
+                    Causes the cert to be generated offline.') do |ca_client|
+              parsed['ca-client'] = true
+            end
           end
         end
 
@@ -103,27 +125,66 @@ BANNER
 
           # Load, resolve, and validate puppet config settings
           settings_overrides = {}
-          # Since puppet expects the key to be called 'dns_alt_names', we need to use that here
-          # to ensure that the overriding works correctly.
-          settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
           puppet = Config::Puppet.new(config_path)
           puppet.load(settings_overrides)
           return 1 if CliParsing.handle_errors(@logger, puppet.errors)
 
+          # We don't want generate to respect the alt names setting, since it is usually
+          # used to generate certs for other nodes
+          alt_names = input['subject-alt-names']
+
           # Load most secure signing digest we can for csr signing.
           signer = SigningDigest.new
           return 1 if CliParsing.handle_errors(@logger, signer.errors)
 
           # Generate and save certs and associated keys
-          all_passed = generate_certs(certnames, puppet.settings, signer.digest)
+          if input['ca-client']
+            all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
+          else
+            all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest)
+          end
           return all_passed ? 0 : 1
         end
 
+        # Certs authorized to talk to the CA API need to be signed offline,
+        # in order to securely add the special auth extension.
+        def generate_authorized_certs(certnames, alt_names, settings, digest)
+          # Make sure we have all the directories where we will be writing files
+          FileSystem.ensure_dirs([settings[:ssldir],
+                                  settings[:certdir],
+                                  settings[:privatekeydir],
+                                  settings[:publickeydir]])
+
+          ca = Puppetserver::Ca::LocalCertificateAuthority.new(digest, settings)
+          ca_cert, ca_key = ca.load_ca
+          return false if CliParsing.handle_errors(@logger, ca.errors)
+
+          passed = certnames.map do |certname|
+            errors = check_for_existing_ssl_files(certname, settings)
+            next false if CliParsing.handle_errors(@logger, errors)
+
+            current_alt_names = process_alt_names(alt_names, certname)
+
+            # For certs signed offline, any alt names are added directly to the cert,
+            # rather than to the CSR.
+            key, csr = generate_key_csr(certname, settings, digest)
+            next false unless csr
+
+            cert = ca.sign_authorized_cert(ca_key, ca_cert, csr, current_alt_names)
+            next false unless save_file(cert.to_pem, certname, settings[:certdir], "Certificate")
+            next false unless save_file(cert.to_pem, certname, settings[:signeddir], "Certificate")
+            next false unless save_keys(certname, settings, key)
+            ca.update_serial_file(cert.serial + 1)
+            true
+          end
+          passed.all?
+        end
+
         # Generate csrs and keys, then submit them to CA, request for the CA to sign
         # them, download the signed certificates from the CA, and finally save
         # the signed certs and associated keys. Returns true if all certs were
         # successfully created and saved.
-        def generate_certs(certnames, settings, digest)
+        def generate_certs(certnames, alt_names, settings, digest)
           # Make sure we have all the directories where we will be writing files
           FileSystem.ensure_dirs([settings[:ssldir],
                                   settings[:certdir],
@@ -133,13 +194,18 @@ BANNER
           ca = Puppetserver::Ca::CertificateAuthority.new(@logger, settings)
 
           passed = certnames.map do |certname|
-            key, csr = generate_key_csr(certname, settings, digest)
-            return false unless csr
-            return false unless ca.submit_certificate_request(certname, csr)
-            return false unless ca.sign_certs([certname])
+            errors = check_for_existing_ssl_files(certname, settings)
+            next false if CliParsing.handle_errors(@logger, errors)
+
+            current_alt_names = process_alt_names(alt_names, certname)
+
+            key, csr = generate_key_csr(certname, settings, digest, current_alt_names)
+            next false unless csr
+            next false unless ca.submit_certificate_request(certname, csr)
+            next false unless ca.sign_certs([certname])
             if result = ca.get_certificate(certname)
-              save_file(result.body, certname, settings[:certdir], "Certificate")
-              save_keys(certname, settings, key)
+              next false unless save_file(result.body, certname, settings[:certdir], "Certificate")
+              next false unless save_keys(certname, settings, key)
               true
             else
               false
@@ -148,14 +214,16 @@ BANNER
           passed.all?
         end
 
-        def generate_key_csr(certname, settings, digest)
+        # For certs signed offline, any alt names are added directly to the cert,
+        # rather than to the CSR.
+        def generate_key_csr(certname, settings, digest, alt_names = '')
           host = Puppetserver::Ca::Host.new(digest)
           private_key = host.create_private_key(settings[:keylength])
           extensions = []
-          if !settings[:subject_alt_names].empty?
+          if !alt_names.empty?
             ef = OpenSSL::X509::ExtensionFactory.new
             extensions << ef.create_extension("subjectAltName",
-                                              settings[:subject_alt_names],
+                                              alt_names,
                                               false)
           end
           csr = host.create_csr(name: certname,
@@ -169,15 +237,44 @@ BANNER
 
         def save_keys(certname, settings, key)
           public_key = key.public_key
-          save_file(key, certname, settings[:privatekeydir], "Private key")
-          save_file(public_key, certname, settings[:publickeydir], "Public key")
+          return false unless save_file(key, certname, settings[:privatekeydir], "Private key")
+          return false unless save_file(public_key, certname, settings[:publickeydir], "Public key")
+          true
         end
 
         def save_file(content, certname, dir, type)
           location = File.join(dir, "#{certname}.pem")
-          @logger.warn "#{type} #{certname}.pem already exists, overwriting" if File.exist?(location)
-          FileSystem.write_file(location, content, 0640)
-          @logger.inform "Successfully saved #{type.downcase} for #{certname} to #{location}"
+          if File.exist?(location)
+            @logger.err "#{type} #{certname}.pem already exists. Please delete it if you really want to regenerate it."
+            false
+          else
+            FileSystem.write_file(location, content, 0640)
+            @logger.inform "Successfully saved #{type.downcase} for #{certname} to #{location}"
+            true
+          end
+        end
+
+        def check_for_existing_ssl_files(certname, settings)
+          files = [ File.join(settings[:certdir], "#{certname}.pem"),
+                    File.join(settings[:privatekeydir], "#{certname}.pem"),
+                    File.join(settings[:publickeydir], "#{certname}.pem"),
+                    File.join(settings[:signeddir], "#{certname}.pem"), ]
+          errors = Puppetserver::Ca::Utils::FileSystem.check_for_existing_files(files)
+          if !errors.empty?
+            errors << "Please delete these files if you really want to generate a new cert for #{certname}."
+          end
+          errors
+        end
+
+        def process_alt_names(alt_names, certname)
+          return '' if alt_names.empty?
+
+          current_alt_names = alt_names.dup
+          # When validating the cert, OpenSSL will ignore the CN field if
+          # altnames are present, so we need to ensure that the certname is
+          # also listed among the alt names.
+          current_alt_names += ",DNS:#{certname}"
+          current_alt_names = Puppetserver::Ca::Utils::Config.munge_alt_names(current_alt_names)
         end
       end
     end

data/lib/puppetserver/ca/action/list.rb

@@ -96,8 +96,12 @@ Options:
           end
 
           certs.each do |cert|
+            # In newer versions of the CA api we return subjcet_alt_names
+            # in addition to dns_alt_names, this field includes DNS alt
+            # names but also IP alt names.
+            alt_names = cert["subject_alt_names"] || cert["dns_alt_names"]
             @logger.inform "    #{cert["name"]}".ljust(padded + 6) + " (SHA256) " + " #{cert["fingerprints"]["SHA256"]}" +
-                               (cert["dns_alt_names"].empty? ? "" : "\talt names: #{cert["dns_alt_names"]}")
+                               (alt_names.empty? ? "" : "\talt names: #{alt_names}")
             end
         end
 

data/lib/puppetserver/ca/config/puppet.rb

@@ -22,8 +22,6 @@ module Puppetserver
         # A regex describing valid formats with groups for capturing the value and units
         TTL_FORMAT = /^(\d+)(y|d|h|m|s)?$/
 
-        include Puppetserver::Ca::Utils::Config
-
         def self.parse(config_path)
           instance = new(config_path)
           instance.load
@@ -49,7 +47,7 @@ module Puppetserver
         # start/stop it you must be root.
         def user_specific_conf_dir
           @user_specific_conf_dir ||=
-            if running_as_root?
+            if Puppetserver::Ca::Utils::Config.running_as_root?
               '/etc/puppetlabs/puppet'
             else
               "#{ENV['HOME']}/.puppetlabs/etc/puppet"
@@ -161,7 +159,7 @@ module Puppetserver
           # Some special cases where we need to manipulate config settings:
           settings[:ca_ttl] = munge_ttl_setting(settings[:ca_ttl])
           settings[:certificate_revocation] = parse_crl_usage(settings[:certificate_revocation])
-          settings[:subject_alt_names] = munge_alt_names(settings[:subject_alt_names])
+          settings[:subject_alt_names] = Puppetserver::Ca::Utils::Config.munge_alt_names(settings[:subject_alt_names])
           settings[:keylength] = settings[:keylength].to_i
 
           settings.each do |key, value|
@@ -231,18 +229,6 @@ module Puppetserver
           end
         end
 
-        def munge_alt_names(names)
-          raw_names = names.split(/\s*,\s*/).map(&:strip)
-          munged_names = raw_names.map do |name|
-            # Prepend the DNS tag if no tag was specified
-            if !name.start_with?("IP:") && !name.start_with?("DNS:")
-              "DNS:#{name}"
-            else
-              name
-            end
-          end.sort.uniq.join(", ")
-        end
-
         def parse_crl_usage(setting)
           case setting.to_s
           when 'true', 'chain'

data/lib/puppetserver/ca/config/puppetserver.rb

@@ -8,8 +8,6 @@ module Puppetserver
       # Puppetserver or any TK config service. Uses the ruby-hocon gem for parsing.
       class PuppetServer
 
-        include Puppetserver::Ca::Utils::Config
-
         def self.parse(config_path = nil)
           instance = new(config_path)
           instance.load
@@ -50,7 +48,7 @@ module Puppetserver
         # Note that Puppet Server runs as the [pe-]puppet user but to
         # start/stop it you must be root.
         def user_specific_ca_dir
-          if running_as_root?
+          if Puppetserver::Ca::Utils::Config.running_as_root?
             '/etc/puppetlabs/puppetserver/ca'
           else
             "#{ENV['HOME']}/.puppetlabs/etc/puppetserver/ca"

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -1,4 +1,5 @@
 require 'puppetserver/ca/host'
+require 'puppetserver/ca/utils/file_system'
 
 require 'openssl'
 
@@ -39,10 +40,11 @@ module Puppetserver
         @digest = digest
         @host = Host.new(digest)
         @settings = settings
+        @errors = []
       end
 
       def errors
-        @host.errors
+        @errors += @host.errors
       end
 
       def valid_until
@@ -62,6 +64,14 @@ module Puppetserver
                              format_time(cert.not_after), cert.subject]
       end
 
+      def next_serial(serial_file)
+        if File.exist?(serial_file)
+          File.read(serial_file).to_i
+        else
+          1
+        end
+      end
+
       def format_time(time)
         time.strftime('%Y-%m-%dT%H:%M:%S%Z')
       end
@@ -73,33 +83,63 @@ module Puppetserver
                                               @settings[:hostpubkey])
         if master_key
           master_csr = @host.create_csr(name: @settings[:certname], key: master_key)
-          master_cert = sign_master_cert(ca_key, ca_cert, master_csr)
+          if @settings[:subject_alt_names].empty?
+            alt_names = "DNS:puppet, DNS:#{@settings[:certname]}"
+          else
+            alt_names = @settings[:subject_alt_names]
+          end
+
+          master_cert = sign_authorized_cert(ca_key, ca_cert, master_csr, alt_names)
         end
 
         return master_key, master_cert
       end
 
-      def sign_master_cert(int_key, int_cert, csr)
+      # Used when generating certificates offline.
+      def load_ca
+        signing_cert = nil
+        key = nil
+
+        if File.exist?(@settings[:cacert]) && File.exist?(@settings[:cakey]) && File.exist?(@settings[:cacrl])
+          loader = Puppetserver::Ca::X509Loader.new(@settings[:cacert], @settings[:cakey], @settings[:cacrl])
+          if loader.errors.empty?
+            signing_cert = loader.certs[0]
+            key = loader.key
+          else
+            @errors += loader.errors
+          end
+        else
+          @errors << "CA not initialized. Please set up your CA before attempting to generate certs offline."
+        end
+
+        return signing_cert, key
+      end
+
+      def sign_authorized_cert(int_key, int_cert, csr, alt_names = '')
         cert = OpenSSL::X509::Certificate.new
         cert.public_key = csr.public_key
         cert.subject = csr.subject
         cert.issuer = int_cert.subject
         cert.version = 2
-        cert.serial = 1
+        cert.serial = next_serial(@settings[:serial])
         cert.not_before = CERT_VALID_FROM
         cert.not_after = valid_until
 
         return unless add_custom_extensions(cert)
 
         ef = extension_factory_for(int_cert, cert)
-        add_master_extensions(cert, ef)
-        add_subject_alt_names_extension(cert, ef)
+        add_authorized_extensions(cert, ef)
+
+        if !alt_names.empty?
+          add_subject_alt_names_extension(alt_names, cert, ef)
+        end
+
         cert.sign(int_key, @digest)
 
         cert
       end
 
-      def add_master_extensions(cert, ef)
+      def add_authorized_extensions(cert, ef)
         MASTER_EXTENSIONS.each do |ext|
           extension = ef.create_extension(*ext)
           cert.add_extension(extension)
@@ -110,14 +150,8 @@ module Puppetserver
         cert.add_extension(cli_auth_ext)
       end
 
-      def add_subject_alt_names_extension(cert, ef)
-        sans =
-          if @settings[:subject_alt_names].empty?
-            "DNS:puppet, DNS:#{@settings[:certname]}"
-          else
-            @settings[:subject_alt_names]
-          end
-        alt_names_ext = ef.create_extension("subjectAltName", sans, false)
+      def add_subject_alt_names_extension(alt_names, cert, ef)
+        alt_names_ext = ef.create_extension("subjectAltName", alt_names, false)
         cert.add_extension(alt_names_ext)
       end
 
@@ -216,6 +250,10 @@ module Puppetserver
 
         cert
       end
+
+      def update_serial_file(serial)
+        Puppetserver::Ca::Utils::FileSystem.write_file(@settings[:serial], serial, 0644)
+      end
     end
   end
 end

data/lib/puppetserver/ca/utils/config.rb

@@ -3,10 +3,22 @@ module Puppetserver
     module Utils
       module Config
 
-        def running_as_root?
+        def self.running_as_root?
           !Gem.win_platform? && Process::UID.eid == 0
         end
 
+        def self.munge_alt_names(names)
+          raw_names = names.split(/\s*,\s*/).map(&:strip)
+          munged_names = raw_names.map do |name|
+            # Prepend the DNS tag if no tag was specified
+            if !name.start_with?("IP:") && !name.start_with?("DNS:")
+              "DNS:#{name}"
+            else
+              name
+            end
+          end.sort.uniq.join(", ")
+        end
+
       end
     end
   end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.0.0"
+    VERSION = "1.1.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-13 00:00:00.000000000 Z
+date: 2018-09-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter