puppetserver-ca 1.1.2 → 1.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8ef4177b1921aaa80d30844823c81a28b3465c65
-  data.tar.gz: e7e494cf9f9f93127cf0b693afeba8cedfcb8659
+  metadata.gz: 0a642b5be01fd4809412f6c70928f1764a8ed294
+  data.tar.gz: edb6b327dc31c877cc69fce0cd9382e73082409d
 SHA512:
-  metadata.gz: 95c956f2395ff96c6e6108d3fb67441052fb7de89581427cdeacee0de73415a46633b5dedc113fa56200e84963e6e3255f84fc58c8cd5676044171673e45f5b2
-  data.tar.gz: 66c067a3f40bc1d5c4c096bf5afb5eda563f8caebd431638a913f3ea26f797ecde05547a18864841755a779426d6003dc00f0d412940e53a643a08c21b0412b3
+  metadata.gz: 6a05b9d88d88098766164e3fc834343461de20d81858a65523e8ad53f179c7f56a4d5b5a43ecdae63e59d1d8ba959ff9ea007e58f4ca1d559d758b2786f4db21
+  data.tar.gz: 803bacaad5099f629adeb64cdb86ea711e4a14235714836f9fccd6746fae9d84e66252d51d907d4e15378a5dc6271772b1bc7289e0ce3c996ad9d061cfe9f9cc

data/lib/puppetserver/ca/action/generate.rb

@@ -183,7 +183,6 @@ BANNER
                                   settings[:publickeydir]])
 
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(digest, settings)
-          ca_cert, ca_key = ca.load_ca
           return false if CliParsing.handle_errors(@logger, ca.errors)
 
           passed = certnames.map do |certname|
@@ -197,7 +196,7 @@ BANNER
             key, csr = generate_key_csr(certname, settings, digest)
             next false unless csr
 
-            cert = ca.sign_authorized_cert(ca_key, ca_cert, csr, current_alt_names)
+            cert = ca.sign_authorized_cert(csr, current_alt_names)
             next false unless save_file(cert.to_pem, certname, settings[:certdir], "Certificate")
             next false unless save_file(cert.to_pem, certname, settings[:signeddir], "Certificate")
             next false unless save_keys(certname, settings, key)

data/lib/puppetserver/ca/action/import.rb

@@ -73,7 +73,8 @@ BANNER
 
         def import(loader, settings, signing_digest)
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
-          master_key, master_cert = ca.create_master_cert(loader.key, loader.certs.first)
+          ca.load_ssl_components(loader)
+          master_key, master_cert = ca.create_master_cert
           return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],

data/lib/puppetserver/ca/action/setup.rb

@@ -77,8 +77,8 @@ BANNER
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
 
           root_key, root_cert, root_crl = ca.create_root_cert
-          int_key, int_cert, int_crl = ca.create_intermediate_cert(root_key, root_cert)
-          master_key, master_cert = ca.create_master_cert(int_key, int_cert)
+          ca.create_intermediate_cert(root_key, root_cert)
+          master_key, master_cert = ca.create_master_cert
           return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
@@ -89,14 +89,14 @@ BANNER
                                   settings[:signeddir]])
 
           public_files = [
-            [settings[:cacert], [int_cert, root_cert]],
-            [settings[:cacrl], [int_crl, root_crl]],
-            [settings[:cadir] + '/infra_crl.pem', [int_crl, root_crl]],
+            [settings[:cacert], [ca.cert, root_cert]],
+            [settings[:cacrl], [ca.crl, root_crl]],
+            [settings[:cadir] + '/infra_crl.pem', [ca.crl, root_crl]],
             [settings[:hostcert], master_cert],
-            [settings[:localcacert], [int_cert, root_cert]],
-            [settings[:hostcrl], [int_crl, root_crl]],
+            [settings[:localcacert], [ca.cert, root_cert]],
+            [settings[:hostcrl], [ca.crl, root_crl]],
             [settings[:hostpubkey], master_key.public_key],
-            [settings[:capub], int_key.public_key],
+            [settings[:capub], ca.key.public_key],
             [settings[:cert_inventory], ca.inventory_entry(master_cert)],
             [settings[:cadir] + '/infra_inventory.txt', ''],
             [settings[:cadir] + '/infra_serials', ''],
@@ -107,7 +107,7 @@ BANNER
           private_files = [
             [settings[:hostprivkey], master_key],
             [settings[:rootkey], root_key],
-            [settings[:cakey], int_key],
+            [settings[:cakey], ca.key],
           ]
 
           files_to_check = public_files + private_files

data/lib/puppetserver/ca/config/puppet.rb

@@ -104,7 +104,7 @@ module Puppetserver
             [:cadir, '$ssldir/ca'],
             [:certdir, '$ssldir/certs'],
             [:certname, default_certname],
-            [:server, '$certname'],
+            [:server, 'puppet'],
             [:masterport, '8140'],
             [:privatekeydir, '$ssldir/private_keys'],
             [:publickeydir, '$ssldir/public_keys'],

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -1,5 +1,6 @@
 require 'puppetserver/ca/host'
 require 'puppetserver/ca/utils/file_system'
+require 'puppetserver/ca/x509_loader'
 
 require 'openssl'
 
@@ -36,11 +37,35 @@ module Puppetserver
         ["authorityKeyIdentifier", "keyid:always", false]
       ].freeze
 
+      attr_reader :cert, :key, :crl
+
       def initialize(digest, settings)
         @digest = digest
         @host = Host.new(digest)
         @settings = settings
         @errors = []
+
+        if ssl_assets_exist?
+          loader = Puppetserver::Ca::X509Loader.new(@settings[:cacert], @settings[:cakey], @settings[:cacrl])
+          if loader.errors.empty?
+            load_ssl_components(loader)
+          else
+            @errors += loader.errors
+            @errors << "CA not initialized. Please set up your CA before attempting to generate certs offline."
+          end
+        end
+      end
+
+      def ssl_assets_exist?
+        File.exist?(@settings[:cacert]) &&
+          File.exist?(@settings[:cakey]) &&
+          File.exist?(@settings[:cacrl])
+      end
+
+      def load_ssl_components(loader)
+          @cert = loader.certs.first
+          @key = loader.key
+          @crl = loader.crls.first
       end
 
       def errors
@@ -76,7 +101,7 @@ module Puppetserver
         time.strftime('%Y-%m-%dT%H:%M:%S%Z')
       end
 
-      def create_master_cert(ca_key, ca_cert)
+      def create_master_cert
         master_cert = nil
         master_key = @host.create_private_key(@settings[:keylength],
                                               @settings[:hostprivkey],
@@ -89,37 +114,17 @@ module Puppetserver
             alt_names = @settings[:subject_alt_names]
           end
 
-          master_cert = sign_authorized_cert(ca_key, ca_cert, master_csr, alt_names)
+          master_cert = sign_authorized_cert(master_csr, alt_names)
         end
 
         return master_key, master_cert
       end
 
-      # Used when generating certificates offline.
-      def load_ca
-        signing_cert = nil
-        key = nil
-
-        if File.exist?(@settings[:cacert]) && File.exist?(@settings[:cakey]) && File.exist?(@settings[:cacrl])
-          loader = Puppetserver::Ca::X509Loader.new(@settings[:cacert], @settings[:cakey], @settings[:cacrl])
-          if loader.errors.empty?
-            signing_cert = loader.certs[0]
-            key = loader.key
-          else
-            @errors += loader.errors
-          end
-        else
-          @errors << "CA not initialized. Please set up your CA before attempting to generate certs offline."
-        end
-
-        return signing_cert, key
-      end
-
-      def sign_authorized_cert(int_key, int_cert, csr, alt_names = '')
+      def sign_authorized_cert(csr, alt_names = '')
         cert = OpenSSL::X509::Certificate.new
         cert.public_key = csr.public_key
         cert.subject = csr.subject
-        cert.issuer = int_cert.subject
+        cert.issuer = @cert.subject
         cert.version = 2
         cert.serial = next_serial(@settings[:serial])
         cert.not_before = CERT_VALID_FROM
@@ -127,14 +132,14 @@ module Puppetserver
 
         return unless add_custom_extensions(cert)
 
-        ef = extension_factory_for(int_cert, cert)
+        ef = extension_factory_for(@cert, cert)
         add_authorized_extensions(cert, ef)
 
         if !alt_names.empty?
           add_subject_alt_names_extension(alt_names, cert, ef)
         end
 
-        cert.sign(int_key, @digest)
+        cert.sign(@key, @digest)
 
         cert
       end
@@ -220,12 +225,12 @@ module Puppetserver
       end
 
       def create_intermediate_cert(root_key, root_cert)
-        int_key = @host.create_private_key(@settings[:keylength])
-        int_csr = @host.create_csr(name: @settings[:ca_name], key: int_key)
-        int_cert = sign_intermediate(root_key, root_cert, int_csr)
-        int_crl = create_crl_for(int_cert, int_key)
+        @key = @host.create_private_key(@settings[:keylength])
+        int_csr = @host.create_csr(name: @settings[:ca_name], key: @key)
+        @cert = sign_intermediate(root_key, root_cert, int_csr)
+        @crl = create_crl_for(@cert, @key)
 
-        return int_key, int_cert, int_crl
+        return nil
       end
 
       def sign_intermediate(ca_key, ca_cert, csr)

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.1.2"
+    VERSION = "1.1.3"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 1.1.3
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-10-18 00:00:00.000000000 Z
+date: 2018-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter