puppetserver-ca 1.1.2 → 1.1.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/puppetserver/ca/action/generate.rb +1 -2
- data/lib/puppetserver/ca/action/import.rb +2 -1
- data/lib/puppetserver/ca/action/setup.rb +9 -9
- data/lib/puppetserver/ca/config/puppet.rb +1 -1
- data/lib/puppetserver/ca/local_certificate_authority.rb +36 -31
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +2 -2
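--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 0a642b5be01fd4809412f6c70928f1764a8ed294
+data.tar.gz: edb6b327dc31c877cc69fce0cd9382e73082409d
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6a05b9d88d88098766164e3fc834343461de20d81858a65523e8ad53f179c7f56a4d5b5a43ecdae63e59d1d8ba959ff9ea007e58f4ca1d559d758b2786f4db21
+data.tar.gz: 803bacaad5099f629adeb64cdb86ea711e4a14235714836f9fccd6746fae9d84e66252d51d907d4e15378a5dc6271772b1bc7289e0ce3c996ad9d061cfe9f9cc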
@@ -183,7 +183,6 @@ BANNER
|
|
183
183
|
settings[:publickeydir]])
|
184
184
|
|
185
185
|
ca = Puppetserver::Ca::LocalCertificateAuthority.new(digest, settings)
|
186
|
-
ca_cert, ca_key = ca.load_ca
|
187
186
|
return false if CliParsing.handle_errors(@logger, ca.errors)
|
188
187
|
|
189
188
|
passed = certnames.map do |certname|
|
@@ -197,7 +196,7 @@ BANNER
|
|
197
196
|
key, csr = generate_key_csr(certname, settings, digest)
|
198
197
|
next false unless csr
|
199
198
|
|
200
|
-
cert = ca.sign_authorized_cert(
|
199
|
+
cert = ca.sign_authorized_cert(csr, current_alt_names)
|
201
200
|
next false unless save_file(cert.to_pem, certname, settings[:certdir], "Certificate")
|
202
201
|
next false unless save_file(cert.to_pem, certname, settings[:signeddir], "Certificate")
|
203
202
|
next false unless save_keys(certname, settings, key)
|
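Review bot: The guard that rejected an uninitialised CA is gone: the removed `ca.load_ca` pushed "CA not initialized…" when cacert/cakey/cacrl were absent, but the constructor that replaces it only records an error when the files exist and fail to load, so with no CA on disk `ca.errors` is empty, the `handle_errors` check passes, and `ca.sign_authorized_cert(csr, current_alt_names)` fails with a NoMethodError on a nil `@cert` instead of a message (unless something earlier in this method, which starts before the first hunk, already checks for the files). I would make the check explicit before signing: `errors = ca.errors` / `errors += ["CA not initialized. Please set up your CA before attempting to generate certs offline."] unless ca.cert && ca.key` / `return false if CliParsing.handle_errors(@logger, errors)`. The new call also discards a nil return from `sign_authorized_cert` (it returns nil when `add_custom_extensions` fails), so `cert.to_pem` on the following line can still raise; `next false unless cert` right after the call would route that through the existing failure path.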
@@ -73,7 +73,8 @@ BANNER
|
|
73
73
|
|
74
74
|
def import(loader, settings, signing_digest)
|
75
75
|
ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
|
76
|
-
|
76
|
+
ca.load_ssl_components(loader)
|
77
|
+
master_key, master_cert = ca.create_master_cert
|
77
78
|
return ca.errors if ca.errors.any?
|
78
79
|
|
79
80
|
FileSystem.ensure_dirs([settings[:ssldir],
|
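Review bot: `ca.load_ssl_components(loader)` copies `loader.certs.first`, `loader.key` and `loader.crls.first` without looking at `loader.errors`, and `create_master_cert` then signs with whatever was loaded before `return ca.errors if ca.errors.any?` runs; if the caller of `import` (the method starts in this hunk but its body continues past it) does not already validate the loader, a bad import bundle ends in a NoMethodError on a nil `@cert` rather than a reported error. A one-line guard before the load, `return loader.errors if loader.errors.any?`, closes that. Note also that the constructor on the line above now eagerly loads any existing cacert/cakey/cacrl and puts loader failures into `ca.errors`, so a corrupt pre-existing CA will abort the import with the generate-oriented message "CA not initialized. Please set up your CA before attempting to generate certs offline." — worth either checking `ca.errors` immediately after construction or making that message action-neutral.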
@@ -77,8 +77,8 @@ BANNER
|
|
77
77
|
ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
|
78
78
|
|
79
79
|
root_key, root_cert, root_crl = ca.create_root_cert
|
80
|
-
|
81
|
-
master_key, master_cert = ca.create_master_cert
|
80
|
+
ca.create_intermediate_cert(root_key, root_cert)
|
81
|
+
master_key, master_cert = ca.create_master_cert
|
82
82
|
return ca.errors if ca.errors.any?
|
83
83
|
|
84
84
|
FileSystem.ensure_dirs([settings[:ssldir],
|
@@ -89,14 +89,14 @@ BANNER
|
|
89
89
|
settings[:signeddir]])
|
90
90
|
|
91
91
|
public_files = [
|
92
|
-
[settings[:cacert], [
|
93
|
-
[settings[:cacrl], [
|
94
|
-
[settings[:cadir] + '/infra_crl.pem', [
|
92
|
+
[settings[:cacert], [ca.cert, root_cert]],
|
93
|
+
[settings[:cacrl], [ca.crl, root_crl]],
|
94
|
+
[settings[:cadir] + '/infra_crl.pem', [ca.crl, root_crl]],
|
95
95
|
[settings[:hostcert], master_cert],
|
96
|
-
[settings[:localcacert], [
|
97
|
-
[settings[:hostcrl], [
|
96
|
+
[settings[:localcacert], [ca.cert, root_cert]],
|
97
|
+
[settings[:hostcrl], [ca.crl, root_crl]],
|
98
98
|
[settings[:hostpubkey], master_key.public_key],
|
99
|
-
[settings[:capub],
|
99
|
+
[settings[:capub], ca.key.public_key],
|
100
100
|
[settings[:cert_inventory], ca.inventory_entry(master_cert)],
|
101
101
|
[settings[:cadir] + '/infra_inventory.txt', ''],
|
102
102
|
[settings[:cadir] + '/infra_serials', ''],
|
@@ -107,7 +107,7 @@ BANNER
|
|
107
107
|
private_files = [
|
108
108
|
[settings[:hostprivkey], master_key],
|
109
109
|
[settings[:rootkey], root_key],
|
110
|
-
[settings[:cakey],
|
110
|
+
[settings[:cakey], ca.key],
|
111
111
|
]
|
112
112
|
|
113
113
|
files_to_check = public_files + private_files
|
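Review bot: `ca.errors` can already be non-empty immediately after `LocalCertificateAuthority.new` at the top of the first hunk, because the constructor now loads any existing cacert/cakey/cacrl and collects loader failures, yet setup only inspects it after root, intermediate and master keys have all been generated; `return ca.errors if ca.errors.any?` placed directly after construction would report a broken pre-existing CA before any new key material is created and before `create_intermediate_cert` overwrites the loaded `@key`/`@cert`/`@crl`. The message that would surface ("CA not initialized. Please set up your CA before attempting to generate certs offline.") is phrased for the generate action, which is confusing coming from setup, though fixing the wording belongs in local_certificate_authority.rb. `ca.create_intermediate_cert(root_key, root_cert)` returns nil and works entirely by side effect, which the later `ca.cert`/`ca.crl`/`ca.key` entries in `public_files` and `private_files` depend on; a comment on the call, `# populates ca.key, ca.cert and ca.crl used below`, would make that dependence visible. The setup method starts before the first hunk and ends after the last.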
@@ -104,7 +104,7 @@ module Puppetserver
|
|
104
104
|
[:cadir, '$ssldir/ca'],
|
105
105
|
[:certdir, '$ssldir/certs'],
|
106
106
|
[:certname, default_certname],
|
107
|
-
[:server, '
|
107
|
+
[:server, 'puppet'],
|
108
108
|
[:masterport, '8140'],
|
109
109
|
[:privatekeydir, '$ssldir/private_keys'],
|
110
110
|
[:publickeydir, '$ssldir/public_keys'],
|
@@ -1,5 +1,6 @@
|
|
1
1
|
require 'puppetserver/ca/host'
|
2
2
|
require 'puppetserver/ca/utils/file_system'
|
3
|
+
require 'puppetserver/ca/x509_loader'
|
3
4
|
|
4
5
|
require 'openssl'
|
5
6
|
|
@@ -36,11 +37,35 @@ module Puppetserver
|
|
36
37
|
["authorityKeyIdentifier", "keyid:always", false]
|
37
38
|
].freeze
|
38
39
|
|
40
|
+
attr_reader :cert, :key, :crl
|
41
|
+
|
39
42
|
def initialize(digest, settings)
|
40
43
|
@digest = digest
|
41
44
|
@host = Host.new(digest)
|
42
45
|
@settings = settings
|
43
46
|
@errors = []
|
47
|
+
|
48
|
+
if ssl_assets_exist?
|
49
|
+
loader = Puppetserver::Ca::X509Loader.new(@settings[:cacert], @settings[:cakey], @settings[:cacrl])
|
50
|
+
if loader.errors.empty?
|
51
|
+
load_ssl_components(loader)
|
52
|
+
else
|
53
|
+
@errors += loader.errors
|
54
|
+
@errors << "CA not initialized. Please set up your CA before attempting to generate certs offline."
|
55
|
+
end
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
59
|
+
def ssl_assets_exist?
|
60
|
+
File.exist?(@settings[:cacert]) &&
|
61
|
+
File.exist?(@settings[:cakey]) &&
|
62
|
+
File.exist?(@settings[:cacrl])
|
63
|
+
end
|
64
|
+
|
65
|
+
def load_ssl_components(loader)
|
66
|
+
@cert = loader.certs.first
|
67
|
+
@key = loader.key
|
68
|
+
@crl = loader.crls.first
|
44
69
|
end
|
45
70
|
|
46
71
|
def errors
|
@@ -76,7 +101,7 @@ module Puppetserver
|
|
76
101
|
time.strftime('%Y-%m-%dT%H:%M:%S%Z')
|
77
102
|
end
|
78
103
|
|
79
|
-
def create_master_cert
|
104
|
+
def create_master_cert
|
80
105
|
master_cert = nil
|
81
106
|
master_key = @host.create_private_key(@settings[:keylength],
|
82
107
|
@settings[:hostprivkey],
|
@@ -89,37 +114,17 @@ module Puppetserver
|
|
89
114
|
alt_names = @settings[:subject_alt_names]
|
90
115
|
end
|
91
116
|
|
92
|
-
master_cert = sign_authorized_cert(
|
117
|
+
master_cert = sign_authorized_cert(master_csr, alt_names)
|
93
118
|
end
|
94
119
|
|
95
120
|
return master_key, master_cert
|
96
121
|
end
|
97
122
|
|
98
|
-
|
99
|
-
def load_ca
|
100
|
-
signing_cert = nil
|
101
|
-
key = nil
|
102
|
-
|
103
|
-
if File.exist?(@settings[:cacert]) && File.exist?(@settings[:cakey]) && File.exist?(@settings[:cacrl])
|
104
|
-
loader = Puppetserver::Ca::X509Loader.new(@settings[:cacert], @settings[:cakey], @settings[:cacrl])
|
105
|
-
if loader.errors.empty?
|
106
|
-
signing_cert = loader.certs[0]
|
107
|
-
key = loader.key
|
108
|
-
else
|
109
|
-
@errors += loader.errors
|
110
|
-
end
|
111
|
-
else
|
112
|
-
@errors << "CA not initialized. Please set up your CA before attempting to generate certs offline."
|
113
|
-
end
|
114
|
-
|
115
|
-
return signing_cert, key
|
116
|
-
end
|
117
|
-
|
118
|
-
def sign_authorized_cert(int_key, int_cert, csr, alt_names = '')
|
123
|
+
def sign_authorized_cert(csr, alt_names = '')
|
119
124
|
cert = OpenSSL::X509::Certificate.new
|
120
125
|
cert.public_key = csr.public_key
|
121
126
|
cert.subject = csr.subject
|
122
|
-
cert.issuer =
|
127
|
+
cert.issuer = @cert.subject
|
123
128
|
cert.version = 2
|
124
129
|
cert.serial = next_serial(@settings[:serial])
|
125
130
|
cert.not_before = CERT_VALID_FROM
|
@@ -127,14 +132,14 @@ module Puppetserver
|
|
127
132
|
|
128
133
|
return unless add_custom_extensions(cert)
|
129
134
|
|
130
|
-
ef = extension_factory_for(
|
135
|
+
ef = extension_factory_for(@cert, cert)
|
131
136
|
add_authorized_extensions(cert, ef)
|
132
137
|
|
133
138
|
if !alt_names.empty?
|
134
139
|
add_subject_alt_names_extension(alt_names, cert, ef)
|
135
140
|
end
|
136
141
|
|
137
|
-
cert.sign(
|
142
|
+
cert.sign(@key, @digest)
|
138
143
|
|
139
144
|
cert
|
140
145
|
end
|
@@ -220,12 +225,12 @@ module Puppetserver
|
|
220
225
|
end
|
221
226
|
|
222
227
|
def create_intermediate_cert(root_key, root_cert)
|
223
|
-
|
224
|
-
int_csr = @host.create_csr(name: @settings[:ca_name], key:
|
225
|
-
|
226
|
-
|
228
|
+
@key = @host.create_private_key(@settings[:keylength])
|
229
|
+
int_csr = @host.create_csr(name: @settings[:ca_name], key: @key)
|
230
|
+
@cert = sign_intermediate(root_key, root_cert, int_csr)
|
231
|
+
@crl = create_crl_for(@cert, @key)
|
227
232
|
|
228
|
-
return
|
233
|
+
return nil
|
229
234
|
end
|
230
235
|
|
231
236
|
def sign_intermediate(ca_key, ca_cert, csr)
|
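Review bot: `sign_authorized_cert` (its body is split across the `@@ -89,37` and `@@ -127,14` hunks) now dereferences `@cert.subject` and signs with `@key` without checking that either was loaded or created, and the constructor — apparently deliberately, since setup and import construct the class before any CA exists — no longer adds an error when the CA files are simply absent, so a caller that reaches this method before setup gets a NoMethodError rather than the "CA not initialized" message the class still defines. Because the method already has a nil-returning failure path (`return unless add_custom_extensions(cert)`), I would add a guard at its top that pushes that message onto `@errors` and returns nil, as below. `load_ssl_components` has the same gap: it takes `loader.certs.first` / `loader.crls.first` without consulting `loader.errors`, so an empty loader silently leaves `@cert`/`@crl` nil; at minimum a comment such as `# caller must have verified loader.errors is empty` should state that expectation. `create_intermediate_cert` also proceeds unconditionally from `@host.create_private_key` to `create_csr` and `sign_intermediate`, whereas `create_master_cert` guards its signing step, so if key creation can fail and return nil (not visible here) the intermediate path would continue with a nil key.
```ruby
    def sign_authorized_cert(csr, alt_names = '')
      # Refuse to sign until CA material has been loaded or created; the
      # constructor no longer reports a missing CA, so without this a
      # caller that skipped setup would hit NoMethodError on nil @cert.
      unless @cert && @key
        @errors << "CA not initialized. Please set up your CA before attempting to generate certs offline."
        return nil
      end
      # … unchanged: build cert from csr, add extensions, cert.sign(@key, @digest) …
```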
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppetserver-ca
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.1.
|
4
|
+
version: 1.1.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Puppet, Inc.
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-
|
11
|
+
date: 2018-11-16 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: facter
|