puppetserver-ca 1.11.2 → 1.11.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/puppetserver/ca/action/prune.rb +39 -34
- data/lib/puppetserver/ca/utils/http_client.rb +1 -1
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2ed61f842f79da39e22eaaa5dbac6d686b926d68218463f66853021f1ea8554d
|
|
4
|
+
data.tar.gz: a1fe8e9894ac4d55e95f1611e2d6734367fb72f25bca25351402bc1a58ae10b5
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b9a305d5a93fe3a2cd00beff0050de08a162ac637994ab045a53f913ca0c0d216021287857e5211a97cc65a199568242ae993eb1e4af625871616ccaddb7618d
|
|
7
|
+
data.tar.gz: 7e8da70418aeb279c7e094c208719404f1a2140bc72bf080fed9ab085fd6f7744da8e206cb7025d808880a4d5428c973884d417da203264c2ab12d09374635b8
|
|
@@ -31,6 +31,7 @@ BANNER
|
|
|
31
31
|
|
|
32
32
|
def run(inputs)
|
|
33
33
|
config_path = inputs['config']
|
|
34
|
+
exit_code = 0
|
|
34
35
|
|
|
35
36
|
# Validate the config path.
|
|
36
37
|
if config_path
|
|
@@ -49,55 +50,59 @@ BANNER
|
|
|
49
50
|
# Getting the CRL(s)
|
|
50
51
|
loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
|
|
51
52
|
|
|
52
|
-
|
|
53
|
-
number_of_removed_duplicates = prune_CRLs(puppet_crl)
|
|
53
|
+
verified_crls = loader.crls.select { |crl| crl.verify(loader.key) }
|
|
54
54
|
|
|
55
|
-
if
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
55
|
+
if verified_crls.length == 1
|
|
56
|
+
puppet_crl = verified_crls.first
|
|
57
|
+
@logger.inform("Total number of certificates found in Puppet's CRL is: #{puppet_crl.revoked.length}.")
|
|
58
|
+
number_of_removed_duplicates = prune_CRL(puppet_crl)
|
|
59
|
+
|
|
60
|
+
if number_of_removed_duplicates > 0
|
|
61
|
+
update_pruned_CRL(puppet_crl, loader.key)
|
|
62
|
+
FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
|
|
63
|
+
@logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.")
|
|
64
|
+
else
|
|
65
|
+
@logger.inform("No duplicate revocations found in the CRL.")
|
|
66
|
+
end
|
|
59
67
|
else
|
|
60
|
-
@logger.
|
|
68
|
+
@logger.err("Could not identify Puppet's CRL. Aborting prune action.")
|
|
69
|
+
exit_code = 1
|
|
61
70
|
end
|
|
62
71
|
|
|
63
|
-
return
|
|
72
|
+
return exit_code
|
|
64
73
|
end
|
|
65
74
|
|
|
66
|
-
def
|
|
75
|
+
def prune_CRL(crl)
|
|
67
76
|
number_of_removed_duplicates = 0
|
|
68
77
|
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
true
|
|
83
|
-
end
|
|
78
|
+
existed_serial_number = Set.new()
|
|
79
|
+
revoked_list = crl.revoked
|
|
80
|
+
@logger.debug("Pruning duplicate entries in CRL for issuer " \
|
|
81
|
+
"#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
|
|
82
|
+
|
|
83
|
+
revoked_list.delete_if do |revoked|
|
|
84
|
+
if existed_serial_number.add?(revoked.serial)
|
|
85
|
+
false
|
|
86
|
+
else
|
|
87
|
+
number_of_removed_duplicates += 1
|
|
88
|
+
@logger.debug("Removing duplicate of #{revoked.serial}, " \
|
|
89
|
+
"revoked on #{revoked.time}\n") if @logger.debug?
|
|
90
|
+
true
|
|
84
91
|
end
|
|
85
|
-
crl.revoked=(revoked_list)
|
|
86
92
|
end
|
|
93
|
+
crl.revoked=(revoked_list)
|
|
87
94
|
|
|
88
95
|
return number_of_removed_duplicates
|
|
89
96
|
end
|
|
90
97
|
|
|
91
|
-
def update_pruned_CRL(
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
|
|
97
|
-
end
|
|
98
|
-
crl.extensions=(number_ext + other_ext)
|
|
99
|
-
crl.sign(pkey, OpenSSL::Digest::SHA256.new)
|
|
98
|
+
def update_pruned_CRL(crl, pkey)
|
|
99
|
+
number_ext, other_ext = crl.extensions.partition{ |ext| ext.oid == "crlNumber" }
|
|
100
|
+
number_ext.each do |crl_number|
|
|
101
|
+
updated_crl_number = OpenSSL::BN.new(crl_number.value) + OpenSSL::BN.new(1)
|
|
102
|
+
crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
|
|
100
103
|
end
|
|
104
|
+
crl.extensions=(number_ext + other_ext)
|
|
105
|
+
crl.sign(pkey, OpenSSL::Digest::SHA256.new)
|
|
101
106
|
end
|
|
102
107
|
|
|
103
108
|
def self.parser(parsed = {})
|
|
@@ -141,7 +141,7 @@ module Puppetserver
|
|
|
141
141
|
url = protocol + '://' + host + ':' + port + '/' +
|
|
142
142
|
[endpoint, version, resource_type, resource_name].join('/')
|
|
143
143
|
|
|
144
|
-
url = url + "?" + URI.encode_www_form(query) unless query.empty?
|
|
144
|
+
url = url + "?" + URI.encode_www_form(query) unless query.nil? || query.empty?
|
|
145
145
|
return url
|
|
146
146
|
end
|
|
147
147
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppetserver-ca
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.11.
|
|
4
|
+
version: 1.11.3
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-08-
|
|
11
|
+
date: 2021-08-19 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|