puppetserver-ca 1.3.2 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7d21f7cdfd7425e4c88f7393fdd78534437eee25
-  data.tar.gz: 80a876597aa720abd453663da272579f95361248
+  metadata.gz: e7759fd051a92708f8ac8aad4b8e89a636472b05
+  data.tar.gz: f3cfd8de0bbdd17fd5c0f13656486dbbdbc243f1
 SHA512:
-  metadata.gz: 778cdc29b03bf61bde662da6c5f8796616c1aead0bb72e136a0e688d7dd7fec552dce878eb043f51252de650d86f8c10c76811125988302d67125dce67ce9fc0
-  data.tar.gz: 96602ab1cf6da30af50fd1b50aaac4a96a936f35c60e7e2d6acec10a4e63fbb8888f586b28b517e291b524a1dea070b84425ff7d8e08fec2cecf5ce4b0dd2b54
+  metadata.gz: bbaac0d6e00a9ed1d30dfb5f0ccc1d92e459fc07aaecb0fa2e8cdf61a320d3baf63d3752bf3adf1f4dacf9f25d051f4f239139bf45c4842975448e154e9353d0
+  data.tar.gz: 1de3171122351341e0eb50ac675c6f168a8b6df37209f6e50723528485a120cf3fbdef023d28c066a80fd64b1a8f125930d81a620e4966e22bdb7468000fd0a1

data/lib/puppetserver/ca/action/import.rb

@@ -71,7 +71,7 @@ BANNER
 
         def import(loader, settings, signing_digest)
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
-          ca.load_ssl_components(loader)
+          ca.initialize_ssl_components(loader)
           master_key, master_cert = ca.create_master_cert
           return ca.errors if ca.errors.any?
 

data/lib/puppetserver/ca/local_certificate_authority.rb

@@ -70,6 +70,35 @@ module Puppetserver
         @crl = loader.crl
       end
 
+      # Initialize SSL state
+      #
+      # This method is similar to {#load_ssl_components}, but has extra
+      # logic for initializing components that may not be present when
+      # the CA is set up for the first time. For example, SSL components
+      # provided by an external CA will often not include a pre-generated
+      # leaf CRL.
+      #
+      # @note Check {#errors} after calling this method for issues that
+      #   may have occurred during initialization.
+      #
+      # @param loader [Puppetserver::Ca::X509Loader]
+      # @return [void]
+      def initialize_ssl_components(loader)
+        @cert_bundle = loader.certs
+        @key = loader.key
+        @cert = loader.cert
+
+        if loader.crl.nil?
+          loader.crl = create_crl_for(@cert, @key)
+
+          loader.validate_full_chain(@cert_bundle, loader.crls)
+          @errors += loader.errors
+        end
+
+        @crl_chain = loader.crls
+        @crl = loader.crl
+      end
+
       def errors
         @errors += @host.errors
       end
@@ -93,7 +122,7 @@ module Puppetserver
 
       def next_serial(serial_file)
         if File.exist?(serial_file)
-          File.read(serial_file).to_i
+          File.read(serial_file).to_i(16)
         else
           1
         end
@@ -259,7 +288,7 @@ module Puppetserver
       end
 
       def update_serial_file(serial)
-        Puppetserver::Ca::Utils::FileSystem.write_file(@settings[:serial], serial, 0644)
+        Puppetserver::Ca::Utils::FileSystem.write_file(@settings[:serial], serial.to_s(16), 0644)
       end
     end
   end

data/lib/puppetserver/ca/version.rb

@@ -1,5 +1,5 @@
 module Puppetserver
   module Ca
-    VERSION = "1.3.2"
+    VERSION = "1.4.0"
   end
 end

data/lib/puppetserver/ca/x509_loader.rb

@@ -33,6 +33,10 @@ module Puppetserver
         signing_cert
       end
 
+      # Find a CRL in the chain issued by the signing cert
+      #
+      # @return [OpenSSL::X509::CRL] If a CRL is found.
+      # @return [nil] If no CRL is found.
       def find_leaf_crl
         return if @crls.empty? || @cert.nil?
 
@@ -40,10 +44,6 @@ module Puppetserver
           crl.issuer == @cert.subject
         end
 
-        if leaf_crl.nil?
-          @errors << 'Could not find CRL issued by CA certificate'
-        end
-
         leaf_crl
       end
 
@@ -59,7 +59,7 @@ module Puppetserver
           validate_cert_and_key(pkey, @cert)
         end
 
-        unless bundle.empty? || @cert.nil?
+        unless bundle.empty? || @cert.nil? || @crl.nil?
           validate_full_chain(bundle, chain)
         end
       end
@@ -124,6 +124,15 @@ module Puppetserver
         return crls
       end
 
+      # Replace the CRL for the signing cert of this loader
+      #
+      # @param new_crl [OpenSSL::X509::CRL]
+      # @return [void]
+      def crl=(new_crl)
+        @crl = new_crl
+        @crls = [new_crl] + @crls.reject {|c| c.issuer == new_crl.issuer }
+      end
+
       def validate_cert_and_key(key, cert)
         unless cert.check_private_key(key)
           @errors << 'Private key and certificate do not match'

data/puppetserver-ca.gemspec

@@ -16,11 +16,13 @@ Gem::Specification.new do |spec|
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
   spec.add_runtime_dependency "facter", [">= 2.0.1", "< 4"]
 
-  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "bundler", ">= 1.16"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec", "~> 3.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppetserver-ca
 version: !ruby/object:Gem::Version
-  version: 1.3.2
+  version: 1.4.0
 platform: ruby
 authors:
 - Puppet, Inc.
 autorequire: 
-bindir: bin
+bindir: exe
 cert_chain: []
-date: 2019-07-16 00:00:00.000000000 Z
+date: 2019-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: facter
@@ -34,14 +34,14 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.16'
 - !ruby/object:Gem::Dependency
@@ -75,7 +75,8 @@ dependencies:
 description: 
 email:
 - release@puppet.com
-executables: []
+executables:
+- puppetserver-ca
 extensions: []
 extra_rdoc_files: []
 files: