Class: Puppet::SSL::CertificateAuthority
- Extended by:
- MonitorMixin
- Defined in:
- lib/vendor/puppet/ssl/certificate_authority.rb,
lib/vendor/puppet/ssl/certificate_authority/interface.rb
Overview
The class that knows how to sign certificates. It creates a ‘special’ SSL::Host whose name is ‘ca’, thus indicating that, well, it’s the CA. There’s some magic in the indirector/ssl_file terminus base class that does that for us.
This class mostly just signs certs for us, but
it can also be seen as a general interface into all of the SSL stuff.
Defined Under Namespace
Classes: CertificateSigningError, CertificateVerificationError, Interface
Constant Summary collapse
- RequestExtensionWhitelist =
We will only sign extensions on this whitelist, ever. Any CSR with a requested extension that we don’t recognize is rejected, against the risk that it will introduce some security issue through our ignorance of it.
Adding an extension to this whitelist simply means we will consider it further, not that we will always accept a certificate with an extension requested on this list.
%w{subjectAltName}
Instance Attribute Summary collapse
-
#host ⇒ Object
readonly
Returns the value of attribute host.
-
#name ⇒ Object
readonly
Returns the value of attribute name.
Class Method Summary collapse
- .ca? ⇒ Boolean
-
.instance ⇒ Object
If this process can function as a CA, then return a singleton instance.
- .singleton_instance ⇒ Object
Instance Method Summary collapse
-
#apply(method, options) ⇒ Object
Create and run an applicator.
-
#autosign ⇒ Object
If autosign is configured, then autosign all CSRs that match our configuration.
-
#autosign? ⇒ Boolean
Do we autosign? This returns true, false, or a filename.
-
#autosign_store(file) ⇒ Object
Create an AuthStore for autosigning.
- #check_internal_signing_policies(hostname, csr, allow_dns_alt_names) ⇒ Object
-
#crl ⇒ Object
Retrieve (or create, if necessary) the certificate revocation list.
-
#destroy(name) ⇒ Object
Delegate this to our Host class.
- #fingerprint(name, md = :MD5) ⇒ Object
-
#generate(name, options = {}) ⇒ Object
Generate a new certificate.
-
#generate_ca_certificate ⇒ Object
Generate our CA certificate.
-
#generate_password ⇒ Object
Generate a new password for the CA.
-
#initialize ⇒ CertificateAuthority
constructor
A new instance of CertificateAuthority.
-
#inventory ⇒ Object
Retrieve (or create, if necessary) our inventory manager.
-
#list ⇒ Object
List all signed certificates.
-
#next_serial ⇒ Object
Read the next serial from the serial file, and increment the file so this one is considered used.
-
#password? ⇒ Boolean
Does the password file exist?.
-
#print(name) ⇒ Object
Print a given host’s certificate as text.
-
#revoke(name) ⇒ Object
Revoke a given certificate.
-
#setup ⇒ Object
This initializes our CA so it actually works.
-
#sign(hostname, allow_dns_alt_names = false, self_signing_csr = nil) ⇒ Object
Sign a given certificate request.
-
#verify(name) ⇒ Object
Verify a given host’s certificate.
-
#waiting? ⇒ Boolean
List the waiting certificate requests.
Constructor Details
#initialize ⇒ CertificateAuthority
Returns a new instance of CertificateAuthority.
162 163 164 165 166 167 168 169 170 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 162 def initialize Puppet.settings.use :main, :ssl, :ca @name = Puppet[:certname] @host = Puppet::SSL::Host.new(Puppet::SSL::Host.ca_name) setup end |
Instance Attribute Details
#host ⇒ Object (readonly)
Returns the value of attribute host.
67 68 69 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 67 def host @host end |
#name ⇒ Object (readonly)
Returns the value of attribute name.
67 68 69 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 67 def name @name end |
Class Method Details
.ca? ⇒ Boolean
53 54 55 56 57 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 53 def self.ca? return false unless Puppet[:ca] return false unless Puppet.run_mode.master? true end |
.instance ⇒ Object
If this process can function as a CA, then return a singleton instance.
61 62 63 64 65 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 61 def self.instance return nil unless ca? singleton_instance end |
.singleton_instance ⇒ Object
39 40 41 42 43 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 39 def self.singleton_instance synchronize do @singleton_instance ||= new end end |
Instance Method Details
#apply(method, options) ⇒ Object
Create and run an applicator. I wanted to build an interface where you could do something like ‘ca.apply(:generate).to(:all) but I don’t think it’s really possible.
71 72 73 74 75 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 71 def apply(method, ) raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all" unless [:to] applier = Interface.new(method, ) applier.apply(self) end |
#autosign ⇒ Object
If autosign is configured, then autosign all CSRs that match our configuration.
78 79 80 81 82 83 84 85 86 87 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 78 def autosign return unless auto = autosign? store = nil store = autosign_store(auto) if auto != true Puppet::SSL::CertificateRequest.indirection.search("*").each do |csr| sign(csr.name) if auto == true or store.allowed?(csr.name, "127.1.1.1") end end |
#autosign? ⇒ Boolean
Do we autosign? This returns true, false, or a filename.
90 91 92 93 94 95 96 97 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 90 def autosign? auto = Puppet[:autosign] return false if ['false', false].include?(auto) return true if ['true', true].include?(auto) raise ArgumentError, "The autosign configuration '#{auto}' must be a fully qualified file" unless auto =~ /^\// FileTest.exist?(auto) && auto end |
#autosign_store(file) ⇒ Object
Create an AuthStore for autosigning.
100 101 102 103 104 105 106 107 108 109 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 100 def autosign_store(file) auth = Puppet::Network::AuthStore.new File.readlines(file).each do |line| next if line =~ /^\s*#/ next if line =~ /^\s*$/ auth.allow(line.chomp) end auth end |
#check_internal_signing_policies(hostname, csr, allow_dns_alt_names) ⇒ Object
298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 298 def check_internal_signing_policies(hostname, csr, allow_dns_alt_names) # Reject unknown request extensions. unknown_req = csr.request_extensions. reject {|x| RequestExtensionWhitelist.include? x["oid"] } if unknown_req and not unknown_req.empty? names = unknown_req.map {|x| x["oid"] }.sort.uniq.join(", ") raise CertificateSigningError.new(hostname), "CSR has request extensions that are not permitted: #{names}" end # Do not sign misleading CSRs cn = csr.content.subject.to_a.assoc("CN")[1] if hostname != cn raise CertificateSigningError.new(hostname), "CSR subject common name #{cn.inspect} does not match expected certname #{hostname.inspect}" end if hostname !~ Puppet::SSL::Base::VALID_CERTNAME raise CertificateSigningError.new(hostname), "CSR #{hostname.inspect} subject contains unprintable or non-ASCII characters" end # Wildcards: we don't allow 'em at any point. # # The stringification here makes the content visible, and saves us having # to scrobble through the content of the CSR subject field to make sure it # is what we expect where we expect it. if csr.content.subject.to_s.include? '*' raise CertificateSigningError.new(hostname), "CSR subject contains a wildcard, which is not allowed: #{csr.content.subject.to_s}" end unless csr.subject_alt_names.empty? # If you alt names are allowed, they are required. Otherwise they are # disallowed. Self-signed certs are implicitly trusted, however. unless allow_dns_alt_names raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains subject alternative names (#{csr.subject_alt_names.join(', ')}), which are disallowed. Use `puppet cert --allow-dns-alt-names sign #{csr.name}` to sign this request." end # If subjectAltNames are present, validate that they are only for DNS # labels, not any other kind. unless csr.subject_alt_names.all? {|x| x =~ /^DNS:/ } raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' contains a subjectAltName outside the DNS label space: #{csr.subject_alt_names.join(', ')}. To continue, this CSR needs to be cleaned." end # Check for wildcards in the subjectAltName fields too. if csr.subject_alt_names.any? {|x| x.include? '*' } raise CertificateSigningError.new(hostname), "CSR '#{csr.name}' subjectAltName contains a wildcard, which is not allowed: #{csr.subject_alt_names.join(', ')} To continue, this CSR needs to be cleaned." end end return true # good enough for us! end |
#crl ⇒ Object
Retrieve (or create, if necessary) the certificate revocation list.
112 113 114 115 116 117 118 119 120 121 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 112 def crl unless defined?(@crl) unless @crl = Puppet::SSL::CertificateRevocationList.indirection.find(Puppet::SSL::CA_NAME) @crl = Puppet::SSL::CertificateRevocationList.new(Puppet::SSL::CA_NAME) @crl.generate(host.certificate.content, host.key.content) Puppet::SSL::CertificateRevocationList.indirection.save(@crl) end end @crl end |
#destroy(name) ⇒ Object
Delegate this to our Host class.
124 125 126 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 124 def destroy(name) Puppet::SSL::Host.destroy(name) end |
#fingerprint(name, md = :MD5) ⇒ Object
363 364 365 366 367 368 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 363 def fingerprint(name, md = :MD5) unless cert = Puppet::SSL::Certificate.indirection.find(name) || Puppet::SSL::CertificateRequest.indirection.find(name) raise ArgumentError, "Could not find a certificate or csr for #{name}" end cert.fingerprint(md) end |
#generate(name, options = {}) ⇒ Object
Generate a new certificate.
129 130 131 132 133 134 135 136 137 138 139 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 129 def generate(name, = {}) raise ArgumentError, "A Certificate already exists for #{name}" if Puppet::SSL::Certificate.indirection.find(name) host = Puppet::SSL::Host.new(name) # Pass on any requested subjectAltName field. san = [:dns_alt_names] host = Puppet::SSL::Host.new(name) host.generate_certificate_request(:dns_alt_names => san) sign(name, !!san) end |
#generate_ca_certificate ⇒ Object
Generate our CA certificate.
142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 142 def generate_ca_certificate generate_password unless password? host.generate_key unless host.key # Create a new cert request. We do this specially, because we don't want # to actually save the request anywhere. request = Puppet::SSL::CertificateRequest.new(host.name) # We deliberately do not put any subjectAltName in here: the CA # certificate absolutely does not need them. --daniel 2011-10-13 request.generate(host.key) # Create a self-signed certificate. @certificate = sign(host.name, false, request) # And make sure we initialize our CRL. crl end |
#generate_password ⇒ Object
Generate a new password for the CA.
178 179 180 181 182 183 184 185 186 187 188 189 190 191 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 178 def generate_password pass = "" 20.times { pass += (rand(74) + 48).chr } begin Puppet.settings.write(:capass) { |f| f.print pass } rescue Errno::EACCES => detail raise Puppet::Error, "Could not write CA password: #{detail}" end @password = pass pass end |
#inventory ⇒ Object
Retrieve (or create, if necessary) our inventory manager.
173 174 175 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 173 def inventory @inventory ||= Puppet::SSL::Inventory.new end |
#list ⇒ Object
List all signed certificates.
194 195 196 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 194 def list Puppet::SSL::Certificate.indirection.search("*").collect { |c| c.name } end |
#next_serial ⇒ Object
Read the next serial from the serial file, and increment the file so this one is considered used.
200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 200 def next_serial serial = nil # This is slightly odd. If the file doesn't exist, our readwritelock creates # it, but with a mode we can't actually read in some cases. So, use # a default before the lock. serial = 0x1 unless FileTest.exist?(Puppet[:serial]) Puppet.settings.readwritelock(:serial) { |f| serial ||= File.read(Puppet.settings[:serial]).chomp.hex if FileTest.exist?(Puppet[:serial]) # We store the next valid serial, not the one we just used. f << "%04X" % (serial + 1) } serial end |
#password? ⇒ Boolean
Does the password file exist?
219 220 221 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 219 def password? FileTest.exist? Puppet[:capass] end |
#print(name) ⇒ Object
Print a given host’s certificate as text.
224 225 226 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 224 def print(name) (cert = Puppet::SSL::Certificate.indirection.find(name)) ? cert.to_text : nil end |
#revoke(name) ⇒ Object
Revoke a given certificate.
229 230 231 232 233 234 235 236 237 238 239 240 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 229 def revoke(name) raise ArgumentError, "Cannot revoke certificates when the CRL is disabled" unless crl if cert = Puppet::SSL::Certificate.indirection.find(name) serial = cert.content.serial elsif name =~ /^0x[0-9A-Fa-f]+$/ serial = name.hex elsif ! serial = inventory.serial(name) raise ArgumentError, "Could not find a serial number for #{name}" end crl.revoke(serial, host.key.content) end |
#setup ⇒ Object
This initializes our CA so it actually works. This should be a private method, except that you can’t any-instance stub private methods, which is awesome. This method only really exists to provide a stub-point during testing.
246 247 248 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 246 def setup generate_ca_certificate unless @host.certificate end |
#sign(hostname, allow_dns_alt_names = false, self_signing_csr = nil) ⇒ Object
Sign a given certificate request.
251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 251 def sign(hostname, allow_dns_alt_names = false, self_signing_csr = nil) # This is a self-signed certificate if self_signing_csr # # This is a self-signed certificate, which is for the CA. Since this # # forces the certificate to be self-signed, anyone who manages to trick # # the system into going through this path gets a certificate they could # # generate anyway. There should be no security risk from that. csr = self_signing_csr cert_type = :ca issuer = csr.content else allow_dns_alt_names = true if hostname == Puppet[:certname].downcase unless csr = Puppet::SSL::CertificateRequest.indirection.find(hostname) raise ArgumentError, "Could not find certificate request for #{hostname}" end cert_type = :server issuer = host.certificate.content # Make sure that the CSR conforms to our internal signing policies. # This will raise if the CSR doesn't conform, but just in case... check_internal_signing_policies(hostname, csr, allow_dns_alt_names) or raise CertificateSigningError.new(hostname), "CSR had an unknown failure checking internal signing policies, will not sign!" end cert = Puppet::SSL::Certificate.new(hostname) cert.content = Puppet::SSL::CertificateFactory. build(cert_type, csr, issuer, next_serial) cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new) Puppet.notice "Signed certificate request for #{hostname}" # Add the cert to the inventory before we save it, since # otherwise we could end up with it being duplicated, if # this is the first time we build the inventory file. inventory.add(cert) # Save the now-signed cert. This should get routed correctly depending # on the certificate type. Puppet::SSL::Certificate.indirection.save(cert) # And remove the CSR if this wasn't self signed. Puppet::SSL::CertificateRequest.indirection.destroy(csr.name) unless self_signing_csr cert end |
#verify(name) ⇒ Object
Verify a given host’s certificate.
350 351 352 353 354 355 356 357 358 359 360 361 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 350 def verify(name) unless cert = Puppet::SSL::Certificate.indirection.find(name) raise ArgumentError, "Could not find a certificate for #{name}" end store = OpenSSL::X509::Store.new store.add_file Puppet[:cacert] store.add_crl crl.content if self.crl store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] raise CertificateVerificationError.new(store.error), store.error_string unless store.verify(cert.content) end |
#waiting? ⇒ Boolean
List the waiting certificate requests.
371 372 373 |
# File 'lib/vendor/puppet/ssl/certificate_authority.rb', line 371 def waiting? Puppet::SSL::CertificateRequest.indirection.search("*").collect { |r| r.name } end |