Class: Puppet::SSLCertificates::Certificate

Inherits:

Object

• Object
• Puppet::SSLCertificates::Certificate

Defined in:

lib/puppet/sslcertificates/certificate.rb

Constant Summary

SSLCertificates =

Puppet::SSLCertificates

@@params2names =

{
  :name       => "CN",
  :state      => "ST",
  :country    => "C",
  :email      => "emailAddress",
  :org        => "O",
  :city       => "L",
  :ou         => "OU"
}

Instance Attribute Summary

• #cacert ⇒ Object

  Returns the value of attribute cacert.

• #cert ⇒ Object

  Returns the value of attribute cert.

• #certfile ⇒ Object

  Returns the value of attribute certfile.

• #csr ⇒ Object

  Returns the value of attribute csr.

• #dir ⇒ Object

  Returns the value of attribute dir.

• #hash ⇒ Object

  Returns the value of attribute hash.

• #key ⇒ Object

  Returns the value of attribute key.

• #keyfile ⇒ Object

  Returns the value of attribute keyfile.

• #name ⇒ Object

  Returns the value of attribute name.

• #type ⇒ Object

  Returns the value of attribute type.

Instance Method Summary

• #certname ⇒ Object
• #delete ⇒ Object
• #exists? ⇒ Boolean
• #getkey ⇒ Object
• #initialize(hash) ⇒ Certificate constructor

  A new instance of Certificate.

• #mkcsr ⇒ Object

  this only works for servers, not for users.

• #mkkey ⇒ Object
• #mkselfsigned ⇒ Object
• #subject(string = false) ⇒ Object
• #verify ⇒ Object

  verify that we can track down the cert chain or whatever.

• #write ⇒ Object

Constructor Details

#initialize(hash) ⇒ Certificate

Returns a new instance of Certificate.

Raises:

• (Puppet::Error)

# File 'lib/puppet/sslcertificates/certificate.rb', line 52

def initialize(hash)
  raise Puppet::Error, "You must specify the common name for the certificate" unless hash.include?(:name)
  @name = hash[:name]

  # init a few variables
  @cert = @key = @csr = nil

  if hash.include?(:cert)
    @certfile = hash[:cert]
    @dir = File.dirname(@certfile)
  else
    @dir = hash[:dir] || Puppet[:certdir]
    @certfile = File.join(@dir, @name)
  end

  @cacertfile ||= File.join(Puppet[:certdir], "ca.pem")

  Puppet.recmkdir(@dir) unless FileTest.directory?(@dir)

  unless @certfile =~ /\.pem$/
    @certfile += ".pem"
  end
  @keyfile = hash[:key] || File.join(
    Puppet[:privatekeydir], [@name,"pem"].join(".")
  )
  Puppet.recmkdir(@dir) unless FileTest.directory?(@dir)

  [@keyfile].each { |file|
    dir = File.dirname(file)

    Puppet.recmkdir(dir) unless FileTest.directory?(dir)
  }

  @ttl = hash[:ttl] || 365 * 24 * 60 * 60
  @selfsign = hash[:selfsign] || false
  @encrypt = hash[:encrypt] || false
  @replace = hash[:replace] || false
  @issuer = hash[:issuer] || nil

  if hash.include?(:type)
    case hash[:type]
    when :ca, :client, :server; @type = hash[:type]
    else
      raise "Invalid Cert type #{hash[:type]}"
    end
  else
    @type = :client
  end

  @params = {:name => @name}
  [:state, :country, :email, :org, :ou].each { |param|
    @params[param] = hash[param] if hash.include?(param)
  }

  if @encrypt
    if @encrypt =~ /^\//
      File.open(@encrypt) { |f|
        @password = f.read.chomp
      }
    else
      raise Puppet::Error, ":encrypt must be a path to a pass phrase file"
    end
  else
    @password = nil
  end

  @selfsign = hash.include?(:selfsign) && hash[:selfsign]
end

Instance Attribute Details

#cacert ⇒ Object

Returns the value of attribute cacert.

# File 'lib/puppet/sslcertificates/certificate.rb', line 5

def cacert
  @cacert
end

#cert ⇒ Object

Returns the value of attribute cert.

# File 'lib/puppet/sslcertificates/certificate.rb', line 5

def cert
  @cert
end

#certfile ⇒ Object

Returns the value of attribute certfile.

# File 'lib/puppet/sslcertificates/certificate.rb', line 4

def certfile
  @certfile
end

#csr ⇒ Object

Returns the value of attribute csr.

# File 'lib/puppet/sslcertificates/certificate.rb', line 5

def csr
  @csr
end

#dir ⇒ Object

Returns the value of attribute dir.

# File 'lib/puppet/sslcertificates/certificate.rb', line 4

def dir
  @dir
end

#hash ⇒ Object

Returns the value of attribute hash.

# File 'lib/puppet/sslcertificates/certificate.rb', line 4

def hash
  @hash
end

#key ⇒ Object

Returns the value of attribute key.

# File 'lib/puppet/sslcertificates/certificate.rb', line 5

def key
  @key
end

#keyfile ⇒ Object

Returns the value of attribute keyfile.

# File 'lib/puppet/sslcertificates/certificate.rb', line 4

def keyfile
  @keyfile
end

#name ⇒ Object

Returns the value of attribute name.

# File 'lib/puppet/sslcertificates/certificate.rb', line 4

def name
  @name
end

#type ⇒ Object

Returns the value of attribute type.

# File 'lib/puppet/sslcertificates/certificate.rb', line 4

def type
  @type
end

Instance Method Details

#certname ⇒ Object

# File 'lib/puppet/sslcertificates/certificate.rb', line 17

def certname
  OpenSSL::X509::Name.new self.subject
end

#delete ⇒ Object

# File 'lib/puppet/sslcertificates/certificate.rb', line 21

def delete
  [@certfile,@keyfile].each { |file|
    File.unlink(file) if FileTest.exists?(file)
  }

  if @hash
    File.unlink(@hash) if FileTest.symlink?(@hash)
  end
end

#exists? ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/puppet/sslcertificates/certificate.rb', line 31

def exists?
  FileTest.exists?(@certfile)
end

#getkey ⇒ Object

# File 'lib/puppet/sslcertificates/certificate.rb', line 35

def getkey
  self.mkkey unless FileTest.exists?(@keyfile)
  if @password

    @key = OpenSSL::PKey::RSA.new(

      File.read(@keyfile),

      @password
    )
  else
    @key = OpenSSL::PKey::RSA.new(
      File.read(@keyfile)
    )
  end
end

#mkcsr ⇒ Object

this only works for servers, not for users

Raises:

• (Puppet::Error)

# File 'lib/puppet/sslcertificates/certificate.rb', line 122

def mkcsr
  self.getkey unless @key

  name = OpenSSL::X509::Name.new self.subject

  @csr = OpenSSL::X509::Request.new
  @csr.version = 0
  @csr.subject = name
  @csr.public_key = @key.public_key
  @csr.sign(@key, OpenSSL::Digest::SHA1.new)

  #File.open(@csrfile, "w") { |f|
  #    f << @csr.to_pem
  #}

  raise Puppet::Error, "CSR sign verification failed" unless @csr.verify(@key.public_key)

  @csr
end

#mkkey ⇒ Object

# File 'lib/puppet/sslcertificates/certificate.rb', line 142

def mkkey
  # @key is the file

  @key = OpenSSL::PKey::RSA.new(1024)
#            { |p,n|
#                case p
#                when 0; Puppet.info "key info: ."  # BN_generate_prime
#                when 1; Puppet.info "key info: +"  # BN_generate_prime
#                when 2; Puppet.info "key info: *"  # searching good prime,
#                                          # n = #of try,
#                                          # but also data from BN_generate_prime
#                when 3; Puppet.info "key info: \n" # found good prime, n==0 - p, n==1 - q,
#                                          # but also data from BN_generate_prime
#                else;   Puppet.info "key info: *"  # BN_generate_prime
#                end
#            }

if @password
#        passwdproc = proc { @password }

  keytext = @key.export(

    OpenSSL::Cipher::DES.new(:EDE3, :CBC),

    @password
    )
    File.open(@keyfile, "w", 0400) { |f|
      f << keytext
    }
  else
    File.open(@keyfile, "w", 0400) { |f|
      f << @key.to_pem
    }
  end

  #cmd = "#{ossl} genrsa -out #{@key} 1024"
end

#mkselfsigned ⇒ Object

Raises:

• (Puppet::Error)

# File 'lib/puppet/sslcertificates/certificate.rb', line 180

def mkselfsigned
  self.getkey unless @key

  raise Puppet::Error, "Cannot replace existing certificate" if @cert

  args = {
    :name => self.certname,
    :ttl => @ttl,
    :issuer => nil,
    :serial => 0x0,
    :publickey => @key.public_key
  }
  if @type
    args[:type] = @type
  else
    args[:type] = :server
  end
  @cert = SSLCertificates.mkcert(args)

  @cert.sign(@key, OpenSSL::Digest::SHA1.new) if @selfsign

  @cert
end

#subject(string = false) ⇒ Object

# File 'lib/puppet/sslcertificates/certificate.rb', line 204

def subject(string = false)
  subj = @@params2names.collect { |param, name|
    [name, @params[param]] if @params.include?(param)
  }.reject { |ary| ary.nil? }

  if string
    return "/" + subj.collect { |ary|
      "%s=%s" % ary
    }.join("/") + "/"
  else
    return subj
  end
end

#verify ⇒ Object

verify that we can track down the cert chain or whatever

# File 'lib/puppet/sslcertificates/certificate.rb', line 219

def verify
  "openssl verify -verbose -CAfile /home/luke/.puppet/ssl/certs/ca.pem -purpose sslserver culain.madstop.com.pem"
end

#write ⇒ Object

# File 'lib/puppet/sslcertificates/certificate.rb', line 223

def write
  files = {
    @certfile => @cert,
    @keyfile => @key,
  }
  files[@cacertfile] = @cacert if defined?(@cacert)

  files.each { |file,thing|
    if thing
      next if FileTest.exists?(file)

      text = nil

      if thing.is_a?(OpenSSL::PKey::RSA) and @password

        text = thing.export(

          OpenSSL::Cipher::DES.new(:EDE3, :CBC),

          @password
        )
      else
        text = thing.to_pem
      end

      File.open(file, "w", 0660) { |f| f.print text }
    end
  }

  SSLCertificates.mkhash(Puppet[:certdir], @cacert, @cacertfile) if defined?(@cacert)
end