Class: Puppet::SSL::Validator::DefaultValidator Private

Inherits:
Object
Defined in:
lib/puppet/ssl/validator/default_validator.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Performs peer certificate verification against the known CA. If no CA information is known, no verification is performed.

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(ssl_configuration = Puppet::SSL::Configuration.new( Puppet[:localcacert], { :ca_chain_file => Puppet[:ssl_client_ca_chain], :ca_auth_file => Puppet[:ssl_client_ca_auth] }), ssl_host = Puppet::SSL::Host.localhost) ⇒ DefaultValidator

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Creates a new DefaultValidator, optionally with an SSL Configuration and SSL Host.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 20

def initialize(
    ssl_configuration = Puppet::SSL::Configuration.new(
                                      Puppet[:localcacert], {
                                        :ca_chain_file => Puppet[:ssl_client_ca_chain],
                                        :ca_auth_file  => Puppet[:ssl_client_ca_auth]
                                      }),
    ssl_host = Puppet::SSL::Host.localhost)

  reset!
  @ssl_configuration = ssl_configuration
  @ssl_host = ssl_host
end

Instance Attribute Details

#peer_certs ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.




# File 'lib/puppet/ssl/validator/default_validator.rb', line 9

def peer_certs
  @peer_certs
end

#ssl_configuration ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 11

def ssl_configuration
  @ssl_configuration
end

#verify_errors ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 10

def verify_errors
  @verify_errors
end

Instance Method Details

#call(preverify_ok, ssl_context) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Performs verification of the SSL connection and collection of the certificates for use in constructing the error message if the verification failed. This callback will be executed once for each certificate in a chain being verified.

From the OpenSSL documentation (www.openssl.org/docs/ssl/SSL_CTX_set_verify.html): The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set. It must be supplied by the application and receives two arguments: preverify_ok indicates, whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0). x509_ctx is a pointer to the complete context used for the certificate chain verification.

See Network::HTTP::Connection for more information and where this class is intended to be used.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 69

def call(preverify_ok, ssl_context)
  # We must make a copy since the scope of the ssl_context will be lost
  # across invocations of this method.
  current_cert = ssl_context.current_cert
  @peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)

  if preverify_ok
    # If we've copied all of the certs in the chain out of the SSL library
    if @peer_certs.length == ssl_context.chain.length
      # (#20027) The peer cert must be issued by a specific authority
      preverify_ok = valid_peer?
    end
  else
    if ssl_context.error_string
      @verify_errors << "#{ssl_context.error_string} for #{current_cert.subject}"
    end
  end
  preverify_ok
rescue => ex
  @verify_errors << ex.message
  false
end

#has_authz_peer_cert(peer_certs, authz_certs) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Checks whether the set of peer_certs contains at least one certificate issued by a certificate listed in authz_certs.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 140

def has_authz_peer_cert(peer_certs, authz_certs)
  peer_certs.any? do |peer_cert|
    authz_certs.any? do |authz_cert|
      peer_cert.verify(authz_cert.public_key)
    end
  end
end

#reset! ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Resets this validator to its initial validation state. The ssl configuration is not changed.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 38

def reset!
  @peer_certs = []
  @verify_errors = []
end

#setup_connection(connection) ⇒ void

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

This method returns an undefined value.

Registers the instance’s call method with the connection.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 100

def setup_connection(connection)
  if ssl_certificates_are_present?
    connection.cert_store = @ssl_host.ssl_store
    connection.ca_file = @ssl_configuration.ca_auth_file
    connection.cert = @ssl_host.certificate.content
    connection.key = @ssl_host.key.content
    connection.verify_mode = OpenSSL::SSL::VERIFY_PEER
    connection.verify_callback = self
  else
    connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
end

#ssl_certificates_are_present? ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 150

def ssl_certificates_are_present?
  Puppet::FileSystem.exist?(Puppet[:hostcert]) && Puppet::FileSystem.exist?(@ssl_configuration.ca_auth_file)
end

#valid_peer? ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Validates the peer certificates against the authorized certificates.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 117

def valid_peer?
  descending_cert_chain = @peer_certs.reverse.map {|c| c.content }
  authz_ca_certs = ssl_configuration.ca_auth_certificates

  if not has_authz_peer_cert(descending_cert_chain, authz_ca_certs)
    msg = "The server presented a SSL certificate chain which does not include a " <<
      "CA listed in the ssl_client_ca_auth file.  "
    msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject}.join(', ')}  " <<
      "Peer Chain: #{descending_cert_chain.collect {|c| c.subject}.join(' => ')}"
    @verify_errors << msg
    false
  else
    true
  end
end
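The following is an added example, not code from Puppet: it builds a constructed test PKI with Ruby's openssl library and drives a stand-in for the verify_callback flow that #call, #valid_peer? and #has_authz_peer_cert implement above, showing a chain issued by the authorized CA being accepted and a chain issued by an unrelated CA being rejected with the collected error. The ChainValidator class, make_cert and verify_chain helpers are hypothetical names used only here.

```ruby
require 'openssl'

# Added example, not Puppet's code: a constructed test PKI exercises the same
# verify_callback logic that DefaultValidator#call and #has_authz_peer_cert implement.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Hypothetical stand-in for the validator: OpenSSL invokes the callback once per
# certificate, root first; the issuer check runs only once the whole chain is collected.
class ChainValidator
  attr_reader :verify_errors
  def initialize(authz_certs)
    @authz_certs, @peer_certs, @verify_errors = authz_certs, [], []
  end

  # Same test as DefaultValidator#has_authz_peer_cert: some chain member must
  # verify under the public key of some authorized CA.
  def has_authz_peer_cert(peer_certs, authz_certs)
    peer_certs.any? { |pc| authz_certs.any? { |ac| pc.verify(ac.public_key) } }
  end

  def call(preverify_ok, current_cert, chain)
    @peer_certs << current_cert
    return false unless preverify_ok
    return true unless @peer_certs.length == chain.length
    ok = has_authz_peer_cert(@peer_certs.reverse, @authz_certs)
    @verify_errors << 'no certificate in the peer chain was issued by an authorized CA' unless ok
    ok
  end
end

# Drive the callback over a chain given root first; returns [accepted, errors].
def verify_chain(chain_root_first, authz_certs)
  v = ChainValidator.new(authz_certs)
  [chain_root_first.all? { |c| v.call(true, c, chain_root_first) }, v.verify_errors]
end

AUTHZ_KEY, ROGUE_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
AUTHZ_CA = make_cert('/CN=Authorized Puppet CA', AUTHZ_KEY, ca: true)  # constructed
ROGUE_CA = make_cert('/CN=Unrelated CA', ROGUE_KEY, ca: true)          # constructed
GOOD_LEAF = make_cert('/CN=puppet.example', LEAF_KEY, issuer: AUTHZ_CA, issuer_key: AUTHZ_KEY)
BAD_LEAF = make_cert('/CN=puppet.example', LEAF_KEY, issuer: ROGUE_CA, issuer_key: ROGUE_KEY)
```

Note that, as in #setup_connection, this issuer check is only reached when OpenSSL's own chain verification already passed (preverify_ok), so it narrows the trust decision rather than replacing it.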