Class: Puppet::SSL::Validator::DefaultValidator Private

Inherits: Object

Defined in: lib/puppet/ssl/validator/default_validator.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Performs peer certificate verification against the known CA. If no CA information is known, no verification is performed (setup_connection falls back to VERIFY_NONE in that case).

Constant Summary

FIVE_MINUTES_AS_SECONDS = 5 * 60

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.


Constructor Details

#initialize(ssl_configuration = Puppet::SSL::Configuration.new( Puppet[:localcacert], { :ca_auth_file => Puppet[:ssl_client_ca_auth] }), ssl_host = Puppet.lookup(:ssl_host)) ⇒ DefaultValidator

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Creates a new DefaultValidator, optionally with an SSL Configuration and SSL Host.

Parameters:

  • ssl_configuration (Puppet::SSL::Configuration) (defaults to: Puppet::SSL::Configuration.new( Puppet[:localcacert], { :ca_auth_file => Puppet[:ssl_client_ca_auth] }))

    The SSL configuration to use. When none is given, a default configuration is built from Puppet[:localcacert] and Puppet[:ssl_client_ca_auth].

  • ssl_host (Puppet::SSL::Host) (defaults to: Puppet.lookup(:ssl_host))

    The SSL host to use



# File 'lib/puppet/ssl/validator/default_validator.rb', line 23

def initialize(
    ssl_configuration = Puppet::SSL::Configuration.new(
                                      Puppet[:localcacert], {
                                        :ca_auth_file  => Puppet[:ssl_client_ca_auth]
                                      }),
    ssl_host = Puppet.lookup(:ssl_host))

  reset!
  @ssl_configuration = ssl_configuration
  @ssl_host = ssl_host
end

Instance Attribute Details

#peer_certs ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/validator/default_validator.rb', line 10

def peer_certs
  @peer_certs
end

#ssl_configuration ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 12

def ssl_configuration
  @ssl_configuration
end

#verify_errors ⇒ Object (readonly)

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 11

def verify_errors
  @verify_errors
end

Instance Method Details

#call(preverify_ok, store_context) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Performs verification of the SSL connection and collects the certificates of the chain so that an error message can be constructed if verification fails. This callback is executed once for each certificate in the chain being verified.

From the [OpenSSL documentation](www.openssl.org/docs/ssl/SSL_CTX_set_verify.html): The `verify_callback` function is used to control the behaviour when the SSL_VERIFY_PEER flag is set. It must be supplied by the application and receives two arguments: preverify_ok indicates, whether the verification of the certificate in question was passed (preverify_ok=1) or not (preverify_ok=0). x509_store_ctx is a pointer to the complete context used for the certificate chain verification.

See Network::HTTP::Connection for more information and where this class is intended to be used.

Parameters:

  • preverify_ok (Boolean)

    indicates whether the verification of the certificate in question was passed (preverify_ok=true)

  • store_context (OpenSSL::X509::StoreContext)

    holds the X509 store context for the chain being verified.

Returns:

  • (Boolean)

    false if the peer is invalid, true otherwise.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 71

def call(preverify_ok, store_context)
  current_cert = store_context.current_cert
  @peer_certs << Puppet::SSL::Certificate.from_instance(current_cert)

  # We must make a copy since the scope of the store_context will be lost
  # across invocations of this method.
  if preverify_ok
    # If we've copied all of the certs in the chain out of the SSL library
    if @peer_certs.length == store_context.chain.length
      # (#20027) The peer cert must be issued by a specific authority
      preverify_ok = valid_peer?
    end
  else
    error = store_context.error || 0
    error_string = store_context.error_string || "OpenSSL error #{error}"

    case error
    when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
      # current_crl can be nil
      # https://github.com/ruby/ruby/blob/ruby_1_9_3/ext/openssl/ossl_x509store.c#L501-L510
      crl = store_context.current_crl
      if crl
        if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
          Puppet.debug("Ignoring CRL not yet valid, current time #{Time.now.utc}, CRL last updated #{crl.last_update.utc}")
          preverify_ok = true
        else
          @verify_errors << "#{error_string} for #{crl.issuer}"
        end
      else
        @verify_errors << error_string
      end
    else
      @verify_errors << "#{error_string} for #{current_cert.subject}"
    end
  end
  preverify_ok
rescue => ex
  @verify_errors << ex.message
  false
end

#has_authz_peer_cert(peer_certs, authz_certs) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Checks if the set of peer_certs contains at least one certificate issued by a certificate listed in authz_certs

Returns:

  • (Boolean)


# File 'lib/puppet/ssl/validator/default_validator.rb', line 160

def has_authz_peer_cert(peer_certs, authz_certs)
  peer_certs.any? do |peer_cert|
    authz_certs.any? do |authz_cert|
      peer_cert.verify(authz_cert.public_key)
    end
  end
end

#reset! ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Resets this validator to its initial validation state. The ssl configuration is not changed.



# File 'lib/puppet/ssl/validator/default_validator.rb', line 40

def reset!
  @peer_certs = []
  @verify_errors = []
end

#setup_connection(connection) ⇒ void

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

This method returns an undefined value.

Registers the instance’s call method with the connection.

Parameters:

  • connection (Net::HTTP)

    The connection to validate



# File 'lib/puppet/ssl/validator/default_validator.rb', line 120

def setup_connection(connection)
  if ssl_certificates_are_present?
    connection.cert_store = @ssl_host.ssl_store
    connection.ca_file = @ssl_configuration.ca_auth_file
    connection.cert = @ssl_host.certificate.content
    connection.key = @ssl_host.key.content
    connection.verify_mode = OpenSSL::SSL::VERIFY_PEER
    connection.verify_callback = self
  else
    connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end
end

#ssl_certificates_are_present? ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns:

  • (Boolean)


# File 'lib/puppet/ssl/validator/default_validator.rb', line 170

def ssl_certificates_are_present?
  Puppet::FileSystem.exist?(Puppet[:hostcert]) && Puppet::FileSystem.exist?(@ssl_configuration.ca_auth_file)
end

#valid_peer? ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Validates the peer certificates against the authorized certificates.

Returns:

  • (Boolean)


# File 'lib/puppet/ssl/validator/default_validator.rb', line 137

def valid_peer?
  descending_cert_chain = @peer_certs.reverse.map {|c| c.content }
  authz_ca_certs = ssl_configuration.ca_auth_certificates

  if not has_authz_peer_cert(descending_cert_chain, authz_ca_certs)
    msg = "The server presented a SSL certificate chain which does not include a " <<
      "CA listed in the ssl_client_ca_auth file.  "
    msg << "Authorized Issuers: #{authz_ca_certs.collect {|c| c.subject}.join(', ')}  " <<
      "Peer Chain: #{descending_cert_chain.collect {|c| c.subject}.join(' => ')}"
    @verify_errors << msg
    false
  else
    true
  end
end
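The issuer check that #call, #has_authz_peer_cert and #valid_peer? implement, exercised end to end against OpenSSL::X509::Store as an added example (illustrative code written for this page, not Puppet's own; the CRL clock-skew branch and the rescue are left out). AuthzChainValidator, make_cert, verify_leaf and the constructed CA A / CA B test PKI are assumptions made here: they stand in for the Puppet::SSL wrappers, the host's ssl_store and the ssl_client_ca_auth list.

```ruby
require 'openssl'
def make_cert(cn, ca:, issuer: nil) # constructed test PKI (not Puppet data); returns [cert, key]
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..(1 << 62))
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Mirrors DefaultValidator#call and #valid_peer?: collect each cert as OpenSSL hands it to the
# callback (root first); run the issuer check (#20027) only once the whole chain has been seen.
class AuthzChainValidator
  attr_reader :verify_errors
  def initialize(authz_certs) # authz_certs stands in for the ssl_client_ca_auth list
    @authz_certs, @peer_certs, @verify_errors = authz_certs, [], []
  end
  def call(preverify_ok, store_context)
    @peer_certs << store_context.current_cert # kept past this call, like Certificate.from_instance
    if preverify_ok
      preverify_ok = valid_peer? if @peer_certs.length == store_context.chain.length
    else # OpenSSL already rejected this cert; keep its reason for the error report
      @verify_errors << "#{store_context.error_string} for #{store_context.current_cert.subject}"
    end
    preverify_ok
  end
  # Same test as has_authz_peer_cert: some chain cert must verify under an authorized CA key.
  def valid_peer?
    chain = @peer_certs.reverse # leaf first
    return true if chain.any? { |c| @authz_certs.any? { |ca| c.verify(ca.public_key) } }
    @verify_errors << "no authorized issuer in chain: #{chain.map(&:subject).join(' => ')}"
    false
  end
end

# Verify a leaf against a trust store with the issuer check enforced; returns [ok, errors].
def verify_leaf(store, authz_certs, leaf)
  v = AuthzChainValidator.new(authz_certs)
  [store.verify(leaf) { |ok, ctx| v.call(ok, ctx) }, v.verify_errors]
end
# Both CAs are trusted (like localcacert) but only CA A is an authorized issuer.
CA_A, CA_B = make_cert('CA A', ca: true), make_cert('CA B', ca: true)
LEAF_A = make_cert('server-a', ca: false, issuer: CA_A)[0]
LEAF_B = make_cert('server-b', ca: false, issuer: CA_B)[0]
STORE = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_A[0]); s.add_cert(CA_B[0]) }
```

Because both CAs sit in the trust store, plain chain verification accepts either leaf; only the callback's check after the last chain element turns the CA B chain into a failure, with a message of the same shape valid_peer? records.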