Module: Puppet::Util::SSL Private

Defined in:
lib/puppet/util/ssl.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

SSL is a private module with class methods that help work with x.509 subjects and errors.

Constant Summary

@@dn_parsers = nil

This class variable is part of a private API. You should avoid using this class variable if possible, as it may be removed or be changed in the future.

@@no_name = nil

This class variable is part of a private API. You should avoid using this class variable if possible, as it may be removed or be changed in the future.

Class Method Summary

Class Method Details

.cn_from_subject(subject) ⇒ String?

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

cn_from_subject extracts the CN from the given OpenSSL certificate subject.

# File 'lib/puppet/util/ssl.rb', line 46

def self.cn_from_subject(subject)
  if subject.respond_to? :to_a
    (subject.to_a.assoc('CN') || [])[1]
  end
end

.handle_connection_error(error, verifier, host) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Extracts and formats meaningful error messages from OpenSSL::OpenSSLError exceptions and a Validator. Re-raises the error if it is unknown.

# File 'lib/puppet/util/ssl.rb', line 69

def self.handle_connection_error(error, verifier, host)
  # can be nil
  peer_cert = verifier.peer_certs.last

  if error.message.include? "certificate verify failed"
    msg = error.message
    msg << ": [" + verifier.verify_errors.join('; ') + "]"
    raise Puppet::Error, msg, error.backtrace
  elsif peer_cert && !OpenSSL::SSL.verify_certificate_identity(peer_cert, host)
    raise Puppet::SSL::CertMismatchError.new(peer_cert, host)
  else
    raise error
  end
end

.is_possibly_valid_dn?(dn) ⇒ Boolean

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/util/ssl.rb', line 52

def self.is_possibly_valid_dn?(dn)
  dn =~ /=/
end

.subject_from_dn(dn) ⇒ OpenSSL::X509::Name

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Given a DN string, parse it into an OpenSSL certificate subject. This method will flexibly handle both OpenSSL and RFC2253 formats, as given by nginx and Apache, respectively.

# File 'lib/puppet/util/ssl.rb', line 20

def self.subject_from_dn(dn)
  if is_possibly_valid_dn?(dn)
    parsers = @@dn_parsers ||= [
          OpenSSL::X509::Name.method(:parse_rfc2253),
          OpenSSL::X509::Name.method(:parse_openssl)
      ]
    parsers.each do |parser|
      begin
        return parser.call(dn)
      rescue OpenSSL::X509::NameError
      end
    end
  end

  @@no_name ||= OpenSSL::X509::Name.new
end
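The two-parser approach of subject_from_dn and the CN lookup of cn_from_subject, worked through as an added example (not Puppet's own code): the module name DnExample and its helper cn_from_dn are assumptions, and the sample DN strings are constructed to show an nginx-style one-line DN, an Apache-style RFC 2253 DN, an escaped comma inside an RDN value, and input that neither parser accepts.

```ruby
require 'openssl'

# Added example (not part of the Puppet source documented above): parse a
# client-certificate DN in either of the two formats Puppet::Util::SSL
# accepts and pull out the CN, the way subject_from_dn and cn_from_subject do.
module DnExample
  # Try the RFC 2253 parser first (Apache-style "CN=x,O=y,C=z"), then the
  # OpenSSL one-line parser (nginx-style "/C=z/O=y/CN=x"). Returns nil when
  # neither parser accepts the string, where Puppet returns an empty Name.
  # Only OpenSSL::X509::NameError is rescued, exactly as in Puppet.
  def self.subject_from_dn(dn)
    return nil unless dn.is_a?(String) && dn.include?('=')
    [OpenSSL::X509::Name.method(:parse_rfc2253),
     OpenSSL::X509::Name.method(:parse_openssl)].each do |parser|
      begin
        return parser.call(dn)
      rescue OpenSSL::X509::NameError
        # this parser rejected the string; fall through to the next one
      end
    end
    nil
  end

  # Name#to_a yields [type, value, asn1_tag] triples; assoc finds the CN entry
  # regardless of the order the parser stored the RDNs in.
  def self.cn_from_subject(subject)
    return nil unless subject.respond_to?(:to_a)
    (subject.to_a.assoc('CN') || [])[1]
  end

  # Hypothetical convenience wrapper: DN string in, CN (or nil) out.
  def self.cn_from_dn(dn)
    cn_from_subject(subject_from_dn(dn))
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs covering both DN formats and two failure cases.
  [
    '/C=US/O=Example/CN=agent.example.com', # nginx / X509_NAME_oneline form
    'CN=agent.example.com,O=Example,C=US',  # Apache / RFC 2253 form
    'CN=agent\, Inc.,O=Example',            # RFC 2253 escaped comma in a value
    '/C=US/O=Example',                      # parses, but carries no CN
    'not a dn at all',                      # fails the cheap '=' pre-check
  ].each { |dn| printf("%-40s => %p\n", dn, DnExample.cn_from_dn(dn)) }
end
```

Note that the RFC 2253 parser is tried first because it understands escaping; the one-line parser would split the escaped-comma example into a bogus extra RDN.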