author | Nick Lewis <nick@puppetlabs.com> | 2011-06-14 14:42:21 -0700 |
---|---|---|
committer | Nick Lewis <nick@puppetlabs.com> | 2011-06-14 16:56:17 -0700 |
commit | 1d867b026dbfa38d44f042680acf708b42295882 (patch) | |
tree | cf44506f1c3be2d40e631d3b52b4b4bdd2988a23 | |
parent | d1c965a2e1ddde3907ecf83303a832a6fd5c20e9 (diff) | |
(#7224) Add a helper to Puppet::SSL::Certificate to retrieve alternate names
Alternate names, if present, are specified in the subjectAltName extension of
the certificate. The values are in the form:
"DNS:alternate_name1, DNS:alternate_name2"
This helper will retrieve the value of the subjectAltName extension and extract
the alternate names, returning an empty list if the extension is absent. This
will make it easier to access the entire list of possible names for a
certificate, rather than just the common name; this is helpful for generating
more detailed SSL error messages.
Paired-With: Jacob Helwig <jacob@puppetlabs.com>
-rw-r--r-- | lib/puppet/ssl/certificate.rb | 6 | ||||
-rwxr-xr-x | spec/unit/ssl/certificate_spec.rb | 25 |
2 files changed, 31 insertions, 0 deletions
diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb
index a0e600291..d57ac1a06 100644
--- a/lib/puppet/ssl/certificate.rb
+++ b/lib/puppet/ssl/certificate.rb
@@ -27,6 +27,12 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
     [:s]
   end
 
+  def alternate_names
+    alts = content.extensions.find{|ext| ext.oid == "subjectAltName"}
+    return [] unless alts
+    alts.value.split(/,\s+/).map{|al| al.sub(/^DNS:/,'')}
+  end
+
   def expiration
     return nil unless content
     content.not_after
diff --git a/spec/unit/ssl/certificate_spec.rb b/spec/unit/ssl/certificate_spec.rb
index 0b635f2bc..de5cedf59 100755
--- a/spec/unit/ssl/certificate_spec.rb
+++ b/spec/unit/ssl/certificate_spec.rb
@@ -89,6 +89,31 @@ describe Puppet::SSL::Certificate do
     @certificate.should respond_to(:content)
   end
 
+  describe "#alternate_names" do
+    before do
+      Puppet[:certdnsnames] = 'foo:bar:baz'
+      @csr = OpenSSL::X509::Request.new
+      @csr.subject = OpenSSL::X509::Name.new([['CN', 'quux']])
+      @csr.public_key = OpenSSL::PKey::RSA.generate(Puppet[:keylength]).public_key
+    end
+
+    it "should list all alternate names when the extension is present" do
+      cert = Puppet::SSL::CertificateFactory.new('server', @csr, @csr, 14).result
+
+      @certificate = @class.from_s(cert.to_pem)
+
+      @certificate.alternate_names.should =~ ['foo', 'bar', 'baz', 'quux']
+    end
+
+    it "should return an empty list of names if the extension is absent" do
+      cert = Puppet::SSL::CertificateFactory.new('client', @csr, @csr, 14).result
+
+      @certificate = @class.from_s(cert.to_pem)
+
+      @certificate.alternate_names.should == []
+    end
+  end
+
   it "should return a nil expiration if there is no actual certificate" do
     @certificate.stubs(:content).returns nil
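Review bot: `alternate_names` dereferences `content` without a guard, while the neighbouring `expiration` in the same hunk returns `nil` when `content` is absent, so calling the new helper on a certificate whose content has not been loaded raises `NoMethodError` on nil instead of returning the empty list the commit message promises; add `return [] unless content` as the method's first line. Note also that `ext.value` is OpenSSL's printable rendering of the extension, so any non-DNS entries (IP, email, URI) survive `sub(/^DNS:/,'')` with their type prefix intact and are returned in the same list as the DNS names. That is harmless for building error messages, but if this list is ever used for identity matching the entries should be restricted to DNS, e.g. `alts.value.split(/,\s*/).grep(/\ADNS:/).map { |al| al.sub(/\ADNS:/, '') }`. The parsing relies on OpenSSL's ", "-separated text format rather than the extension's ASN.1 structure, which deserves a comment such as `# Parses OpenSSL's printable SAN form ("DNS:a, DNS:b"); not a substitute for proper name verification`.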