authorBrice Figureau <brice-puppet@daysofwonder.com>2009-12-29 15:27:54 +0100
committerJames Turnbull <james@lovedthanlost.net>2010-01-19 08:37:23 +1100
commit3e9677f00a09d0249713ed2fa503e42b07f6d978 (patch)
tree0b99bb4cd9039bb220ee75f2520b37920a6b7628 /lib/puppet/application
parent91c44b439794a87111ab1a0726a2ad08981c839e (diff)
Feature #2839 - fingerprint certificate
This patch adds several things:
* certificate fingerprinting in --list mode
* a puppetca action called "--fingerprint" to display fingerprints of given certificates (or all, including CSRs)
* a --fingerprint puppetd option to display client certificates
* each time a CSR is generated, its fingerprint is displayed in the log
It is also possible to use --digest in puppetca and puppetd to specify a specific digest algorithm.
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Diffstat (limited to 'lib/puppet/application')
-rw-r--r--lib/puppet/application/puppetca.rb8
-rw-r--r--lib/puppet/application/puppetd.rb33
2 files changed, 31 insertions, 10 deletions
diff --git a/lib/puppet/application/puppetca.rb b/lib/puppet/application/puppetca.rb
index adc1a6ff5..7362f2a18 100644
--- a/lib/puppet/application/puppetca.rb
+++ b/lib/puppet/application/puppetca.rb
@@ -6,7 +6,7 @@ Puppet::Application.new(:puppetca) do
should_parse_config
- attr_accessor :mode, :all, :ca
+ attr_accessor :mode, :all, :ca, :digest
def find_mode(opt)
modes = Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS
@@ -22,6 +22,10 @@ Puppet::Application.new(:puppetca) do
@all = true
end
+ option("--digest DIGEST") do |arg|
+ @digest = arg
+ end
+
option("--debug", "-d") do |arg|
Puppet::Util::Log.level = :debug
end
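Review bot: The `--digest` handler stores the raw option string without checking that it names a digest the CA can compute, so a mistyped value is only caught later inside `@ca.apply`, where the generic `rescue => detail` prints it like any other failure. Rejecting it at parse time gives the operator a clear message: wrap `OpenSSL::Digest.new(arg)` in a begin/rescue before `@digest = arg` and raise `ArgumentError, "unknown digest #{arg}"` when it fails. Whether the interface expects a String or a Symbol is outside this hunk; puppetd defaults to the symbol `:MD5`, so the two applications may end up passing different types for the same value.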
@@ -44,7 +48,7 @@ Puppet::Application.new(:puppetca) do
end
begin
@ca.apply(:revoke, :to => hosts) if @mode == :destroy
- @ca.apply(@mode, :to => hosts)
+ @ca.apply(@mode, :to => hosts, :digest => @digest)
rescue => detail
puts detail.backtrace if Puppet[:trace]
puts detail.to_s
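Review bot: `:digest => @digest` is now passed for every mode, and when `--digest` was not given it is `:digest => nil`, so `apply` has to treat a nil digest as "use the default"; nothing in this hunk shows that it does. Passing the key only when it is set avoids relying on that: `opts = {:to => hosts}` / `opts[:digest] = @digest if @digest` / `@ca.apply(@mode, opts)`. The `:revoke` call on the line above still receives no digest, which is presumably fine since revocation does not produce a fingerprint.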
diff --git a/lib/puppet/application/puppetd.rb b/lib/puppet/application/puppetd.rb
index c99b9eaff..ed2c450ee 100644
--- a/lib/puppet/application/puppetd.rb
+++ b/lib/puppet/application/puppetd.rb
@@ -9,7 +9,7 @@ Puppet::Application.new(:puppetd) do
should_parse_config
- attr_accessor :explicit_waitforcert, :args, :agent, :daemon
+ attr_accessor :explicit_waitforcert, :args, :agent, :daemon, :host
preinit do
# Do an initial trap, so that cancels don't get a stack trace.
@@ -30,7 +30,9 @@ Puppet::Application.new(:puppetd) do
:disable => false,
:client => true,
:fqdn => nil,
- :serve => []
+ :serve => [],
+ :digest => :MD5,
+ :fingerprint => false,
}.each do |opt,val|
options[opt] = val
end
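Review bot: `:digest => :MD5` makes MD5 the default fingerprint algorithm, and the fingerprint is what an operator compares out of band before signing a CSR with puppetca; MD5 is collision-prone, so a stronger default such as `:digest => :SHA256` would be a better choice if `cert.fingerprint` accepts it. Note also that the default is a Symbol while `option("--digest DIGEST")` in the next hunk (L75) stores whatever the option parser hands it — presumably a String — so `cert.fingerprint(options[:digest])` receives either type; confirm it normalises the name.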
@@ -49,6 +51,9 @@ Puppet::Application.new(:puppetd) do
option("--test","-t")
option("--verbose","-v")
+ option("--fingerprint")
+ option("--digest DIGEST")
+
option("--serve HANDLER", "-s") do |arg|
if Puppet::Network::Handler.handler(arg)
options[:serve] << arg.to_sym
@@ -92,10 +97,20 @@ Puppet::Application.new(:puppetd) do
end
dispatch do
+ return :fingerprint if options[:fingerprint]
return :onetime if options[:onetime]
return :main
end
+ command(:fingerprint) do
+ unless cert = host.certificate || host.certificate_request
+ $stderr.puts "Fingerprint asked but no certificate nor certificate request have yet been issued"
+ exit(1)
+ return
+ end
+ Puppet.notice cert.fingerprint(options[:digest])
+ end
+
command(:onetime) do
unless options[:client]
$stderr.puts "onetime is specified but there is no client"
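Review bot: In `command(:fingerprint)` the `return` after `exit(1)` is unreachable, because `exit` raises `SystemExit`; drop it. The `unless cert = host.certificate || host.certificate_request` line assigns inside a condition, which Ruby warns about and reads like a comparison; split it into `cert = host.certificate || host.certificate_request` followed by `unless cert`. The error text would also read better as `"Fingerprint requested but neither a certificate nor a certificate request has been issued yet"`. `host` here reads `@host`, which is only assigned in setup (the L115 hunk), so the command relies on setup having run first — worth a comment if Puppet::Application guarantees that ordering.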
@@ -220,10 +235,10 @@ Puppet::Application.new(:puppetd) do
Puppet.settings.use :main, :puppetd, :ssl
- # We need to specify a ca location for things to work, but
- # until the REST cert transfers are working, it needs to
- # be local.
- Puppet::SSL::Host.ca_location = :remote
+ # We need to specify a ca location for things to work
+ # in fingerprint mode we just need access to the local files and
+ # we don't need a ca.
+ Puppet::SSL::Host.ca_location = options[:fingerprint] ? :none : :remote
Puppet::Transaction::Report.terminus_class = :rest
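Review bot: The rewritten comment runs two thoughts into one sentence ("for things to work in fingerprint mode we just need ..."), which reads as if a CA location is only needed in fingerprint mode. Suggest: `# We need to specify a ca location for things to work.` / `# In fingerprint mode we only read the local files, so no CA is needed.`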
@@ -246,8 +261,10 @@ Puppet::Application.new(:puppetd) do
@daemon.daemonize
end
- host = Puppet::SSL::Host.new
- cert = host.wait_for_cert(options[:waitforcert])
+ @host = Puppet::SSL::Host.new
+ unless options[:fingerprint]
+ cert = @host.wait_for_cert(options[:waitforcert])
+ end
@objects = []