| author | Luke Kanies <luke@madstop.com> | 2008-03-19 23:46:43 -0500 |
|---|---|---|
| committer | Luke Kanies <luke@madstop.com> | 2008-04-15 21:34:06 -0500 |
| commit | b9d647974915da05af8036933e71bc1e6dc00374 (patch) | |
| tree | 61f4968c292a364978f8681bfccbd1730e6ab8cd /lib/puppet/ssl | |
| parent | 1efed0304ebdc13a55eb2d865cdc4965c5253d3a (diff) | |
| download | puppet-b9d647974915da05af8036933e71bc1e6dc00374.tar.gz puppet-b9d647974915da05af8036933e71bc1e6dc00374.tar.xz puppet-b9d647974915da05af8036933e71bc1e6dc00374.zip | |
We have a basically functional CA -- it can sign
requests and return certificates. There's still plenty
more work to do, but I'm probably not much more than a
day away from redoing puppetca to use this code.
Diffstat (limited to 'lib/puppet/ssl')
| -rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 12 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_factory.rb | 10 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 25 | ||||
| -rw-r--r-- | lib/puppet/ssl/key.rb | 14 |
4 files changed, 45 insertions, 16 deletions
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 19887c70b..aa997aaf6 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -44,7 +44,7 @@ class Puppet::SSL::CertificateAuthority < Puppet::SSL::Host
         request.generate(key)
 
         # Create a self-signed certificate.
-        @certificate = sign(request, :ca, true)
+        @certificate = sign(name, :ca, request)
 
         Puppet.settings.write(:cacert) do |f|
             f.print @certificate.to_s
@@ -54,6 +54,8 @@ class Puppet::SSL::CertificateAuthority < Puppet::SSL::Host
     end
 
     def initialize
+        Puppet.settings.use :main, :ssl, :ca
+
         # Always name the ca after the host we're running on.
         super(Puppet[:certname])
 
@@ -72,12 +74,14 @@ class Puppet::SSL::CertificateAuthority < Puppet::SSL::Host
             unless csr = Puppet::SSL::CertificateRequest.find(host, :in => :ca_file)
                 raise ArgumentError, "Could not find certificate request for %s" % host
             end
-            issuer = certificate.content
+            issuer = certificate
         end
 
         cert = Puppet::SSL::Certificate.new(host)
         cert.content = Puppet::SSL::CertificateFactory.new(cert_type, csr.content, issuer, next_serial).result
 
+        Puppet.notice "Signed certificate request for %s" % host
+
         # Save the now-signed cert, unless it's a self-signed cert, since we
         # assume it goes somewhere else.
         cert.save(:in => :ca_file) unless self_signing_csr
@@ -88,11 +92,11 @@ class Puppet::SSL::CertificateAuthority < Puppet::SSL::Host
     # Do all of the initialization necessary to set up our
     # ca.
     def setup_ca
-        generate_key unless key
-
         # Make sure we've got a password protecting our private key.
         generate_password unless password?
 
+        generate_key unless key
+
         # And then make sure we've got the whole kaboodle. This will
         # create a self-signed CA certificate if we don't already have one,
         # and it will just read it in if we do.
diff --git a/lib/puppet/ssl/certificate_factory.rb b/lib/puppet/ssl/certificate_factory.rb
index 47b9f74d7..4b1669804 100644
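Review bot: The signing hunk (`@@ -72,12 +74,14 @@`) takes the stored CSR on trust: `csr` is looked up by `host` and handed straight to `CertificateFactory.new(cert_type, csr.content, issuer, next_serial)`, and nothing visible checks that the request's subject actually names `host` or that the request's self-signature verifies, so a request file stored under one name could yield a certificate for a different subject. Unless the factory performs these checks (not visible here), add before the factory call `raise ArgumentError, "Certificate request for %s is invalid" % host unless csr.content.verify(csr.content.public_key)` and compare the CN in `csr.content.subject` with `host`. The method this hunk belongs to starts and ends outside the hunk.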
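Review bot: The reordering in `setup_ca` (the last hunk on this line) is load-bearing but undocumented: with `Key#generate` no longer taking the password, the only place the password is applied appears to be `Key#to_s` later in this commit, presumably reached when the key is saved, so a key generated before `generate_password` would be written out unencrypted. Record that next to the moved line: `# The password must exist before the key is generated: Key#to_s encrypts the key with it when it is written out.` The hunk shows only the start of `setup_ca`; its body continues outside the hunk.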
--- a/lib/puppet/ssl/certificate_factory.rb
+++ b/lib/puppet/ssl/certificate_factory.rb
@@ -58,9 +58,11 @@ class Puppet::SSL::CertificateFactory
 
         method = "add_#{@cert_type.to_s}_extensions"
 
-        raise ArgumentError, "%s is an invalid certificate type" % @cert_type unless respond_to?(method)
-
-        send(method)
+        begin
+            send(method)
+        rescue NoMethodError
+            raise ArgumentError, "%s is an invalid certificate type" % @cert_type
+        end
 
         @extensions << @ef.create_extension("nsComment", "Puppet Ruby/OpenSSL Generated Certificate")
         @extensions << @ef.create_extension("basicConstraints", @basic_constraint, true)
@@ -72,7 +74,7 @@ class Puppet::SSL::CertificateFactory
         @cert.extensions = @extensions
 
         # for some reason this _must_ be the last extension added
-        @extensions << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") if @cert_type == :ca
+        @extensions << @ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") if @cert_type == :ca
     end
 
     # TTL for new certificates in seconds. If config param :ca_ttl is set,
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index a50355509..0e65d30b1 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -57,7 +57,7 @@ class Puppet::SSL::Host
         manage_file :key do
             @key = Key.new(name)
             @key.generate
-            @key.save
+            @key.save :in => :file
             true
         end
 
@@ -66,7 +66,7 @@ class Puppet::SSL::Host
         generate_key unless key
         @certificate_request = CertificateRequest.new(name)
         @certificate_request.generate(key)
-        @certificate_request.save
+        @certificate_request.save :in => :file
         return true
     end
 
@@ -78,7 +78,7 @@ class Puppet::SSL::Host
 
         @certificate = Certificate.new(name)
         if @certificate.generate(certificate_request)
-            @certificate.save
+            @certificate.save :in => :file
             return true
         else
             return false
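Review bot: The `rescue NoMethodError` wrapped around `send(method)` in the first certificate_factory hunk masks real bugs: a NoMethodError raised anywhere inside an existing `add_*_extensions` method (a nil receiver, a misspelled call) is now reported as "invalid certificate type" instead of surfacing as the error it is. If the `respond_to?` guard was dropped because those methods are private, `respond_to?(method, true)` covers that without swallowing anything: `raise ArgumentError, "%s is an invalid certificate type" % @cert_type unless respond_to?(method, true)` followed by `send(method)`. Since `@cert_type` is interpolated straight into a dispatched method name, it is worth a comment that callers must pass one of the fixed type symbols and never a value taken from a request. The enclosing method starts outside the hunk.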
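Review bot: In the second certificate_factory hunk the authorityKeyIdentifier extension is appended to `@extensions` after `@cert.extensions = @extensions` has already been assigned two lines above, so unless the array is assigned to the certificate again later (not visible in this hunk) the CA certificate is built without its AKI even though the comment says it must be last; the commit's `ef` → `@ef` fix stops the NameError but does not change that. Attach it to the certificate directly instead: `@cert.add_extension(@ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")) if @cert_type == :ca`. The enclosing method's start is outside the hunk.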
@@ -107,4 +107,23 @@ class Puppet::SSL::Host
     def public_key
         key.public_key
     end
+
+    # Try to get our signed certificate.
+    def retrieve_signed_certificate(source = :ca_file)
+        if cert = Puppet::SSL::Certificate.find(name, :in => source)
+            @certificate = cert
+            @certificate.save :in => :file
+            return true
+        else
+            return false
+        end
+    end
+
+    # Send our CSR to the server, defaulting to the
+    # local CA.
+    def send_certificate_request(dest = :ca_file)
+        raise ArgumentError, "Must generate CSR before sending to server" unless certificate_request
+
+        @certificate_request.save :in => dest
+    end
 end
diff --git a/lib/puppet/ssl/key.rb b/lib/puppet/ssl/key.rb
index 35370ac69..65294ac00 100644
--- a/lib/puppet/ssl/key.rb
+++ b/lib/puppet/ssl/key.rb
@@ -13,11 +13,7 @@ class Puppet::SSL::Key < Puppet::SSL::Base
     # Knows how to create keys with our system defaults.
     def generate
         Puppet.info "Creating a new SSL key for %s" % name
-        if pass = password
-            @content = OpenSSL::PKey::RSA.new(Puppet[:keylength], pass)
-        else
-            @content = OpenSSL::PKey::RSA.new(Puppet[:keylength])
-        end
+        @content = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
     end
 
     def password
@@ -39,4 +35,12 @@ class Puppet::SSL::Key < Puppet::SSL::Base @content = wrapped_class.new(::File.read(path), password) end + + def to_s if pass = password @content.export(OpenSSL::Cipher::DES.new(:EDE3, :CBC), pass) else return super end + end end |
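Review bot: `retrieve_signed_certificate` in the host.rb hunk adopts whatever `Puppet::SSL::Certificate.find(name, :in => source)` returns as this host's certificate and writes it to `:file` without checking that it belongs to this host's key, so a wrong or substituted certificate stored under our name would be accepted silently. Before `@certificate = cert`, fail loudly on a mismatch, e.g. `raise ArgumentError, "Certificate for %s does not match our key" % name unless cert.content.check_private_key(key.content)` (assuming `key.content` is the OpenSSL key, as `@content` is in `Key#generate`), and consider comparing the certificate subject with `name` as well. The `return true`/`return false` pairs in both new methods can simply be the value of the `if`.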
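Review bot: `Puppet[:keylength].to_i` in `Key#generate` (first key.rb hunk) turns an unset or non-numeric setting into 0, so a misconfiguration surfaces as an OpenSSL error, or a useless key, rather than as a configuration error; `Integer(Puppet[:keylength])` raises on bad input and still performs the conversion. Since the password no longer takes part in generation, a line here should say where it is applied: `# The password is not used here; to_s encrypts the exported key with it when one is set.` The `if`/`else` that was removed passed the password as the second argument of `OpenSSL::PKey::RSA.new`, which is the public-exponent slot for key generation, so dropping it is the right call.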
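Review bot: `Key#to_s` (last key.rb hunk) encrypts the export with `OpenSSL::Cipher::DES.new(:EDE3, :CBC)`, i.e. 3DES-CBC, which is a legacy cipher; the same call accepts a modern one with no other change, `@content.export(OpenSSL::Cipher.new("aes-256-cbc"), pass)`. When `password` is nil the method falls through to `super` and the key is written in the clear, which is presumably intended for hosts without a key password but deserves a comment such as `# Without a password the key is exported unencrypted.` The bare expression in the `if` branch and the `return super` in the `else` branch are inconsistent; drop the `return`.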
