Changing all of the SSL terminus classes to treat CA files specially.

This is a kind of weird design situation.  For instance, we've got a
collection of certificates in the :certdir, but then there's a special
CA certificate off by itself.  Rather than build a whole separate
infrastructure for managing those separate files (cert and key, at least),
I decided to add special support for specifying where to find the CA-specific
bits, and then code for handling them when necessary.

This requires that we have a standard way of knowing whether we should be
managing the CA bits or normal host files.  The Puppet::SSL::Host class now has
a 'ca_name' method that returns the string we're using for the CA name; this
name is currently 'ca'.  We have to use a name, because the name is the only
thing that all methods have access to (e.g., when trying to 'find' the right
cert, we only have the name available).

What this means is that if you want access to the CA key or cert, then create
a Puppet::SSL::Host instance with the name 'ca'.

You'll still get the CA cert created with the host's :certname; it will just
be stored in a different location.

2 files changed, 38 insertions, 40 deletions

diff --git a/lib/puppet/ssl/certificate_revocation_list.rb b/lib/puppet/ssl/certificate_revocation_list.rb
index e892e276a..939b48443 100644
--- a/lib/puppet/ssl/certificate_revocation_list.rb
+++ b/lib/puppet/ssl/certificate_revocation_list.rb
@@ -1,12 +1,16 @@
 require 'puppet/ssl/base'
+require 'puppet/indirector'
 
 # Manage the CRL.
 class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
     wraps OpenSSL::X509::CRL
 
+    extend Puppet::Indirector
+    indirects :certificate_revocation_list
+
     # Knows how to create a CRL with our system defaults.
-    def generate(cert, key)
-        Puppet.info "Creating a new SSL key for %s" % name
+    def generate(cert)
+        Puppet.info "Creating a new certificate revocation list"
         @content = wrapped_class.new
         @content.issuer = cert.subject
         @content.version = 1
@@ -14,29 +18,19 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
         @content
     end
 
-    def initialize(name, cert, key)
+    def initialize
         raise Puppet::Error, "Cannot manage the CRL when :cacrl is set to false" if [false, "false"].include?(Puppet[:cacrl])
 
-        @name = name
-
-        read_or_generate(cert, key)
-    end
-
-    # A stupid indirection method to make this easier to test.  Yay.
-    def read_or_generate(cert, key)
-        unless read(Puppet[:cacrl])
-            generate(cert, key)
-            save(key)
-        end
+        @name = "crl"
     end
 
     # Revoke the certificate with serial number SERIAL issued by this
-    # CA. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reasons
-    def revoke(serial, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
-        if @config[:cacrl] == 'false'
-            raise Puppet::Error, "Revocation requires a CRL, but ca_crl is set to 'false'"
-        end
+    # CA, then write the CRL back to disk. The REASON must be one of the
+    # OpenSSL::OCSP::REVOKED_* reasons
+    def revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
         time = Time.now
+
+        # Add our revocation to the CRL.
         revoked = OpenSSL::X509::Revoked.new
         revoked.serial = serial
         revoked.time = time
@@ -44,13 +38,7 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
         ext = OpenSSL::X509::Extension.new("CRLReason", enum)
         revoked.add_extension(ext)
         @content.add_revoked(revoked)
-        store_crl
-    end
 
-    # Save the CRL to disk.  Note that none of the other Base subclasses
-    # have this method, because they all use the indirector to find and save
-    # the CRL.
-    def save(key)
         # Increment the crlNumber
         e = @content.extensions.find { |e| e.oid == 'crlNumber' }
         ext = @content.extensions.reject { |e| e.oid == 'crlNumber' }
@@ -59,14 +47,12 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
         @content.extensions = ext
 
         # Set last/next update
-        now = Time.now
-        @content.last_update = now
+        @content.last_update = time
         # Keep CRL valid for 5 years
-        @content.next_update = now + 5 * 365*24*60*60
+        @content.next_update = time + 5 * 365*24*60*60
+
+        @content.sign(cakey, OpenSSL::Digest::SHA1.new)
 
-        sign_with_key(@content)
-        Puppet.settings.write(:cacrl) do |f|
-            f.puts @content.to_pem
-        end
+        save
     end
 end
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 6f49175aa..dbd885316 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -15,7 +15,15 @@ class Puppet::SSL::Host
     extend Puppet::Util::ConstantInflector
 
     attr_reader :name
-    attr_accessor :ca
+    attr_accessor :ca, :password_file
+
+    CA_NAME = "ca"
+
+    # This is the constant that people will use to mark that a given host is
+    # a certificate authority.
+    def self.ca_name
+        CA_NAME
+    end
 
     # Search for more than one host, optionally only specifying
     # an interest in hosts with a given file type.
@@ -36,6 +44,11 @@ class Puppet::SSL::Host
         end
     end
 
+    # Is this a ca host, meaning that all of its files go in the CA location?
+    def ca?
+        ca
+    end
+
     def key
         return nil unless (defined?(@key) and @key) or @key = Key.find(name)
         @key.content
@@ -45,8 +58,12 @@ class Puppet::SSL::Host
     # with no inputs.
     def generate_key
         @key = Key.new(name)
+
+        # If a password file is set, then the key will be stored
+        # encrypted by the password.
+        @key.password_file = password_file if password_file
         @key.generate
-        @key.save :in => :file
+        @key.save
         true
     end
 
@@ -60,7 +77,7 @@ class Puppet::SSL::Host
         generate_key unless key
         @certificate_request = CertificateRequest.new(name)
         @certificate_request.generate(key)
-        @certificate_request.save :in => :file
+        @certificate_request.save
         return true
     end
 
@@ -71,11 +88,6 @@ class Puppet::SSL::Host
         @certificate.content
     end
 
-    # Is this a ca host, meaning that all of its files go in the CA collections?
-    def ca?
-        ca
-    end
-
     # Remove all traces of this ssl host
     def destroy
         [key, certificate, certificate_request].each do |instance|