authorLuke Kanies <luke@madstop.com>2005-08-24 21:26:52 +0000
committerLuke Kanies <luke@madstop.com>2005-08-24 21:26:52 +0000
commit66b3355cc3e025f2659d038d4055b5df0dcbe253 (patch)
treea391552f746b87d5fd90102c2bd36139672eed7d /lib/puppet/sslcertificates.rb
parent386ebee31dcc67ac5a7fb569ee58c2365e0666e1 (diff)
Certificates now verify!
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@588 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'lib/puppet/sslcertificates.rb')
-rwxr-xr-xlib/puppet/sslcertificates.rb83
1 files changed, 45 insertions, 38 deletions
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index b8a4d27aa..5b587a41b 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -49,6 +49,7 @@ module SSLCertificates
raise ArgumentError, "mkcert called without %s" % param
end
}
+
cert = OpenSSL::X509::Certificate.new
from = Time.now
@@ -57,7 +58,7 @@ module SSLCertificates
cert.issuer = hash[:issuer].subject
else
# we're a self-signed cert
- cert.issuer = cert.subject
+ cert.issuer = hash[:name]
end
cert.not_before = from
cert.not_after = from + (hash[:days] * 24 * 60 * 60)
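Review bot: `cert.issuer = hash[:name]` on the self-signed branch now relies on `cert.subject` having been assigned from the same `hash[:name]` object somewhere above the hunk; the removed `cert.issuer = cert.subject` guaranteed issuer and subject were identical by construction. If the two ever diverge (a string versus an `OpenSSL::X509::Name`, or a subject built from a different source), the self-signed certificate will not chain to itself and verification fails silently at the consumer. If the old form was changed for a reason, a one-line comment such as `# issuer must equal the subject Name for a self-signed cert to verify` would keep the invariant visible. mkcert starts before this hunk and continues past it.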
@@ -67,62 +68,59 @@ module SSLCertificates
cert.serial = hash[:serial]
basic_constraint = nil
- key_usage = []
- ext_key_usage = []
+ key_usage = nil
+ ext_key_usage = nil
+
+ ef = OpenSSL::X509::ExtensionFactory.new
+
+ ef.subject_certificate = cert
+ if hash[:issuer]
+ ef.issuer_certificate = hash[:issuer]
+ else
+ ef.issuer_certificate = cert
+ end
+
+ ex = []
case hash[:type]
when :ca:
basic_constraint = "CA:TRUE"
- key_usage.push %w{cRLSign keyCertSign}
+ key_usage = %w{cRLSign keyCertSign}
when :terminalsubca:
basic_constraint = "CA:TRUE,pathlen:0"
- key_usage %w{cRLSign keyCertSign}
+ key_usage = %w{cRLSign keyCertSign}
when :server:
basic_constraint = "CA:FALSE"
- key_usage << %w{digitalSignature keyEncipherment}
- ext_key_usage << "serverAuth"
+ key_usage = %w{digitalSignature keyEncipherment}
+ ext_key_usage = %w{serverAuth}
when :ocsp:
basic_constraint = "CA:FALSE"
- key_usage << %w{nonRepudiation digitalSignature}
- ext_key_usage << %w{serverAuth OCSPSigning}
+ key_usage = %w{nonRepudiation digitalSignature}
+ ext_key_usage = %w{serverAuth OCSPSigning}
when :client:
basic_constraint = "CA:FALSE"
- key_usage << %w{nonRepudiation digitalSignature keyEncipherment}
- ext_key_usage << %w{clientAuth emailProtection}
+ key_usage = %w{nonRepudiation digitalSignature keyEncipherment}
+ ext_key_usage = %w{clientAuth emailProtection}
+ ex << ef.create_extension("nsCertType", "client,email")
else
raise Puppet::Error, "unknown cert type '%s'" % hash[:type]
end
- key_usage.flatten!
- ext_key_usage.flatten!
-
- ef = OpenSSL::X509::ExtensionFactory.new
+ Puppet.debug "Key usage is %s" % key_usage.inspect
+ Puppet.debug "ExtKey usage is %s" % ext_key_usage.inspect
- if hash[:issuer]
- ef.issuer_certificate = hash[:issuer]
- else
- ef.issuer_certificate = cert
- end
-
- ef.subject_certificate = cert
-
- ex = []
- ex << ef.create_extension("basicConstraints", basic_constraint, true)
ex << ef.create_extension("nsComment",
"Puppet Ruby/OpenSSL Generated Certificate")
+ ex << ef.create_extension("basicConstraints", basic_constraint, true)
ex << ef.create_extension("subjectKeyIdentifier", "hash")
- #ex << ef.create_extension("nsCertType", "client,email")
- unless key_usage.empty? then
+
+ if key_usage
ex << ef.create_extension("keyUsage", key_usage.join(","))
end
- #ex << ef.create_extension("authorityKeyIdentifier",
- # "keyid:always,issuer:always")
- #ex << ef.create_extension("authorityKeyIdentifier", "keyid:always")
- unless ext_key_usage.empty? then
+ if ext_key_usage
ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(","))
end
-
#if @ca_config[:cdp_location] then
# ex << ef.create_extension("crlDistributionPoints",
# @ca_config[:cdp_location])
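Review bot: The `keyUsage` extension is added without the critical flag, while `basicConstraints` is critical; for the `:ca` and `:terminalsubca` branches, where `key_usage` is `cRLSign keyCertSign`, RFC 5280 §4.2.1.3 says CAs should mark keyUsage critical so relying parties cannot ignore the restriction. The change is the third argument on the create_extension call: `ex << ef.create_extension("keyUsage", key_usage.join(","), true)`. Note also that for the self-signed case `ef.issuer_certificate = cert` is set while `cert` still carries no extensions, so any authority-key-identifier lookups against the issuer at this point cannot find a subjectKeyIdentifier; that appears to be why the later hunk defers that extension. mkcert's body starts before this hunk and ends after it.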
@@ -134,8 +132,11 @@ module SSLCertificates
#end
cert.extensions = ex
- # write the cert out
- #File.open(certfile, "w") { |f| f << cert.to_pem }
+ # for some reason this _must_ be the last extension added
+ if hash[:type] == :ca
+ ex << ef.create_extension("authorityKeyIdentifier",
+ "keyid:always,issuer:always")
+ end
return cert
end
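Review bot: The `authorityKeyIdentifier` extension is appended to `ex` after `cert.extensions = ex` has already run, so it never reaches the certificate: Ruby's OpenSSL binding copies the array's contents into the X509 structure on assignment rather than keeping a reference to the array, and nothing below re-assigns `cert.extensions`. The `:type => :ca` passed from the CA setup in the next hunk therefore has no visible effect on the issued extensions. Keeping the ordering the comment asks for while actually applying the extension is a single statement: `cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")) if hash[:type] == :ca` placed after `cert.extensions = ex`. A regression test that parses the resulting CA certificate and asserts the extension is present would have caught this; mkcert starts before this hunk.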
@@ -311,7 +312,8 @@ module SSLCertificates
:encrypt => @config[:passfile],
:key => @config[:cakey],
:selfsign => true,
- :length => 1825
+ :length => 1825,
+ :type => :ca
)
@cert = cert.mkselfsigned
File.open(@config[:cacert], "w", 0660) { |f|
@@ -658,14 +660,19 @@ module SSLCertificates
raise Puppet::Error, "Cannot replace existing certificate"
end
- @cert = SSLCertificates.mkcert(
- :type => :server,
+ args = {
:name => self.certname,
:days => @days,
:issuer => nil,
:serial => 0x0,
:publickey => @key.public_key
- )
+ }
+ if @type
+ args[:type] = @type
+ else
+ args[:type] = :server
+ end
+ @cert = SSLCertificates.mkcert(args)
@cert.sign(@key, OpenSSL::Digest::SHA1.new) if @selfsign
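Review bot: The `if @type … else … end` block that picks the certificate type is a five-line form of a default, and could be folded into the `args` literal as `:type => @type || :server`, which also makes the fallback visible in one place next to the other arguments. Since `@type` is taken from instance state that is set outside this hunk, a short comment stating that `:server` is the default when no type is configured would help the next reader. The enclosing method begins before this hunk and its body continues past the `sign` call.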