| author | lutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0> | 2006-09-13 16:50:43 +0000 |
|---|---|---|
| committer | lutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0> | 2006-09-13 16:50:43 +0000 |
| commit | 09f264a540cb863ac7df380efc01993b82e5a0b1 (patch) | |
| tree | 1943f8591f0bf74ebf45bd6df35144bb80a0b5d7 /lib/puppet | |
| parent | 130b2455572dae21def75ca2ac8e9f5a89672daf (diff) | |
Add config parameter ca_ttl and deprecate ca_days; ca_ttl makes it possible to generate certs that are valid for < 1 day
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1581 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'lib/puppet')
| -rwxr-xr-x | lib/puppet/sslcertificates.rb | 6 | ||||
| -rw-r--r-- | lib/puppet/sslcertificates/ca.rb | 47 | ||||
| -rw-r--r-- | lib/puppet/sslcertificates/certificate.rb | 4 |
3 files changed, 49 insertions, 8 deletions
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index d237192c5..8c93139a9 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -47,9 +47,9 @@ module Puppet::SSLCertificates
 }
 )
- #def self.mkcert(type, name, days, issuercert, issuername, serial, publickey)
+ #def self.mkcert(type, name, ttl, issuercert, issuername, serial, publickey)
 def self.mkcert(hash)
- [:type, :name, :days, :issuer, :serial, :publickey].each { |param|
+ [:type, :name, :ttl, :issuer, :serial, :publickey].each { |param|
 unless hash.include?(param)
 raise ArgumentError, "mkcert called without %s" % param
 end
@@ -66,7 +66,7 @@ module Puppet::SSLCertificates
 cert.issuer = hash[:name]
 end
 cert.not_before = from
- cert.not_after = from + (hash[:days] * 24 * 60 * 60)
+ cert.not_after = from + hash[:ttl]
 cert.version = 2 # X509v3
 cert.public_key = hash[:publickey]
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb
index 4d4f5748e..283809b51 100644
--- a/lib/puppet/sslcertificates/ca.rb
+++ b/lib/puppet/sslcertificates/ca.rb
@@ -1,4 +1,6 @@ class Puppet::SSLCertificates::CA
+ include Puppet::Util::Warnings
+ Certificate = Puppet::SSLCertificates::Certificate
 attr_accessor :keyfile, :file, :config, :dir, :cert, :crl
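Review bot: `cert.not_after = from + hash[:ttl]` in the -66 hunk assumes `:ttl` is an Integer number of seconds, but the presence check added in the -47 hunk only verifies that the key exists, so a non-numeric value (for example a raw `ca_ttl` string such as `"5y"` handed straight from config) reaches the `+` and fails with a TypeError far from the offending parameter. Validating the type next to the presence check, `raise ArgumentError, "mkcert :ttl must be an Integer (seconds), got #{hash[:ttl].inspect}" unless hash[:ttl].is_a?(Integer)`, gives callers a clear error and pins down the unit. The commented-out signature above `def self.mkcert(hash)` would also read better as `#def self.mkcert(type, name, ttl_in_seconds, ...)` since nothing else in this file says what unit the ttl is in. mkcert's body continues outside both hunks.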
@@ -66,7 +68,14 @@ class Puppet::SSLCertificates::CA
 autosigns any key request, and is a very bad idea), false (which never autosigns any key request), and the path to a file, which uses that configuration file to determine which keys to sign."},
- :ca_days => [1825, "How long a certificate should be valid."],
+ :ca_days => ["", "How long a certificate should be valid.
+ This parameter is deprecated, use ca_ttl instead"],
+ :ca_ttl => ["5y", "The default TTL for new certificates; valid values
+ must be an integer, optionally followed by one of the units
+ 'y' (years of 365 days), 'd' (days), 'h' (hours), or
+ 's' (seconds). The unit defaults to seconds. If this parameter
+ is set, ca_days is ignored. Examples are '3600' (one hour)
+ and '1825d', which is the same as '5y' (5 years) "],
 :ca_md => ["md5", "The type of hash used in certificates."],
 :req_bits => [2048, "The bit length of the certificates."],
 :keylength => [1024, "The bit length of keys."]
@@ -76,6 +85,38 @@ class Puppet::SSLCertificates::CA
 @config[:cacert]
 end
+ # TTL for new certificates in seconds. If config param :ca_ttl is set,
+ # use that, otherwise use :ca_days for backwards compatibility
+ def ttl
+ days = @config[:ca_days]
+ if days && days.size > 0
+ warnonce "Parameter ca_ttl is not set. Using depecated ca_days instead."
+ return @config[:ca_days] * 24 * 60 * 60
+ else
+ ttl = @config[:ca_ttl]
+ if ttl.is_a?(String)
+ unless ttl =~ /^(\d+)(y|d|h|s)$/
+ raise ArgumentError, "Invalid ca_ttl #{ttl}"
+ end
+ case $2
+ when 'y'
+ unit = 365 * 24 * 60 * 60
+ when 'd'
+ unit = 24 * 60 * 60
+ when 'h'
+ unit = 60 * 60
+ when 's'
+ unit = 1
+ else
+ raise ArgumentError, "Invalid unit for ca_ttl #{ttl}"
+ end
+ return $1.to_i * unit
+ else
+ return ttl
+ end
+ end
+ end
+
 # Remove all traces of a given host. This is kind of hackish, but, eh.
 def clean(host)
 [:csrdir, :signeddir, :publickeydir, :privatekeydir, :certdir].each do |name|
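Review bot: The parser in `def ttl` (second hunk) contradicts the ca_ttl description added in the first hunk: `/^(\d+)(y|d|h|s)$/` makes the unit mandatory, so the documented "unit defaults to seconds" form and the documented example `'3600'` both raise `Invalid ca_ttl 3600`, and because the regex already restricts the unit the `else raise ArgumentError, "Invalid unit for ca_ttl ..."` branch can never run. The anchors should be `\A`/`\z`, since `^`/`$` only match line boundaries in Ruby and would accept a value with a trailing newline. In the ca_days branch, `@config[:ca_days] * 24 * 60 * 60` repeats the string rather than multiplying if the config layer returns a String (I cannot see the config parser from here), so coercing with `Integer(days)` is safer; the warning also misspells "deprecated", and the local `ttl` shadows the method name. A rewrite that makes the unit optional, anchors the whole string and drops the unreachable branch follows.
```ruby
  # TTL for new certificates in seconds. If config param :ca_ttl is set,
  # use that, otherwise use :ca_days for backwards compatibility
  def ttl
    days = @config[:ca_days]
    if days && days.size > 0
      warnonce "Parameter ca_ttl is not set. Using deprecated ca_days instead."
      # Integer() rejects non-numeric values instead of repeating a String
      return Integer(days) * 24 * 60 * 60
    end
    value = @config[:ca_ttl]
    return value unless value.is_a?(String)
    # Unit is optional and defaults to seconds, as the ca_ttl description says;
    # \A and \z anchor the whole string, ^ and $ only anchor a line
    unless value =~ /\A(\d+)([ydhs])?\z/
      raise ArgumentError, "Invalid ca_ttl #{value}"
    end
    count = Regexp.last_match(1).to_i
    unit = case Regexp.last_match(2)
           when 'y' then 365 * 24 * 60 * 60
           when 'd' then 24 * 60 * 60
           when 'h' then 60 * 60
           else 1 # 's' or no unit
           end
    count * unit
  end
```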
@@ -219,7 +260,7 @@ class Puppet::SSLCertificates::CA
 :encrypt => @config[:capass],
 :key => @config[:cakey],
 :selfsign => true,
- :length => 1825,
+ :ttl => ttl,
 :type => :ca
 )
@@ -288,7 +329,7 @@ class Puppet::SSLCertificates::CA
 newcert = Puppet::SSLCertificates.mkcert(
 :type => :server,
 :name => csr.subject,
- :days => @config[:ca_days],
+ :ttl => ttl,
 :issuer => @cert,
 :serial => serial,
 :publickey => csr.public_key
diff --git a/lib/puppet/sslcertificates/certificate.rb b/lib/puppet/sslcertificates/certificate.rb
index 618b7473a..e56bfa266 100644
--- a/lib/puppet/sslcertificates/certificate.rb
+++ b/lib/puppet/sslcertificates/certificate.rb
@@ -93,7 +93,7 @@ class Puppet::SSLCertificates::Certificate
 end
 }
- @days = hash[:length] || 365
+ @ttl = hash[:ttl] || 365 * 24 * 60 * 60
 @selfsign = hash[:selfsign] || false
 @encrypt = hash[:encrypt] || false
 @replace = hash[:replace] || false
@@ -206,7 +206,7 @@ class Puppet::SSLCertificates::Certificate
 args = {
 :name => self.certname,
- :days => @days,
+ :ttl => @ttl,
 :issuer => nil,
 :serial => 0x0,
 :publickey => @key.public_key |
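Review bot: `@ttl = hash[:ttl] || 365 * 24 * 60 * 60` in the certificate.rb -93 hunk silently falls back to one year for any caller that still passes the old `:length` key; the diffstat is limited to lib/puppet, so a caller elsewhere in the tree that was not updated would get a one-year certificate with no error rather than the lifetime it asked for. Rejecting the stale key explicitly, `raise ArgumentError, "Certificate option :length was replaced by :ttl (seconds)" if hash.include?(:length)`, turns that into a loud failure. The `365 * 24 * 60 * 60` literal is now written here and again in CA#ttl; a named constant such as `ONE_YEAR = 365 * 24 * 60 * 60` with a comment that the Certificate default is one year in seconds, distinct from the CA's `5y` default, would keep the two in step. The enclosing method (presumably the initializer, judging by the `@`-assignments) starts and ends outside the hunk.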
