author | Luke Kanies <luke@madstop.com> | 2008-05-05 21:00:29 -0500 |
committer | Luke Kanies <luke@madstop.com> | 2008-05-05 21:00:29 -0500 |
commit | 160f9d99e33b051d40f00971683cf54a0ff00c32 (patch) | |
tree | 50f5a7e2e40482289f84175036a42874fad26dac /lib/puppet | |
parent | ce6d5787aaefc4c980e51c394328c2ddc2f7cb9c (diff) | |
Fixing a critical problem in how CRLs were saved and moving SSL Store responsibilities to the SSL::Host class.
I was previously saving invalid CRLs unless they'd had a revocation
done in them; this commit fixes them so that they're always valid.
Also, I've added to SSL::Host the ability to generate a valid
SSL Store, suitable for validation. This is now used by
Webrick and can be used by the http clients, too.
This should have been two commits, but I'm kind of down the
rabbit hole ATM.
Diffstat (limited to 'lib/puppet')
-rw-r--r-- | lib/puppet/network/http/webrick.rb | 18 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_revocation_list.rb | 13 | ||||
-rw-r--r-- | lib/puppet/ssl/host.rb | 18 |
3 files changed, 32 insertions, 17 deletions
diff --git a/lib/puppet/network/http/webrick.rb b/lib/puppet/network/http/webrick.rb
index 9bcf9958f..30085ec47 100644
--- a/lib/puppet/network/http/webrick.rb
+++ b/lib/puppet/network/http/webrick.rb
@@ -93,7 +93,7 @@ class Puppet::Network::HTTP::WEBrick
 host.generate unless host.key
- raise Puppet::Error, "Could not retrieve certificate for %s" % host.name unless host.certificate
+ raise Puppet::Error, "Could not retrieve certificate for %s and not running on a valid certificate authority" % host.name unless host.certificate
 results[:SSLPrivateKey] = host.key.content
 results[:SSLCertificate] = host.certificate.content
@@ -107,25 +107,11 @@ class Puppet::Network::HTTP::WEBrick
 results[:SSLCACertificateFile] = Puppet[:localcacert]
 results[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER
- results[:SSLCertificateStore] = setup_ssl_store if Puppet[:crl]
+ results[:SSLCertificateStore] = host.ssl_store if Puppet[:crl]
 results
 end
- # Create our Certificate revocation list
- def setup_ssl_store
- unless crl = Puppet::SSL::CertificateRevocationList.find("ca")
- raise Puppet::Error, "Could not find CRL; set 'crl' to 'false' to disable CRL usage"
- end
- store = OpenSSL::X509::Store.new
- store.purpose = OpenSSL::X509::PURPOSE_ANY
- store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
-
- store.add_file(Puppet[:localcacert])
- store.add_crl(crl.content)
- return store
- end
-
 private
 def setup_handlers
diff --git a/lib/puppet/ssl/certificate_revocation_list.rb b/lib/puppet/ssl/certificate_revocation_list.rb
index 96b71c7a3..3029c14a4 100644
--- a/lib/puppet/ssl/certificate_revocation_list.rb
+++ b/lib/puppet/ssl/certificate_revocation_list.rb
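Review bot: The reworded message on the added `raise Puppet::Error` line joins two different failure causes with "and", so an operator reading the log cannot tell whether the host simply has no certificate, is not a CA, or both; if the intent is "no certificate on disk and this host cannot issue one itself", say so, e.g. `raise Puppet::Error, "Could not retrieve certificate for %s (no certificate is available and this host is not a valid certificate authority that could issue one)" % host.name unless host.certificate`. The enclosing method begins and ends outside this hunk, so the preceding `host.generate unless host.key` is the only context visible here.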
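Review bot: The exception type behind the new `results[:SSLCertificateStore] = host.ssl_store if Puppet[:crl]` line silently changes: the deleted `setup_ssl_store` raised `Puppet::Error` when no CRL could be found, while `Host#ssl_store` (added in the host.rb hunk below) raises `ArgumentError` for the same condition, so any code rescuing Puppet::Error around server setup will now let that failure escape. Nothing about the arguments is wrong in that case, so the cleaner fix is in host.rb: `raise Puppet::Error, "Could not find CRL; set 'crl' to 'false' to disable CRL usage"`, keeping the contract the webrick caller relied on. The `if Puppet[:crl]` guard on this line is also redundant now that `ssl_store` checks the setting itself, though it is harmless. The enclosing method starts outside this hunk.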
@@ -9,12 +9,23 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
 indirects :certificate_revocation_list, :terminus_class => :file
 # Knows how to create a CRL with our system defaults.
- def generate(cert)
+ def generate(cert, cakey)
 Puppet.info "Creating a new certificate revocation list"
 @content = wrapped_class.new
 @content.issuer = cert.subject
 @content.version = 1
+ # Init the CRL number.
+ crlNum = OpenSSL::ASN1::Integer(0)
+ @content.extensions = [OpenSSL::X509::Extension.new("crlNumber", crlNum)]
+
+ # Set last/next update
+ @content.last_update = Time.now
+ # Keep CRL valid for 5 years
+ @content.next_update = Time.now + 5 * 365*24*60*60
+
+ @content.sign(cakey, OpenSSL::Digest::SHA1.new)
+
 @content
 end
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 09086e0fa..105b39dc6 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -164,6 +164,24 @@ class Puppet::SSL::Host
 def public_key
 key.content.public_key
 end
+
+ # Create/return a store that uses our SSL info to validate
+ # connections.
+ def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY)
+ store = OpenSSL::X509::Store.new
+ store.purpose = purpose
+
+ store.add_file(Puppet[:localcacert])
+
+ if Puppet[:crl]
+ unless crl = Puppet::SSL::CertificateRevocationList.find("ca")
+ raise ArgumentError, "Could not find CRL; set 'crl' to 'false' to disable CRL usage"
+ end
+ store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+ store.add_crl(crl.content)
+ end
+ return store
+ end
 end
 require 'puppet/ssl/certificate_authority'
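Review bot: `generate` gains a required second parameter on the `def generate(cert, cakey)` line, yet the diffstat for lib/puppet touches no caller, so any existing `generate(cert)` call under lib/puppet would now fail with an ArgumentError; the callers may live outside this view, but that should be confirmed before merging. The added `@content.next_update = Time.now + 5 * 365*24*60*60` makes every CRL nominally fresh for five years, and relying parties accept a CRL until next_update, so a stale copy will keep passing validation after a later revocation unless it is actively replaced; a comment making that expectation explicit would help, e.g. `# Long next_update: revocation takes effect only when the regenerated CRL is redistributed, expiry alone never forces a refresh`. The signature uses `OpenSSL::Digest::SHA1.new`, which is a weak digest for a document meant to stay valid that long; `OpenSSL::Digest::SHA256.new` is a drop-in replacement where the verifiers support it. Style: `crlNum` should be `crl_num`, and the interval reads better as a named constant such as `CRL_VALIDITY_SECONDS = 5 * 365 * 24 * 60 * 60` with a `.freeze`-free integer used on the next_update line.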
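Review bot: The doc comment above `def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY)` should state the security consequence of the `if Puppet[:crl]` branch: when `crl` is disabled the store gets neither the CRL nor the `V_FLAG_CRL_CHECK` flags, so certificates revoked by the local CA are still accepted by anything validating against this store; e.g. `# NOTE: with Puppet[:crl] false the store performs no revocation checking at all.` The `purpose` parameter is also undocumented — `# purpose: an OpenSSL::X509::PURPOSE_* constant applied to the store` would do. Style: the assignment-in-condition `unless crl = Puppet::SSL::CertificateRevocationList.find("ca")` is easy to misread as a comparison, `crl = Puppet::SSL::CertificateRevocationList.find("ca")` on its own line followed by `raise ... unless crl` is clearer, and the trailing `return store` can be the bare expression `store`. The exception-type point on the raise line is already raised in the webrick hunk above.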