authorLuke Kanies <luke@madstop.com>2007-11-19 15:47:56 -0600
committerLuke Kanies <luke@madstop.com>2007-11-19 15:47:56 -0600
commit4bd7b6f69edfc984d153a23872a3ac6e123b5765 (patch)
tree5cfc2a8d30f04259da5478c00ff696afa8d8f92b /lib/puppet
parent8ad27328850c5acf67548c7ad6c93d0c4a43e1ec (diff)
downloadpuppet-4bd7b6f69edfc984d153a23872a3ac6e123b5765.tar.gz
puppet-4bd7b6f69edfc984d153a23872a3ac6e123b5765.tar.xz
puppet-4bd7b6f69edfc984d153a23872a3ac6e123b5765.zip
Fixing #896 by applying DerekW's patches, with slight
modifications to fit coding style.
Diffstat (limited to 'lib/puppet')
-rw-r--r--lib/puppet/defaults.rb2
-rwxr-xr-xlib/puppet/sslcertificates.rb24
-rw-r--r--lib/puppet/sslcertificates/ca.rb1
3 files changed, 13 insertions, 14 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index 5914c3219..a3991bbaa 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -155,6 +155,8 @@ module Puppet
Puppet.setdefaults(:ssl,
:certname => [fqdn, "The name to use when handling certificates. Defaults
to the fully qualified domain name."],
+ :certdnsnames => ['*', "The DNS names on the Server certificate as a colon-
+ separated list. Defaults to * (wildcard match for all names)."],
:certdir => ["$ssldir/certs", "The certificate directory."],
:publickeydir => ["$ssldir/public_keys", "The public key directory."],
:privatekeydir => { :default => "$ssldir/private_keys",
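Review bot: The default of `'*'` for the new `:certdnsnames` setting means every server certificate the CA signs by default carries a `DNS:*` subjectAltName, which claims every host name and so disables name checking on any client that honours the extension; a bare `*` is also not a valid wildcard for many validators, so behaviour will differ between clients. A safer default is the host's own name, e.g. `:certdnsnames => ['$certname', "..."]` — assuming setting interpolation resolves `$certname` the way `$ssldir` is resolved two lines below — or an empty string so that no subjectAltName is emitted until an administrator opts in. The description should then state which names are matched rather than advertising the wildcard.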
diff --git a/lib/puppet/sslcertificates.rb b/lib/puppet/sslcertificates.rb
index 45b9e7a72..1139db048 100755
--- a/lib/puppet/sslcertificates.rb
+++ b/lib/puppet/sslcertificates.rb
@@ -9,7 +9,7 @@ rescue LoadError
end
module Puppet::SSLCertificates
- #def self.mkcert(type, name, ttl, issuercert, issuername, serial, publickey)
+ #def self.mkcert(type, name, dnsnames, ttl, issuercert, issuername, serial, publickey)
def self.mkcert(hash)
[:type, :name, :ttl, :issuer, :serial, :publickey].each { |param|
unless hash.include?(param)
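Review bot: The updated commented-out signature is the only documentation of the new `:dnsnames` key, and it does not say that the key is optional, that it is a colon-separated string rather than an array, or that it only affects `:server` certificates. Since `:dnsnames` is deliberately absent from the required-parameter list that follows, I would replace the dead signature comment with `# :dnsnames (optional, :server only): colon-separated DNS names emitted as a subjectAltName extension`. The body of `mkcert` continues outside this hunk.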
@@ -39,6 +39,7 @@ module Puppet::SSLCertificates
basic_constraint = nil
key_usage = nil
ext_key_usage = nil
+ subject_alt_name = []
ef = OpenSSL::X509::ExtensionFactory.new
@@ -60,16 +61,17 @@ module Puppet::SSLCertificates
key_usage = %w{cRLSign keyCertSign}
when :server:
basic_constraint = "CA:FALSE"
+ hash[:dnsnames].each(':') { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]
key_usage = %w{digitalSignature keyEncipherment}
- ext_key_usage = %w{serverAuth clientAuth}
+ ext_key_usage = %w{serverAuth clientAuth}
when :ocsp:
basic_constraint = "CA:FALSE"
key_usage = %w{nonRepudiation digitalSignature}
- ext_key_usage = %w{serverAuth OCSPSigning}
+ ext_key_usage = %w{serverAuth OCSPSigning}
when :client:
basic_constraint = "CA:FALSE"
key_usage = %w{nonRepudiation digitalSignature keyEncipherment}
- ext_key_usage = %w{clientAuth emailProtection}
+ ext_key_usage = %w{clientAuth emailProtection}
ex << ef.create_extension("nsCertType", "client,email")
else
raise Puppet::Error, "unknown cert type '%s'" % hash[:type]
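Review bot: `hash[:dnsnames].each(':')` in the `:server` branch is `String#each` with a line separator, which yields each segment with the `':'` still attached (and is gone entirely in Ruby 1.9), so a value of `a:b` produces `DNS:a:` and `DNS:b` rather than two clean names. The line should split instead: `hash[:dnsnames].split(':').each { |d| subject_alt_name << 'DNS:' + d } if hash[:dnsnames]`. Note that `split` also drops empty trailing segments, so a stray trailing colon no longer yields an empty `DNS:` entry. `mkcert` starts and ends outside this hunk.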
@@ -80,12 +82,9 @@ module Puppet::SSLCertificates
ex << ef.create_extension("basicConstraints", basic_constraint, true)
ex << ef.create_extension("subjectKeyIdentifier", "hash")
- if key_usage
- ex << ef.create_extension("keyUsage", key_usage.join(","))
- end
- if ext_key_usage
- ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(","))
- end
+ ex << ef.create_extension("keyUsage", key_usage.join(",")) if key_usage
+ ex << ef.create_extension("extendedKeyUsage", ext_key_usage.join(",")) if ext_key_usage
+ ex << ef.create_extension("subjectAltName", subject_alt_name.join(",")) if ! subject_alt_name.empty?
#if @ca_config[:cdp_location] then
# ex << ef.create_extension("crlDistributionPoints",
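Review bot: The new subjectAltName line uses `if ! subject_alt_name.empty?`, which reads against the surrounding modifier-`if` style and the usual Ruby idiom for a negated predicate. I would write it as `ex << ef.create_extension("subjectAltName", subject_alt_name.join(",")) unless subject_alt_name.empty?`. The enclosing method continues on both sides of this hunk.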
@@ -99,10 +98,7 @@ module Puppet::SSLCertificates
cert.extensions = ex
# for some reason this _must_ be the last extension added
- if hash[:type] == :ca
- ex << ef.create_extension("authorityKeyIdentifier",
- "keyid:always,issuer:always")
- end
+ ex << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") if hash[:type] == :ca
return cert
end
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb
index 39facdd48..e1b5f2386 100644
--- a/lib/puppet/sslcertificates/ca.rb
+++ b/lib/puppet/sslcertificates/ca.rb
@@ -278,6 +278,7 @@ class Puppet::SSLCertificates::CA
newcert = Puppet::SSLCertificates.mkcert(
:type => :server,
:name => csr.subject,
+ :dnsnames => Puppet[:certdnsnames],
:ttl => ttl,
:issuer => @cert,
:serial => serial,
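Review bot: Every server certificate signed here receives the CA-wide `Puppet[:certdnsnames]` list regardless of `csr.subject`, so with an explicit list all signed hosts share the same subjectAltName and with the default wildcard each cert is valid for any name; nothing in the signing path ties the names to the requesting host. If that is intended, it deserves a comment at the call site, e.g. `# certdnsnames is a CA-wide setting: the same SAN list is applied to every server cert signed here`; if not, the names should be derived per request rather than read from the CA's configuration. The `mkcert` call continues past the end of this hunk.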