author | Brice Figureau <brice-puppet@daysofwonder.com> | 2009-07-05 19:45:40 +0200 |
---|---|---|
committer | James Turnbull <james@lovedthanlost.net> | 2009-07-07 16:20:27 +1000 |
commit | 8b09b8316e5f385522fcc4353b3cea725076fb25 (patch) | |
tree | 6524fb2be7d54ad25837d3616601920b731f4152 /lib | |
parent | ea66cf6b9a5de1dd784dfed8995babf90225f8a0 (diff) | |
Fix #2082 - puppetca shouldn't list revoked certificates
This patch does two things:
* it enhances puppetca to list revoked certificates (prefixed by -)
* it fixes the ca crl verification which was broken
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 11 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_authority/interface.rb | 10 |
2 files changed, 19 insertions, 2 deletions
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 4a7d4615b..10d13c28e 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -17,6 +17,14 @@ class Puppet::SSL::CertificateAuthority
 require 'puppet/ssl/certificate_authority/interface'
+ class CertificateVerificationError < RuntimeError
+ attr_accessor :error_code
+
+ def initialize(code)
+ @error_code = code
+ end
+ end
+
 class << self
 include Puppet::Util::Cacher
@@ -276,9 +284,10 @@ class Puppet::SSL::CertificateAuthority
 store.add_file Puppet[:cacert]
 store.add_crl crl.content if self.crl
 store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+ store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
 unless store.verify(cert.content)
- raise "Certificate for %s failed verification" % name
+ raise CertificateVerificationError.new(store.error), store.error_string
 end
 end
diff --git a/lib/puppet/ssl/certificate_authority/interface.rb b/lib/puppet/ssl/certificate_authority/interface.rb
index e4552950c..3f91434e3 100644
--- a/lib/puppet/ssl/certificate_authority/interface.rb
+++ b/lib/puppet/ssl/certificate_authority/interface.rb
@@ -60,8 +60,16 @@ class Puppet::SSL::CertificateAuthority::Interface
 end
 hosts.uniq.sort.each do |host|
- if signed.include?(host)
+ invalid = false
+ begin
+ ca.verify(host) unless requests.include?(host)
+ rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError => details
+ invalid = details.to_s
+ end
+ if not invalid and signed.include?(host)
 puts "+ " + host
+ elsif invalid
+ puts "- " + host + " (" + invalid + ")"
 else
 puts host
 end |
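Review bot: `CertificateVerificationError#initialize(code)` never calls `super`, so an instance raised on its own (`raise CertificateVerificationError.new(code)`) carries only the class name as its message; the second hunk avoids this by using the `raise instance, message` form, which sets the message through `exception(message)`, but the class should not depend on every call site remembering that. Accepting an optional message keeps both forms working: `def initialize(code, message = nil)` followed by `@error_code = code` and `super(message)`. The attribute is only ever assigned in the constructor, so `attr_reader :error_code` would be the more conservative accessor, and a one-line comment such as `# OpenSSL X509 store error code (OpenSSL::X509::Store#error) behind this failure` would tell readers what `error_code` holds, since that is what the second hunk passes in.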
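Review bot: The new `store.flags = ...V_FLAG_CRL_CHECK_ALL|...V_FLAG_CRL_CHECK` line is unconditional while the CRL itself is only loaded two lines above with `store.add_crl crl.content if self.crl`, so a CA with no CRL will now have every `verify` call fail with OpenSSL's unable-to-get-CRL error instead of verifying without revocation checking. If running without a CRL is a supported configuration (the conditional `add_crl` suggests it is), the flags should follow the same predicate: `store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if self.crl`; if it is not supported, failing explicitly before the store is built is clearer than an opaque OpenSSL error. Failing closed is the safer default, so whichever choice is made deserves a comment on that line stating that revocation checking is enforced only when a CRL is present (or always). Note also that the raised message is now `store.error_string` alone, so the host `name` the old `"Certificate for %s failed verification"` message carried is no longer available to callers that only print the exception. `verify` begins outside the hunk.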
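Review bot: The `-` prefix is applied for any `CertificateVerificationError`, not only for revoked certificates as the commit message says — an expired or otherwise untrusted signed certificate is listed the same way, distinguished only by the `store.error_string` shown in parentheses. That is reasonable behaviour but should be stated above the `begin`, e.g. `# Signed certs that fail CA verification (revoked, expired, ...) are shown as "- host (reason)"`. Only `CertificateVerificationError` is rescued, so any other exception from `ca.verify(host)` for a single host presumably aborts the whole listing; if that is not intended, the rescue there needs to be broader or the failure reported per host. Style-wise, `if not invalid and signed.include?(host)` should read `if !invalid && signed.include?(host)` (`not`/`and` have surprising precedence in Ruby), and the output is clearer interpolated: `puts "- #{host} (#{invalid})"`. The enclosing method begins and ends outside the hunk.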