authorLuke Kanies <luke@madstop.com>2008-03-19 23:46:43 -0500
committerLuke Kanies <luke@madstop.com>2008-04-15 21:34:06 -0500
commitb9d647974915da05af8036933e71bc1e6dc00374 (patch)
tree61f4968c292a364978f8681bfccbd1730e6ab8cd /lib
parent1efed0304ebdc13a55eb2d865cdc4965c5253d3a (diff)
We have a basically functional CA -- it can sign
requests and return certificates. There's still plenty more work to do, but I'm probably not much more than a day away from redoing puppetca to use this code.
Diffstat (limited to 'lib')
-rw-r--r--lib/puppet/indirector/certificate_request/ca_file.rb6
-rw-r--r--lib/puppet/indirector/key/file.rb4
-rw-r--r--lib/puppet/ssl/certificate_authority.rb12
-rw-r--r--lib/puppet/ssl/certificate_factory.rb10
-rw-r--r--lib/puppet/ssl/host.rb25
-rw-r--r--lib/puppet/ssl/key.rb14
-rw-r--r--lib/puppet/util/settings.rb2
7 files changed, 54 insertions, 19 deletions
diff --git a/lib/puppet/indirector/certificate_request/ca_file.rb b/lib/puppet/indirector/certificate_request/ca_file.rb
index 08aa73eaf..24c262ef3 100644
--- a/lib/puppet/indirector/certificate_request/ca_file.rb
+++ b/lib/puppet/indirector/certificate_request/ca_file.rb
@@ -5,4 +5,10 @@ class Puppet::SSL::CertificateRequest::CaFile < Puppet::Indirector::SslFile
desc "Manage the CA collection of certificate requests on disk."
store_in :csrdir
+
+ def save(instance, *args)
+ result = super
+ Puppet.notice "%s has a waiting certificate request" % instance.name
+ result
+ end
end
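Review bot: The new `save(instance, *args)` signature differs from the `save(key, options = {})` form this same commit introduces in lib/puppet/indirector/key/file.rb; with a bare `super` both forward the full argument list, but `*args` hides that the indirector passes an options hash and makes the two terminus classes read as if they had different contracts. Suggest `def save(instance, options = {})` so the signatures agree. The notice is emitted only after `super` returns, so a failed save raises before the "waiting certificate request" message is logged, which is the right order.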
diff --git a/lib/puppet/indirector/key/file.rb b/lib/puppet/indirector/key/file.rb
index 9efcd1a31..03e94ed2d 100644
--- a/lib/puppet/indirector/key/file.rb
+++ b/lib/puppet/indirector/key/file.rb
@@ -11,7 +11,7 @@ class Puppet::SSL::Key::File < Puppet::Indirector::SslFile
end
# Remove the public key, in addition to the private key
- def destroy(key)
+ def destroy(key, options = {})
super
return unless FileTest.exist?(public_key_path(key.name))
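Review bot: `options` is added to the `destroy` signature but never read in the method; the bare `super` on the next line forwards it implicitly, so the only effect is accepting the extra argument the indirector now passes. The same applies to `save(key, options = {})` in the hunk below. If the value is intentionally only forwarded, a short comment such as `# options is forwarded to SslFile#destroy via zsuper; unused here` would stop the next reader from searching for a use. `destroy` continues outside this hunk.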
@@ -24,7 +24,7 @@ class Puppet::SSL::Key::File < Puppet::Indirector::SslFile
end
# Save the public key, in addition to the private key.
- def save(key)
+ def save(key, options = {})
super
begin
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 19887c70b..aa997aaf6 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -44,7 +44,7 @@ class Puppet::SSL::CertificateAuthority < Puppet::SSL::Host
request.generate(key)
# Create a self-signed certificate.
- @certificate = sign(request, :ca, true)
+ @certificate = sign(name, :ca, request)
Puppet.settings.write(:cacert) do |f|
f.print @certificate.to_s
@@ -54,6 +54,8 @@ class Puppet::SSL::CertificateAuthority < Puppet::SSL::Host
end
def initialize
+ Puppet.settings.use :main, :ssl, :ca
+
# Always name the ca after the host we're running on.
super(Puppet[:certname])
@@ -72,12 +74,14 @@ class Puppet::SSL::CertificateAuthority < Puppet::SSL::Host
unless csr = Puppet::SSL::CertificateRequest.find(host, :in => :ca_file)
raise ArgumentError, "Could not find certificate request for %s" % host
end
- issuer = certificate.content
+ issuer = certificate
end
cert = Puppet::SSL::Certificate.new(host)
cert.content = Puppet::SSL::CertificateFactory.new(cert_type, csr.content, issuer, next_serial).result
+ Puppet.notice "Signed certificate request for %s" % host
+
# Save the now-signed cert, unless it's a self-signed cert, since we
# assume it goes somewhere else.
cert.save(:in => :ca_file) unless self_signing_csr
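Review bot: "Signed certificate request for %s" is logged before `cert.save` and without the serial, so a save that raises still leaves a "Signed" entry in the log and the entry cannot be matched to the certificate later; move the notice after the save and, assuming `cert.content` is the OpenSSL certificate built by the factory, log `Puppet.notice "Signed certificate request for %s (serial %s)" % [host, cert.content.serial]`. Nothing in this hunk or in the certificate_factory hunk verifies the CSR's own signature before it is signed; if that proof-of-possession check does not happen elsewhere, and `csr.content` is an `OpenSSL::X509::Request`, add `raise ArgumentError, "CSR for %s has an invalid signature" % host unless csr.content.verify(csr.content.public_key)` before building the certificate. `sign` starts and ends outside this hunk.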
@@ -88,11 +92,11 @@ class Puppet::SSL::CertificateAuthority < Puppet::SSL::Host
# Do all of the initialization necessary to set up our
# ca.
def setup_ca
- generate_key unless key
-
# Make sure we've got a password protecting our private key.
generate_password unless password?
+ generate_key unless key
+
# And then make sure we've got the whole kaboodle. This will
# create a self-signed CA certificate if we don't already have one,
# and it will just read it in if we do.
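Review bot: The reorder of `generate_password` ahead of `generate_key` is load-bearing and deserves a comment, because the key.rb hunk in this commit now generates the key without a password and only encrypts it in `to_s` when `password` is present; a key generated before the password exists would presumably be exported unencrypted. Suggest replacing the "Make sure we've got a password" comment with `# The password must exist before the key: Key#to_s encrypts the exported key with it.` so the ordering is not undone by a later cleanup.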
diff --git a/lib/puppet/ssl/certificate_factory.rb b/lib/puppet/ssl/certificate_factory.rb
index 47b9f74d7..4b1669804 100644
--- a/lib/puppet/ssl/certificate_factory.rb
+++ b/lib/puppet/ssl/certificate_factory.rb
@@ -58,9 +58,11 @@ class Puppet::SSL::CertificateFactory
method = "add_#{@cert_type.to_s}_extensions"
- raise ArgumentError, "%s is an invalid certificate type" % @cert_type unless respond_to?(method)
-
- send(method)
+ begin
+ send(method)
+ rescue NoMethodError
+ raise ArgumentError, "%s is an invalid certificate type" % @cert_type
+ end
@extensions << @ef.create_extension("nsComment", "Puppet Ruby/OpenSSL Generated Certificate")
@extensions << @ef.create_extension("basicConstraints", @basic_constraint, true)
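Review bot: Wrapping `send(method)` in `rescue NoMethodError` reports any `NoMethodError` raised inside an `add_*_extensions` method (a nil receiver, a typo) as "%s is an invalid certificate type", which hides real bugs behind a misleading message. If the reason for dropping the `respond_to?` check was that the extension methods are private, `respond_to?(method, true)` covers them: `raise ArgumentError, "%s is an invalid certificate type" % @cert_type unless respond_to?(method, true)` followed by a plain `send(method)`. An explicit list of accepted `@cert_type` values would be clearer still, since `send` on an interpolated name can reach any private method of the factory. The enclosing method starts and ends outside this hunk.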
@@ -72,7 +74,7 @@ class Puppet::SSL::CertificateFactory
@cert.extensions = @extensions
# for some reason this _must_ be the last extension added
- @extensions << ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") if @cert_type == :ca
+ @extensions << @ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always") if @cert_type == :ca
end
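Review bot: The authorityKeyIdentifier extension is appended to `@extensions` after `@cert.extensions = @extensions` has already run on the first line of the hunk, so unless `extensions=` keeps a reference to the array (as far as I know the OpenSSL binding copies it), the CA certificate never receives this extension and the `@ef` fix in this hunk does not change that. Use the certificate's own method so the order no longer matters: `@cert.add_extension(@ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")) if @cert_type == :ca`. The comment about it having to be the last extension should then explain why, or be dropped. The enclosing method starts outside this hunk.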
# TTL for new certificates in seconds. If config param :ca_ttl is set,
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index a50355509..0e65d30b1 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -57,7 +57,7 @@ class Puppet::SSL::Host
manage_file :key do
@key = Key.new(name)
@key.generate
- @key.save
+ @key.save :in => :file
true
end
@@ -66,7 +66,7 @@ class Puppet::SSL::Host
generate_key unless key
@certificate_request = CertificateRequest.new(name)
@certificate_request.generate(key)
- @certificate_request.save
+ @certificate_request.save :in => :file
return true
end
@@ -78,7 +78,7 @@ class Puppet::SSL::Host
@certificate = Certificate.new(name)
if @certificate.generate(certificate_request)
- @certificate.save
+ @certificate.save :in => :file
return true
else
return false
@@ -107,4 +107,23 @@ class Puppet::SSL::Host
def public_key
key.public_key
end
+
+ # Try to get our signed certificate.
+ def retrieve_signed_certificate(source = :ca_file)
+ if cert = Puppet::SSL::Certificate.find(name, :in => source)
+ @certificate = cert
+ @certificate.save :in => :file
+ return true
+ else
+ return false
+ end
+ end
+
+ # Send our CSR to the server, defaulting to the
+ # local CA.
+ def send_certificate_request(dest = :ca_file)
+ raise ArgumentError, "Must generate CSR before sending to server" unless certificate_request
+
+ @certificate_request.save :in => dest
+ end
end
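Review bot: `retrieve_signed_certificate` stores whatever certificate `Certificate.find` returns for `name` as `@certificate` and writes it to the local file without checking that it belongs to this host's key, so a stale or mismatched certificate from the source is accepted silently and only fails later at TLS time; `public_key` is defined a few lines above, so, assuming `cert.content` is the OpenSSL certificate, a guard such as `return false unless cert.content.public_key.to_pem == public_key.to_pem` before the save would reject it early. The `if cert = ... return true else return false end` shape also reads more simply as a guard: `return false unless cert = Puppet::SSL::Certificate.find(name, :in => source)`. A one-line YARD note on both new methods naming the `source`/`dest` terminus symbols they accept would help callers.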
diff --git a/lib/puppet/ssl/key.rb b/lib/puppet/ssl/key.rb
index 35370ac69..65294ac00 100644
--- a/lib/puppet/ssl/key.rb
+++ b/lib/puppet/ssl/key.rb
@@ -13,11 +13,7 @@ class Puppet::SSL::Key < Puppet::SSL::Base
# Knows how to create keys with our system defaults.
def generate
Puppet.info "Creating a new SSL key for %s" % name
- if pass = password
- @content = OpenSSL::PKey::RSA.new(Puppet[:keylength], pass)
- else
- @content = OpenSSL::PKey::RSA.new(Puppet[:keylength])
- end
+ @content = OpenSSL::PKey::RSA.new(Puppet[:keylength].to_i)
end
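Review bot: `Puppet[:keylength].to_i` turns a non-numeric setting into 0, and `OpenSSL::PKey::RSA.new(0)` then fails with an opaque OpenSSL error rather than pointing at the configuration; `Integer(Puppet[:keylength])` raises a clear `ArgumentError` for bad input and still accepts string or integer values. Suggest `@content = OpenSSL::PKey::RSA.new(Integer(Puppet[:keylength]))`.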
def password
@@ -39,4 +35,12 @@ class Puppet::SSL::Key < Puppet::SSL::Base
@content = wrapped_class.new(::File.read(path), password)
end
+
+ def to_s
+ if pass = password
+ @content.export(OpenSSL::Cipher::DES.new(:EDE3, :CBC), pass)
+ else
+ return super
+ end
+ end
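Review bot: `to_s` encrypts the exported key with `OpenSSL::Cipher::DES.new(:EDE3, :CBC)`; Triple-DES is a legacy cipher, and `OpenSSL::Cipher.new("aes-256-cbc")` is the conventional choice for passphrase-protected PEM today, with the same `export(cipher, pass)` call. The two branches also mix an implicit value with `return super`; writing `return super unless pass = password` followed by `@content.export(...)` keeps one style and flattens the conditional.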
end
diff --git a/lib/puppet/util/settings.rb b/lib/puppet/util/settings.rb
index 24a71516a..e595e2eea 100644
--- a/lib/puppet/util/settings.rb
+++ b/lib/puppet/util/settings.rb
@@ -685,7 +685,7 @@ Generated on #{Time.now}.
end
sync.synchronize(Sync::EX) do
- File.open(file, "r+", 0600) do |rf|
+ File.open(file, ::File::CREAT|::File::RDWR, 0600) do |rf|
rf.lock_exclusive do
if File.exist?(tmpfile)
raise Puppet::Error, ".tmp file already exists for %s; Aborting locked write. Check the .tmp file and delete if appropriate" %