Diffstat (limited to 'lib/puppet/ssl')
| -rw-r--r-- | lib/puppet/ssl/certificate_revocation_list.rb | 50 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 28 |
2 files changed, 38 insertions, 40 deletions
diff --git a/lib/puppet/ssl/certificate_revocation_list.rb b/lib/puppet/ssl/certificate_revocation_list.rb
index e892e276a..939b48443 100644
--- a/lib/puppet/ssl/certificate_revocation_list.rb
+++ b/lib/puppet/ssl/certificate_revocation_list.rb
@@ -1,12 +1,16 @@
 require 'puppet/ssl/base'
+require 'puppet/indirector'
 
 # Manage the CRL.
 class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
 wraps OpenSSL::X509::CRL
 
+extend Puppet::Indirector
+indirects :certificate_revocation_list
+
 # Knows how to create a CRL with our system defaults.
-def generate(cert, key)
-Puppet.info "Creating a new SSL key for %s" % name
+def generate(cert)
+Puppet.info "Creating a new certificate revocation list"
 @content = wrapped_class.new
 @content.issuer = cert.subject
 @content.version = 1
@@ -14,29 +18,19 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
 @content
 end
 
-def initialize(name, cert, key)
+def initialize
 raise Puppet::Error, "Cannot manage the CRL when :cacrl is set to false" if [false, "false"].include?(Puppet[:cacrl])
-@name = name
-
-read_or_generate(cert, key)
-end
-
-# A stupid indirection method to make this easier to test. Yay.
-def read_or_generate(cert, key)
-unless read(Puppet[:cacrl])
-generate(cert, key)
-save(key)
-end
+@name = "crl"
 end
 
 # Revoke the certificate with serial number SERIAL issued by this
-# CA. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reasons
-def revoke(serial, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
-if @config[:cacrl] == 'false'
-raise Puppet::Error, "Revocation requires a CRL, but ca_crl is set to 'false'"
-end
+# CA, then write the CRL back to disk. The REASON must be one of the
+# OpenSSL::OCSP::REVOKED_* reasons
+def revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
 time = Time.now
+
+# Add our revocation to the CRL.
 revoked = OpenSSL::X509::Revoked.new
 revoked.serial = serial
 revoked.time = time
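Review bot: The new `revoke(serial, cakey, reason = ...)` signature places the required key between `serial` and the optional `reason`, so a caller still written as `revoke(serial, reason)` now binds the reason constant to `cakey` and only fails later when the CRL is signed (the body of `revoke` continues past this hunk). Reject a bad key up front with `raise ArgumentError, "cakey must be a private key" unless cakey.respond_to?(:private?) && cakey.private?`, or take the reason as a keyword argument so the mis-binding cannot happen. The rewritten `initialize` fixes the instance name to `"crl"` with no comment; a line such as `# The CRL is a singleton, so it is always looked up under the fixed name "crl".` would record why the name parameter was dropped, assuming (not shown here) that the indirection added in the previous hunk keys on `name`.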
@@ -44,13 +38,7 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
 ext = OpenSSL::X509::Extension.new("CRLReason", enum)
 revoked.add_extension(ext)
 @content.add_revoked(revoked)
-store_crl
-end
 
-# Save the CRL to disk. Note that none of the other Base subclasses
-# have this method, because they all use the indirector to find and save
-# the CRL.
-def save(key)
 # Increment the crlNumber
 e = @content.extensions.find { |e| e.oid == 'crlNumber' }
 ext = @content.extensions.reject { |e| e.oid == 'crlNumber' }
@@ -59,14 +47,12 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base
 @content.extensions = ext
 
 # Set last/next update
-now = Time.now
-@content.last_update = now
+@content.last_update = time
 # Keep CRL valid for 5 years
-@content.next_update = now + 5 * 365*24*60*60
+@content.next_update = time + 5 * 365*24*60*60
+
+@content.sign(cakey, OpenSSL::Digest::SHA1.new)
 
-sign_with_key(@content)
-Puppet.settings.write(:cacrl) do |f|
-f.puts @content.to_pem
-end
+save
 end
 end
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 6f49175aa..dbd885316 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -15,7 +15,15 @@ class Puppet::SSL::Host
 extend Puppet::Util::ConstantInflector
 
 attr_reader :name
-attr_accessor :ca
+attr_accessor :ca, :password_file
+
+CA_NAME = "ca"
+
+# This is the constant that people will use to mark that a given host is
+# a certificate authority.
+def self.ca_name
+CA_NAME
+end
 
 # Search for more than one host, optionally only specifying
 # an interest in hosts with a given file type.
@@ -36,6 +44,11 @@ class Puppet::SSL::Host
 end
 end
 
+# Is this a ca host, meaning that all of its files go in the CA location?
+def ca?
+ca
+end
+
 def key
 return nil unless (defined?(@key) and @key) or @key = Key.find(name)
 @key.content
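Review bot: `@content.sign(cakey, OpenSSL::Digest::SHA1.new)` hard-codes the CRL signature digest inside `revoke`, whereas the removed `sign_with_key(@content)` presumably went through a shared signing path; the CRL can now silently end up signed with a different digest than the certificates this CA issues, and a SHA-1 literal is a weak choice to pin in a method body. Hoist it to one class-level constant shared with the certificate-signing code (for example `DIGEST = OpenSSL::Digest::SHA1` as a constructed placeholder until the two paths are aligned) and write `@content.sign(cakey, DIGEST.new)`. A short comment on `save` would also help, since the indirector terminus it writes through is not visible here: `# Persist through the indirector; the terminus decides where the CRL lands.` The `revoke` method this hunk closes begins in the preceding hunk.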
@@ -45,8 +58,12 @@ class Puppet::SSL::Host
 # with no inputs.
 def generate_key
 @key = Key.new(name)
+
+# If a password file is set, then the key will be stored
+# encrypted by the password.
+@key.password_file = password_file if password_file
 @key.generate
-@key.save :in => :file
+@key.save
 true
 end
 
@@ -60,7 +77,7 @@ class Puppet::SSL::Host
 generate_key unless key
 @certificate_request = CertificateRequest.new(name)
 @certificate_request.generate(key)
-@certificate_request.save :in => :file
+@certificate_request.save
 return true
 end
 
@@ -71,11 +88,6 @@ class Puppet::SSL::Host
 @certificate.content
 end
 
-# Is this a ca host, meaning that all of its files go in the CA collections?
-def ca?
-ca
-end
-
 # Remove all traces of this ssl host
 def destroy
 [key, certificate, certificate_request].each do |instance|
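Review bot: The new comment above `@key.password_file = password_file if password_file` asserts that the key "will be stored encrypted by the password", but nothing in this hunk shows `Key` consuming `password_file`; that behaviour lives in the `Key` class outside the diff, so the comment should defer to it rather than promise it, e.g. `# Hand the password file to Key, which is responsible for encrypting the stored key when one is set.` Dropping `:in => :file` from `@key.save` here, and from `@certificate_request.save` in the next hunk, means the destination now depends on whichever terminus the indirection selects, which this diff does not show; a one-line comment on each call would stop a reader from assuming the file terminus is still forced. `generate_key` still returns `true` regardless of what `@key.save` returned, which the commit leaves as it was; if `save` can signal failure, that result should be propagated instead of discarded.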
