Diffstat (limited to 'lib/puppet/sslcertificates/certificate.rb')
-rw-r--r-- | lib/puppet/sslcertificates/certificate.rb | 376 |
1 files changed, 188 insertions, 188 deletions
diff --git a/lib/puppet/sslcertificates/certificate.rb b/lib/puppet/sslcertificates/certificate.rb
index a9d1dd4ea..2d30bb09f 100644
--- a/lib/puppet/sslcertificates/certificate.rb
+++ b/lib/puppet/sslcertificates/certificate.rb
@@ -1,148 +1,148 @@ class Puppet::SSLCertificates::Certificate - SSLCertificates = Puppet::SSLCertificates - - attr_accessor :certfile, :keyfile, :name, :dir, :hash, :type - attr_accessor :key, :cert, :csr, :cacert - - @@params2names = { - :name => "CN", - :state => "ST", - :country => "C", - :email => "emailAddress", - :org => "O", - :city => "L", - :ou => "OU" + SSLCertificates = Puppet::SSLCertificates + + attr_accessor :certfile, :keyfile, :name, :dir, :hash, :type + attr_accessor :key, :cert, :csr, :cacert + + @@params2names = { + :name => "CN", + :state => "ST", + :country => "C", + :email => "emailAddress", + :org => "O", + :city => "L", + :ou => "OU" + } + + def certname + OpenSSL::X509::Name.new self.subject + end + + def delete + [@certfile,@keyfile].each { |file| + File.unlink(file) if FileTest.exists?(file) } - def certname - OpenSSL::X509::Name.new self.subject + if @hash + File.unlink(@hash) if FileTest.symlink?(@hash) end + end - def delete - [@certfile,@keyfile].each { |file| - File.unlink(file) if FileTest.exists?(file) - } - - if @hash - File.unlink(@hash) if FileTest.symlink?(@hash) - end - end + def exists? + FileTest.exists?(@certfile) + end - def exists? 
- FileTest.exists?(@certfile) - end - - def getkey - self.mkkey unless FileTest.exists?(@keyfile) - if @password + def getkey + self.mkkey unless FileTest.exists?(@keyfile) + if @password - @key = OpenSSL::PKey::RSA.new( + @key = OpenSSL::PKey::RSA.new( - File.read(@keyfile), + File.read(@keyfile), - @password - ) - else - @key = OpenSSL::PKey::RSA.new( - File.read(@keyfile) - ) - end + @password + ) + else + @key = OpenSSL::PKey::RSA.new( + File.read(@keyfile) + ) end + end - def initialize(hash) - raise Puppet::Error, "You must specify the common name for the certificate" unless hash.include?(:name) - @name = hash[:name] - - # init a few variables - @cert = @key = @csr = nil + def initialize(hash) + raise Puppet::Error, "You must specify the common name for the certificate" unless hash.include?(:name) + @name = hash[:name] - if hash.include?(:cert) - @certfile = hash[:cert] - @dir = File.dirname(@certfile) - else - @dir = hash[:dir] || Puppet[:certdir] - @certfile = File.join(@dir, @name) - end + # init a few variables + @cert = @key = @csr = nil - @cacertfile ||= File.join(Puppet[:certdir], "ca.pem") + if hash.include?(:cert) + @certfile = hash[:cert] + @dir = File.dirname(@certfile) + else + @dir = hash[:dir] || Puppet[:certdir] + @certfile = File.join(@dir, @name) + end - Puppet.recmkdir(@dir) unless FileTest.directory?(@dir) + @cacertfile ||= File.join(Puppet[:certdir], "ca.pem") - unless @certfile =~ /\.pem$/ - @certfile += ".pem" - end - @keyfile = hash[:key] || File.join( - Puppet[:privatekeydir], [@name,"pem"].join(".") - ) - Puppet.recmkdir(@dir) unless FileTest.directory?(@dir) + Puppet.recmkdir(@dir) unless FileTest.directory?(@dir) - [@keyfile].each { |file| - dir = File.dirname(file) + unless @certfile =~ /\.pem$/ + @certfile += ".pem" + end + @keyfile = hash[:key] || File.join( + Puppet[:privatekeydir], [@name,"pem"].join(".") + ) + Puppet.recmkdir(@dir) unless FileTest.directory?(@dir) - Puppet.recmkdir(dir) unless FileTest.directory?(dir) - } + 
[@keyfile].each { |file| + dir = File.dirname(file) - @ttl = hash[:ttl] || 365 * 24 * 60 * 60 - @selfsign = hash[:selfsign] || false - @encrypt = hash[:encrypt] || false - @replace = hash[:replace] || false - @issuer = hash[:issuer] || nil - - if hash.include?(:type) - case hash[:type] - when :ca, :client, :server; @type = hash[:type] - else - raise "Invalid Cert type #{hash[:type]}" - end - else - @type = :client - end + Puppet.recmkdir(dir) unless FileTest.directory?(dir) + } - @params = {:name => @name} - [:state, :country, :email, :org, :ou].each { |param| - @params[param] = hash[param] if hash.include?(param) - } + @ttl = hash[:ttl] || 365 * 24 * 60 * 60 + @selfsign = hash[:selfsign] || false + @encrypt = hash[:encrypt] || false + @replace = hash[:replace] || false + @issuer = hash[:issuer] || nil + + if hash.include?(:type) + case hash[:type] + when :ca, :client, :server; @type = hash[:type] + else + raise "Invalid Cert type #{hash[:type]}" + end + else + @type = :client + end - if @encrypt - if @encrypt =~ /^\// - File.open(@encrypt) { |f| - @password = f.read.chomp - } - else - raise Puppet::Error, ":encrypt must be a path to a pass phrase file" - end - else - @password = nil - end + @params = {:name => @name} + [:state, :country, :email, :org, :ou].each { |param| + @params[param] = hash[param] if hash.include?(param) + } - @selfsign = hash.include?(:selfsign) && hash[:selfsign] + if @encrypt + if @encrypt =~ /^\// + File.open(@encrypt) { |f| + @password = f.read.chomp + } + else + raise Puppet::Error, ":encrypt must be a path to a pass phrase file" + end + else + @password = nil end - # this only works for servers, not for users - def mkcsr - self.getkey unless @key + @selfsign = hash.include?(:selfsign) && hash[:selfsign] + end - name = OpenSSL::X509::Name.new self.subject + # this only works for servers, not for users + def mkcsr + self.getkey unless @key - @csr = OpenSSL::X509::Request.new - @csr.version = 0 - @csr.subject = name - @csr.public_key = 
@key.public_key - @csr.sign(@key, OpenSSL::Digest::SHA1.new) + name = OpenSSL::X509::Name.new self.subject - #File.open(@csrfile, "w") { |f| - # f << @csr.to_pem - #} + @csr = OpenSSL::X509::Request.new + @csr.version = 0 + @csr.subject = name + @csr.public_key = @key.public_key + @csr.sign(@key, OpenSSL::Digest::SHA1.new) - raise Puppet::Error, "CSR sign verification failed" unless @csr.verify(@key.public_key) + #File.open(@csrfile, "w") { |f| + # f << @csr.to_pem + #} - @csr - end + raise Puppet::Error, "CSR sign verification failed" unless @csr.verify(@key.public_key) - def mkkey - # @key is the file + @csr + end - @key = OpenSSL::PKey::RSA.new(1024) + def mkkey + # @key is the file + + @key = OpenSSL::PKey::RSA.new(1024) # { |p,n| # case p # when 0; Puppet.info "key info: ." # BN_generate_prime 
@@ -156,100 +156,100 @@ class Puppet::SSLCertificates::Certificate # end # } - if @password - # passwdproc = proc { @password } - - keytext = @key.export( + if @password + # passwdproc = proc { @password } - OpenSSL::Cipher::DES.new(:EDE3, :CBC), + keytext = @key.export( - @password - ) - File.open(@keyfile, "w", 0400) { |f| - f << keytext - } - else - File.open(@keyfile, "w", 0400) { |f| - f << @key.to_pem - } - end + OpenSSL::Cipher::DES.new(:EDE3, :CBC), - #cmd = "#{ossl} genrsa -out #{@key} 1024" + @password + ) + File.open(@keyfile, "w", 0400) { |f| + f << keytext + } + else + File.open(@keyfile, "w", 0400) { |f| + f << @key.to_pem + } end - def mkselfsigned - self.getkey unless @key + #cmd = "#{ossl} genrsa -out #{@key} 1024" + end - raise Puppet::Error, "Cannot replace existing certificate" if @cert + def mkselfsigned + self.getkey unless @key - args = { - :name => self.certname, - :ttl => @ttl, - :issuer => nil, - :serial => 0x0, - :publickey => @key.public_key - } - if @type - args[:type] = @type - else - args[:type] = :server - end - @cert = SSLCertificates.mkcert(args) + raise Puppet::Error, "Cannot replace existing certificate" if @cert - @cert.sign(@key, OpenSSL::Digest::SHA1.new) if @selfsign - - @cert + args = { + :name => self.certname, + :ttl => @ttl, + :issuer => nil, + :serial => 0x0, + :publickey => @key.public_key + } + if @type + args[:type] = @type + else + args[:type] = :server end + @cert = SSLCertificates.mkcert(args) - def subject(string = false) - subj = @@params2names.collect { |param, name| - [name, @params[param]] if @params.include?(param) - }.reject { |ary| ary.nil? 
} + @cert.sign(@key, OpenSSL::Digest::SHA1.new) if @selfsign - if string - return "/" + subj.collect { |ary| - "%s=%s" % ary - }.join("/") + "/" - else - return subj - end - end + @cert + end - # verify that we can track down the cert chain or whatever - def verify - "openssl verify -verbose -CAfile /home/luke/.puppet/ssl/certs/ca.pem -purpose sslserver culain.madstop.com.pem" + def subject(string = false) + subj = @@params2names.collect { |param, name| + [name, @params[param]] if @params.include?(param) + }.reject { |ary| ary.nil? } + + if string + return "/" + subj.collect { |ary| + "%s=%s" % ary + }.join("/") + "/" + else + return subj end + end - def write - files = { - @certfile => @cert, - @keyfile => @key, - } - files[@cacertfile] = @cacert if defined?(@cacert) + # verify that we can track down the cert chain or whatever + def verify + "openssl verify -verbose -CAfile /home/luke/.puppet/ssl/certs/ca.pem -purpose sslserver culain.madstop.com.pem" + end - files.each { |file,thing| - if thing - next if FileTest.exists?(file) + def write + files = { + @certfile => @cert, + @keyfile => @key, + } + files[@cacertfile] = @cacert if defined?(@cacert) - text = nil + files.each { |file,thing| + if thing + next if FileTest.exists?(file) - if thing.is_a?(OpenSSL::PKey::RSA) and @password + text = nil - text = thing.export( + if thing.is_a?(OpenSSL::PKey::RSA) and @password - OpenSSL::Cipher::DES.new(:EDE3, :CBC), + text = thing.export( - @password - ) - else - text = thing.to_pem - end + OpenSSL::Cipher::DES.new(:EDE3, :CBC), - File.open(file, "w", 0660) { |f| f.print text } - end - } + @password + ) + else + text = thing.to_pem + end - SSLCertificates.mkhash(Puppet[:certdir], @cacert, @cacertfile) if defined?(@cacert) - end + File.open(file, "w", 0660) { |f| f.print text } + end + } + + SSLCertificates.mkhash(Puppet[:certdir], @cacert, @cacertfile) if defined?(@cacert) + end end |