diff options
Diffstat (limited to 'lib/puppet')
| -rw-r--r-- | lib/puppet/network/http/webrick.rb | 18 | ||||
| -rw-r--r-- | lib/puppet/ssl/certificate_revocation_list.rb | 13 | ||||
| -rw-r--r-- | lib/puppet/ssl/host.rb | 18 |
3 files changed, 32 insertions, 17 deletions
diff --git a/lib/puppet/network/http/webrick.rb b/lib/puppet/network/http/webrick.rb index 9bcf9958f..30085ec47 100644 --- a/lib/puppet/network/http/webrick.rb +++ b/lib/puppet/network/http/webrick.rb @@ -93,7 +93,7 @@ class Puppet::Network::HTTP::WEBrick host.generate unless host.key - raise Puppet::Error, "Could not retrieve certificate for %s" % host.name unless host.certificate + raise Puppet::Error, "Could not retrieve certificate for %s and not running on a valid certificate authority" % host.name unless host.certificate results[:SSLPrivateKey] = host.key.content results[:SSLCertificate] = host.certificate.content @@ -107,25 +107,11 @@ class Puppet::Network::HTTP::WEBrick results[:SSLCACertificateFile] = Puppet[:localcacert] results[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER - results[:SSLCertificateStore] = setup_ssl_store if Puppet[:crl] + results[:SSLCertificateStore] = host.ssl_store if Puppet[:crl] results end - # Create our Certificate revocation list - def setup_ssl_store - unless crl = Puppet::SSL::CertificateRevocationList.find("ca") - raise Puppet::Error, "Could not find CRL; set 'crl' to 'false' to disable CRL usage" - end - store = OpenSSL::X509::Store.new - store.purpose = OpenSSL::X509::PURPOSE_ANY - store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK - - store.add_file(Puppet[:localcacert]) - store.add_crl(crl.content) - return store - end - private def setup_handlers diff --git a/lib/puppet/ssl/certificate_revocation_list.rb b/lib/puppet/ssl/certificate_revocation_list.rb index 96b71c7a3..3029c14a4 100644 --- a/lib/puppet/ssl/certificate_revocation_list.rb +++ b/lib/puppet/ssl/certificate_revocation_list.rb @@ -9,12 +9,23 @@ class Puppet::SSL::CertificateRevocationList < Puppet::SSL::Base indirects :certificate_revocation_list, :terminus_class => :file # Knows how to create a CRL with our system defaults. - def generate(cert) + def generate(cert, cakey) Puppet.info "Creating a new certificate revocation list" @content = wrapped_class.new @content.issuer = cert.subject @content.version = 1 + # Init the CRL number. + crlNum = OpenSSL::ASN1::Integer(0) + @content.extensions = [OpenSSL::X509::Extension.new("crlNumber", crlNum)] + + # Set last/next update + @content.last_update = Time.now + # Keep CRL valid for 5 years + @content.next_update = Time.now + 5 * 365*24*60*60 + + @content.sign(cakey, OpenSSL::Digest::SHA1.new) + @content end diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb index 09086e0fa..105b39dc6 100644 --- a/lib/puppet/ssl/host.rb +++ b/lib/puppet/ssl/host.rb @@ -164,6 +164,24 @@ class Puppet::SSL::Host def public_key key.content.public_key end + + # Create/return a store that uses our SSL info to validate + # connections. + def ssl_store(purpose = OpenSSL::X509::PURPOSE_ANY) + store = OpenSSL::X509::Store.new + store.purpose = purpose + + store.add_file(Puppet[:localcacert]) + + if Puppet[:crl] + unless crl = Puppet::SSL::CertificateRevocationList.find("ca") + raise ArgumentError, "Could not find CRL; set 'crl' to 'false' to disable CRL usage" + end + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + store.add_crl(crl.content) + end + return store + end end require 'puppet/ssl/certificate_authority' |