From 49be54e5d4c5c19ec1f7e5e454666bb59ebfe88f Mon Sep 17 00:00:00 2001
From: Markus Roberts
Date: Mon, 29 Mar 2010 17:16:05 -0700
Subject: Revert the guts of #2890

This patch reverts the semantically significant parts of #2890 due to the issues discussed on #3360 (security concerns when used with autosign, inconsistency between REST & XMLRPC semantics) but leaves the semantically neutral changes (code cleanup, added tests) in place. This patch is intended for 0.25.x, but may also be applied as a step in the resolution of #3450 (refactored #2890, add "remove_certs" flag) in Rolwf.
---
 lib/puppet/ssl/certificate.rb | 5 ++---
 lib/puppet/ssl/host.rb | 27 +++++++++++++++++----------
 2 files changed, 19 insertions(+), 13 deletions(-)
(limited to 'lib/puppet/ssl')

diff --git a/lib/puppet/ssl/certificate.rb b/lib/puppet/ssl/certificate.rb
index b6cba99a7..f9297f380 100644
--- a/lib/puppet/ssl/certificate.rb
+++ b/lib/puppet/ssl/certificate.rb
@@ -28,8 +28,7 @@ class Puppet::SSL::Certificate < Puppet::SSL::Base
 end
 
 def expiration
- # Our expiration is either that of the cache or the content, whichever comes first
- cache_expiration = @expiration
- [(content and content.not_after), cache_expiration].compact.sort.first
+ return nil unless content
+ return content.not_after
 end
 end
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 8d44ffe9c..225c9790f 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
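Review bot: The new `expiration` body in certificate.rb drops the comment that explained what the method returns, and `return content.not_after` uses an explicit `return` where the implicit last-expression value would do; `content.not_after` alone as the final line is the idiomatic form. Consider restoring a one-line comment such as `# Expiration is the certificate's own not_after; the cache expiration (@expiration) is intentionally no longer consulted (revert of #2890).` so a later reader does not re-introduce the cache term by accident. The method now returns nil whenever there is no content, which callers expecting a Time must tolerate — those callers are not visible from this hunk.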
@@ -154,19 +154,26 @@ class Puppet::SSL::Host
 end
 
 def certificate
- @certificate ||= (
+ unless @certificate
+ generate_key unless key
+
 # get the CA cert first, since it's required for the normal cert
 # to be of any use.
- if not (key or generate_key) or not (ca? or Certificate.find("ca")) or not (cert = Certificate.find(name)) or cert.expired?
- nil
- elsif not cert.content.check_private_key(key.content)
- Certificate.expire(name)
- Puppet.warning "Retrieved certificate does not match private key"
- nil
- else
- cert
+ return nil unless Certificate.find("ca") unless ca?
+ return nil unless @certificate = Certificate.find(name)
+
+ unless certificate_matches_key?
+ raise Puppet::Error, "Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key"
 end
- )
+ end
+ @certificate
+ end
+
+ def certificate_matches_key?
+ return false unless key
+ return false unless certificate
+
+ return certificate.content.check_private_key(key.content)
 end
 
 # Generate all necessary parts of our ssl host.
-- 
cgit
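Review bot: `return nil unless @certificate = Certificate.find(name)` memoizes the fetched certificate before `certificate_matches_key?` has checked it, so when the check fails and `Puppet::Error` is raised, `@certificate` is left holding the mismatched certificate; any later call to `certificate` skips the `unless @certificate` block and hands that certificate out without the key check, which matters if a caller rescues the error and carries on. Fetching into a local, validating, and only then assigning `@certificate` closes that window, and `certificate_matches_key?` can stay as the public predicate since it reads the memoized value. The same line also hides an assignment inside a condition, and `return nil unless Certificate.find("ca") unless ca?` stacks two modifiers where `return nil unless ca? or Certificate.find("ca")` says the same thing plainly. Whether `generate_key` guarantees a non-nil `key` afterwards is not visible in this hunk; if it can fail, `check_private_key(key.content)` would raise NoMethodError rather than the intended Puppet::Error, so that assumption should be confirmed against `generate_key`.
```ruby
def certificate
    unless @certificate
        generate_key unless key

        # … unchanged: CA-certificate lookup comment …
        return nil unless ca? or Certificate.find("ca")
        cert = Certificate.find(name)
        return nil unless cert

        # Validate before memoizing so a certificate that does not match
        # the private key is never cached and returned by a later call.
        unless cert.content.check_private_key(key.content)
            raise Puppet::Error, "Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key"
        end
        @certificate = cert
    end
    @certificate
end
# … unchanged: certificate_matches_key? …
```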