1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
|
require 'monitor'
require 'puppet/ssl/host'
require 'puppet/ssl/certificate_request'
# The class that knows how to sign certificates. It creates
# a 'special' SSL::Host whose name is 'ca', thus indicating
# that, well, it's the CA. There's some magic in the
# indirector/ssl_file terminus base class that does that
# for us.
# This class mostly just signs certs for us, but
# it can also be seen as a general interface into all of the
# SSL stuff.
class Puppet::SSL::CertificateAuthority
require 'puppet/ssl/certificate_factory'
require 'puppet/ssl/inventory'
require 'puppet/ssl/certificate_revocation_list'
require 'puppet/ssl/certificate_authority/interface'
require 'puppet/network/authstore'
extend MonitorMixin
class CertificateVerificationError < RuntimeError
attr_accessor :error_code
def initialize(code)
@error_code = code
end
end
def self.singleton_instance
synchronize do
@singleton_instance ||= new
end
end
def self.ca?
return false unless Puppet[:ca]
return false unless Puppet.run_mode.master?
true
end
# If this process can function as a CA, then return a singleton
# instance.
def self.instance
return nil unless ca?
singleton_instance
end
attr_reader :name, :host
# Create and run an applicator. I wanted to build an interface where you could do
# something like 'ca.apply(:generate).to(:all) but I don't think it's really possible.
def apply(method, options)
raise ArgumentError, "You must specify the hosts to apply to; valid values are an array or the symbol :all" unless options[:to]
applier = Interface.new(method, options)
applier.apply(self)
end
# If autosign is configured, then autosign all CSRs that match our configuration.
def autosign
return unless auto = autosign?
store = nil
store = autosign_store(auto) if auto != true
Puppet::SSL::CertificateRequest.indirection.search("*").each do |csr|
sign(csr.name) if auto == true or store.allowed?(csr.name, "127.1.1.1")
end
end
# Do we autosign? This returns true, false, or a filename.
def autosign?
auto = Puppet[:autosign]
return false if ['false', false].include?(auto)
return true if ['true', true].include?(auto)
raise ArgumentError, "The autosign configuration '#{auto}' must be a fully qualified file" unless auto =~ /^\//
FileTest.exist?(auto) && auto
end
# Create an AuthStore for autosigning.
def autosign_store(file)
auth = Puppet::Network::AuthStore.new
File.readlines(file).each do |line|
next if line =~ /^\s*#/
next if line =~ /^\s*$/
auth.allow(line.chomp)
end
auth
end
# Retrieve (or create, if necessary) the certificate revocation list.
def crl
unless defined?(@crl)
unless @crl = Puppet::SSL::CertificateRevocationList.indirection.find(Puppet::SSL::CA_NAME)
@crl = Puppet::SSL::CertificateRevocationList.new(Puppet::SSL::CA_NAME)
@crl.generate(host.certificate.content, host.key.content)
Puppet::SSL::CertificateRevocationList.indirection.save(@crl)
end
end
@crl
end
# Delegate this to our Host class.
def destroy(name)
Puppet::SSL::Host.destroy(name)
end
# Generate a new certificate.
def generate(name)
raise ArgumentError, "A Certificate already exists for #{name}" if Puppet::SSL::Certificate.indirection.find(name)
host = Puppet::SSL::Host.new(name)
host.generate_certificate_request
sign(name)
end
# Generate our CA certificate.
def generate_ca_certificate
generate_password unless password?
host.generate_key unless host.key
# Create a new cert request. We do this
# specially, because we don't want to actually
# save the request anywhere.
request = Puppet::SSL::CertificateRequest.new(host.name)
request.generate(host.key)
# Create a self-signed certificate.
@certificate = sign(host.name, :ca, request)
# And make sure we initialize our CRL.
crl
end
def initialize
Puppet.settings.use :main, :ssl, :ca
@name = Puppet[:certname]
@host = Puppet::SSL::Host.new(Puppet::SSL::Host.ca_name)
setup
end
# Retrieve (or create, if necessary) our inventory manager.
def inventory
@inventory ||= Puppet::SSL::Inventory.new
end
# Generate a new password for the CA.
def generate_password
pass = ""
20.times { pass += (rand(74) + 48).chr }
begin
Puppet.settings.write(:capass) { |f| f.print pass }
rescue Errno::EACCES => detail
raise Puppet::Error, "Could not write CA password: #{detail}"
end
@password = pass
pass
end
# List all signed certificates.
def list
Puppet::SSL::Certificate.indirection.search("*").collect { |c| c.name }
end
# Read the next serial from the serial file, and increment the
# file so this one is considered used.
def next_serial
serial = nil
# This is slightly odd. If the file doesn't exist, our readwritelock creates
# it, but with a mode we can't actually read in some cases. So, use
# a default before the lock.
serial = 0x1 unless FileTest.exist?(Puppet[:serial])
Puppet.settings.readwritelock(:serial) { |f|
serial ||= File.read(Puppet.settings[:serial]).chomp.hex if FileTest.exist?(Puppet[:serial])
# We store the next valid serial, not the one we just used.
f << "%04X" % (serial + 1)
}
serial
end
# Does the password file exist?
def password?
FileTest.exist? Puppet[:capass]
end
# Print a given host's certificate as text.
def print(name)
(cert = Puppet::SSL::Certificate.indirection.find(name)) ? cert.to_text : nil
end
# Revoke a given certificate.
def revoke(name)
raise ArgumentError, "Cannot revoke certificates when the CRL is disabled" unless crl
if cert = Puppet::SSL::Certificate.indirection.find(name)
serial = cert.content.serial
elsif ! serial = inventory.serial(name)
raise ArgumentError, "Could not find a serial number for #{name}"
end
crl.revoke(serial, host.key.content)
end
# This initializes our CA so it actually works. This should be a private
# method, except that you can't any-instance stub private methods, which is
# *awesome*. This method only really exists to provide a stub-point during
# testing.
def setup
generate_ca_certificate unless @host.certificate
end
# Sign a given certificate request.
def sign(hostname, cert_type = :server, self_signing_csr = nil)
# This is a self-signed certificate
if self_signing_csr
csr = self_signing_csr
issuer = csr.content
else
unless csr = Puppet::SSL::CertificateRequest.indirection.find(hostname)
raise ArgumentError, "Could not find certificate request for #{hostname}"
end
issuer = host.certificate.content
end
cert = Puppet::SSL::Certificate.new(hostname)
cert.content = Puppet::SSL::CertificateFactory.new(cert_type, csr.content, issuer, next_serial).result
cert.content.sign(host.key.content, OpenSSL::Digest::SHA1.new)
Puppet.notice "Signed certificate request for #{hostname}"
# Add the cert to the inventory before we save it, since
# otherwise we could end up with it being duplicated, if
# this is the first time we build the inventory file.
inventory.add(cert)
# Save the now-signed cert. This should get routed correctly depending
# on the certificate type.
Puppet::SSL::Certificate.indirection.save(cert)
# And remove the CSR if this wasn't self signed.
Puppet::SSL::CertificateRequest.indirection.destroy(csr.name) unless self_signing_csr
cert
end
# Verify a given host's certificate.
def verify(name)
unless cert = Puppet::SSL::Certificate.indirection.find(name)
raise ArgumentError, "Could not find a certificate for #{name}"
end
store = OpenSSL::X509::Store.new
store.add_file Puppet[:cacert]
store.add_crl crl.content if self.crl
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
raise CertificateVerificationError.new(store.error), store.error_string unless store.verify(cert.content)
end
def fingerprint(name, md = :MD5)
unless cert = Puppet::SSL::Certificate.indirection.find(name) || Puppet::SSL::CertificateRequest.indirection.find(name)
raise ArgumentError, "Could not find a certificate or csr for #{name}"
end
cert.fingerprint(md)
end
# List the waiting certificate requests.
def waiting?
Puppet::SSL::CertificateRequest.indirection.search("*").collect { |r| r.name }
end
end
|