path: root/lib/puppet/sslcertificates/ca.rb
blob: e9e66bc61d550c17ee48a82a66005231141fefad (plain)
require 'sync'

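class Puppet::SSLCertificates::CA
    include Puppet::Util::Warnings

    Certificate = Puppet::SSLCertificates::Certificate
    attr_accessor :keyfile, :file, :config, :dir, :cert, :crl

    # Number of characters in a generated CA password (see genpass).
    PASSWORD_LENGTH = 20
    # Generated passwords draw from the 74 consecutive ASCII characters
    # starting at '0' (code 48) -- the alphabet the previous rand-based
    # generator produced, kept so existing password files look the same.
    PASSWORD_ALPHABET_SIZE = 74
    PASSWORD_ALPHABET_BASE = 48
    # How long a freshly written CRL is declared valid (its next_update).
    CRL_LIFETIME = 5 * 365 * 24 * 60 * 60
    # Seconds per unit suffix accepted in a string-valued ca_ttl.
    TTL_UNITS = {
        'y' => 365 * 24 * 60 * 60,
        'd' => 24 * 60 * 60,
        'h' => 60 * 60,
        's' => 1
    }.freeze
    # Shape of a string-valued ca_ttl: digits followed by one unit letter.
    # Anchored with \A and \z (not ^ and $) so a value with a trailing
    # newline or a second line is rejected instead of partially matched.
    TTL_PATTERN = /\A(\d+)([ydhs])\z/

    # Path of the CA certificate, as configured by the :cacert setting.
    def certfile
        @config[:cacert]
    end

    # Remove all traces of a given host.  This is kind of hackish, but, eh.
    # Every per-host PEM file (CSR, signed cert, public key, private key,
    # client cert) is unlinked; a host with no files is a no-op.
    def clean(host)
        host = host.downcase
        [:csrdir, :signeddir, :publickeydir, :privatekeydir, :certdir].each do |setting|
            file = safe_hostfile(setting, host)
            next unless FileTest.exists?(file)

            # The "cert" command line tool talks to the user directly;
            # everything else goes through the logging framework.
            if Puppet[:name] == "cert"
                puts "Removing #{file}"
            else
                Puppet.info "Removing #{file}"
            end

            begin
                File.unlink(file)
            rescue => detail
                raise Puppet::Error, "Could not delete #{file}: #{detail}"
            end
        end
    end

    # Path of HOSTNAME's certificate request under :csrdir.
    # Raises Puppet::Error if HOSTNAME could escape that directory.
    def host2csrfile(hostname)
        safe_hostfile(:csrdir, hostname.downcase)
    end

    # this stores signed certs in a directory unrelated to
    # normal client certs
    # Raises Puppet::Error if HOSTNAME could escape that directory.
    def host2certfile(hostname)
        safe_hostfile(:signeddir, hostname.downcase)
    end

    # Turn our hostname into a Name object: the CN component of the
    # subject of THING (a certificate or a CSR).
    # Raises Puppet::Error when the subject carries no CN at all, instead
    # of failing with NoMethodError on nil.
    def thing2name(thing)
        cn = thing.subject.to_a.find { |component| component[0] == "CN" }
        raise Puppet::Error, "No CN in subject #{thing.subject}" unless cn
        cn[1]
    end

    # Set up the CA from the Puppet settings plus the overrides in HASH
    # (see setconfig), loading or creating the CA password, the CA
    # certificate, the CRL and the serial number file as needed.
    def initialize(hash = {})
        Puppet.settings.use(:main, :ca, :ssl)
        self.setconfig(hash)

        if Puppet[:capass]
            if FileTest.exists?(Puppet[:capass])
                @config[:password] = self.getpass
            else
                # Don't create a password if the cert already exists
                @config[:password] = self.genpass unless FileTest.exists?(@config[:cacert])
            end
        end

        self.getcert
        init_crl
        # Serial numbers live in the :serial file as hex; start counting at 1.
        unless FileTest.exists?(@config[:serial])
            Puppet.settings.write(:serial) do |f|
                f << "%04X" % 1
            end
        end
    end

    # Generate a new password for the CA, write it to the :capass file and
    # return it.  The password is drawn from OpenSSL's CSPRNG rather than
    # Kernel#rand, since it protects the CA private key.
    # Raises Puppet::Error when the password file cannot be written.
    def genpass
        pass = random_password(PASSWORD_LENGTH)

        begin
            Puppet.settings.write(:capass) { |f| f.print pass }
        rescue Errno::EACCES => detail
            raise Puppet::Error, detail.to_s
        end
        pass
    end

    # Get the CA password from the :capass file.
    # Raises Puppet::Error when that file is unset or unreadable.
    def getpass
        capass = @config[:capass]
        return File.read(capass) if capass && File.readable?(capass)

        raise Puppet::Error, "Could not read CA password file #{capass}"
    end

    # Get the CA cert.  Loads it from :cacert when present, otherwise
    # creates a fresh self-signed root (see mkrootcert).  Either way @cert
    # is set afterwards.
    def getcert
        if FileTest.exists?(@config[:cacert])
            @cert = OpenSSL::X509::Certificate.new(File.read(@config[:cacert]))
        else
            self.mkrootcert
        end
    end

    # Retrieve a client's CSR, or nil if HOST has none pending.
    def getclientcsr(host)
        csrfile = host2csrfile(host)
        return nil unless File.exists?(csrfile)

        OpenSSL::X509::Request.new(File.read(csrfile))
    end

    # Retrieve a client's certificate as [client cert, CA cert], or
    # [nil, nil] if HOST has no signed certificate.
    def getclientcert(host)
        certfile = host2certfile(host)
        return [nil, nil] unless File.exists?(certfile)

        [OpenSSL::X509::Certificate.new(File.read(certfile)), @cert]
    end

    # List certificates waiting to be signed.  This returns a list of hostnames, not actual
    # files -- the names can be converted to full paths with host2csrfile.
    def list(dummy_argument=:work_arround_for_ruby_GC_bug)
        pem_basenames(:csrdir)
    end

    # List signed certificates.  This returns a list of hostnames, not actual
    # files -- the names can be converted to full paths with host2certfile.
    def list_signed(dummy_argument=:work_arround_for_ruby_GC_bug)
        pem_basenames(:signeddir)
    end

    # Create the root certificate: a self-signed CA cert (and its key)
    # written to :cacert / :capub / :cakey.  Sets @cert and returns the
    # Certificate wrapper.
    def mkrootcert
        # Make the root cert's name the FQDN of the host running the CA.
        name = Facter["hostname"].value
        domain = Facter["domain"].value
        name += ".#{domain}" if domain

        cert = Certificate.new(
            :name => name,
            :cert => @config[:cacert],
            :encrypt => @config[:capass],
            :key => @config[:cakey],
            :selfsign => true,
            :ttl => ttl,
            :type => :ca
        )

        # This creates the cakey file
        Puppet::Util::SUIDManager.asuser(Puppet[:user], Puppet[:group]) do
            @cert = cert.mkselfsigned
        end
        Puppet.settings.write(:cacert) do |f|
            f.puts @cert.to_pem
        end
        Puppet.settings.write(:capub) do |f|
            f.puts @cert.public_key
        end
        cert
    end

    # Delete HOST's pending certificate request.
    # Raises Puppet::Error if there is none.
    def removeclientcsr(host)
        csrfile = host2csrfile(host)
        raise Puppet::Error, "No certificate request for #{host}" unless File.exists?(csrfile)

        File.unlink(csrfile)
    end

    # Revoke the certificate with serial number SERIAL issued by this
    # CA. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reasons
    # The CRL is re-signed and written out immediately.
    def revoke(serial, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
        revoked = OpenSSL::X509::Revoked.new
        revoked.serial = serial
        revoked.time = Time.now
        reason_code = OpenSSL::ASN1::Enumerated(reason)
        revoked.add_extension(OpenSSL::X509::Extension.new("CRLReason", reason_code))
        @crl.add_revoked(revoked)
        store_crl
    end

    # Take the Puppet config and store it locally.  Every "ca" setting is
    # copied into @config; entries of HASH override (and are pushed back
    # into) the global settings.  HASH is consumed: recognised keys are
    # deleted from it, and anything left over is an error.
    # Raises ArgumentError on unknown keys and Puppet::DevError when a
    # required directory setting is missing.
    def setconfig(hash)
        @config = {}
        Puppet.settings.params("ca").each { |param|
            param = param.intern if param.is_a? String
            if hash.include?(param)
                @config[param] = hash[param]
                Puppet[param] = hash[param]
                hash.delete(param)
            else
                @config[param] = Puppet[param]
            end
        }

        if hash.include?(:password)
            @config[:password] = hash[:password]
            hash.delete(:password)
        end

        raise ArgumentError, "Unknown parameters #{hash.keys.join(",")}" unless hash.empty?

        [:cadir, :csrdir, :signeddir].each { |dir|
            raise Puppet::DevError, "#{dir} is undefined" unless @config[dir]
        }
    end

    # Sign a given certificate request.  Returns [new cert, CA cert] and
    # stores the new certificate under :signeddir.
    # Raises Puppet::Error if CSR is not an OpenSSL::X509::Request or its
    # self-signature does not verify.
    def sign(csr)
        unless csr.is_a?(OpenSSL::X509::Request)
            raise Puppet::Error,
                "CA#sign only accepts OpenSSL::X509::Request objects, not #{csr.class}"
        end

        # Proof of possession: the request must verify under its own key.
        raise Puppet::Error, "CSR sign verification failed" unless csr.verify(csr.public_key)

        serial = next_serial

        newcert = Puppet::SSLCertificates.mkcert(
            :type => :server,
            :name => csr.subject,
            :ttl => ttl,
            :issuer => @cert,
            :serial => serial,
            :publickey => csr.public_key
        )

        sign_with_key(newcert)
        self.storeclientcert(newcert)

        [newcert, @cert]
    end

    # Store the client's CSR for later signing.  This is called from
    # server/ca.rb, and the CSRs are deleted once the certificate is actually
    # signed.
    # Raises Puppet::Error if a request for that host is already pending.
    def storeclientcsr(csr)
        host = thing2name(csr)

        csrfile = host2csrfile(host)
        raise Puppet::Error, "Certificate request for #{host} already exists" if File.exists?(csrfile)

        Puppet.settings.writesub(:csrdir, csrfile) do |f|
            f.print csr.to_pem
        end
    end

    # Store the certificate that we generate, adding it to the inventory
    # and overwriting (with a notice) any earlier certificate for the host.
    def storeclientcert(cert)
        host = thing2name(cert)

        certfile = host2certfile(host)
        Puppet.notice "Overwriting signed certificate #{certfile} for #{host}" if File.exists?(certfile)

        Puppet::SSLCertificates::Inventory::add(cert)
        Puppet.settings.writesub(:signeddir, certfile) do |f|
            f.print cert.to_pem
        end
    end

    # TTL for new certificates in seconds. If config param :ca_ttl is set,
    # use that, otherwise use :ca_days for backwards compatibility
    # A string-valued ca_ttl must match TTL_PATTERN (e.g. "5y", "30d");
    # a non-string ca_ttl is returned as-is.
    # Raises ArgumentError on a malformed ca_ttl or ca_days.
    def ttl
        days = @config[:ca_days]
        # ca_days may arrive as an Integer or a String; only an empty
        # String (or nil) counts as unset.
        if days && !days.to_s.empty?
            warnonce "Parameter ca_ttl is not set. Using deprecated ca_days instead."
            return integer_setting(:ca_days, days) * 24 * 60 * 60
        end

        ttl = @config[:ca_ttl]
        return ttl unless ttl.is_a?(String)

        match = TTL_PATTERN.match(ttl)
        raise ArgumentError, "Invalid ca_ttl #{ttl}" unless match
        unit = TTL_UNITS[match[2]]
        raise ArgumentError, "Invalid unit for ca_ttl #{ttl}" unless unit
        match[1].to_i * unit
    end

    private

    # Load the CRL from :cacrl, or create an empty one for our issuer and
    # write it out if none exists yet.  Sets @crl.
    def init_crl
        if FileTest.exists?(@config[:cacrl])
            @crl = OpenSSL::X509::CRL.new(File.read(@config[:cacrl]))
        else
            # Create new CRL
            @crl = OpenSSL::X509::CRL.new
            @crl.issuer = @cert.subject
            @crl.version = 1
            store_crl
            @crl
        end
    end

    # Bump the crlNumber, refresh last/next update, re-sign the CRL with
    # the CA key and write it to :cacrl.
    def store_crl
        # Increment the crlNumber: drop the old crlNumber extension and
        # append one with the next value (0 for a brand new CRL).
        current = @crl.extensions.find { |extension| extension.oid == 'crlNumber' }
        others = @crl.extensions.reject { |extension| extension.oid == 'crlNumber' }
        next_number = OpenSSL::ASN1::Integer(current ? current.value.to_i + 1 : 0)
        others << OpenSSL::X509::Extension.new("crlNumber", next_number)
        @crl.extensions = others

        # Set last/next update
        now = Time.now
        @crl.last_update = now
        # Keep CRL valid for 5 years
        @crl.next_update = now + CRL_LIFETIME

        sign_with_key(@crl)
        Puppet.settings.write(:cacrl) do |f|
            f.puts @crl.to_pem
        end
    end

    # Sign SIGNABLE (a certificate or CRL) with the CA private key.
    # DIGEST defaults to SHA-1 to keep signatures compatible with what
    # this CA has issued so far; callers wanting a stronger digest can
    # pass one (e.g. OpenSSL::Digest::SHA256.new).
    # Raises Puppet::Error if the key does not belong to @cert.
    def sign_with_key(signable, digest = OpenSSL::Digest::SHA1.new)
        cakey = ca_private_key
        raise Puppet::Error, "CA Certificate is invalid" unless @cert.check_private_key(cakey)

        signable.sign(cakey, digest)
    end

    # Load the CA private key from :cakey, decrypting it with the
    # configured password when there is one.
    # Raises Puppet::Error when the encrypted key cannot be loaded.
    def ca_private_key
        unless @config[:password]
            return OpenSSL::PKey::RSA.new(File.read(@config[:cakey]))
        end

        begin
            OpenSSL::PKey::RSA.new(File.read(@config[:cakey]), @config[:password])
        rescue
            raise Puppet::Error,
                "Decrypt of CA private key with password stored in @config[:capass] not possible"
        end
    end

    # Read the current serial under the :serial read/write lock and write
    # back the incremented value.  Returns the serial just consumed.
    def next_serial
        serial = nil
        Puppet.settings.readwritelock(:serial) { |f|
            serial = File.read(@config[:serial]).chomp.hex
            # increment the serial
            f << "%04X" % (serial + 1)
        }
        serial
    end

    # Path of HOST's PEM file inside the directory named by SETTING.
    # HOST is client-chosen in several callers (it is the CN of a
    # submitted CSR), so a value that could leave the directory -- a path
    # separator or NUL, or an empty name -- is rejected rather than joined.
    def safe_hostfile(setting, host)
        if host.empty? || host =~ %r{[/\\\0]}
            raise Puppet::Error, "Invalid certificate name #{host.inspect}"
        end
        File.join(Puppet[setting], "#{host}.pem")
    end

    # Hostnames of the *.pem files directly under the directory named by
    # SETTING (the ".pem" suffix stripped).
    def pem_basenames(setting)
        Dir.entries(Puppet[setting]).find_all { |entry|
            entry =~ /\.pem\z/
        }.collect { |entry|
            entry.sub(/\.pem\z/, '')
        }
    end

    # Coerce VALUE (an Integer, or a String of decimal digits) to an
    # Integer; NAME is only used in the error message.
    def integer_setting(name, value)
        return value if value.is_a?(Integer)
        raise ArgumentError, "Invalid #{name} #{value.inspect}" unless value.to_s =~ /\A\d+\z/
        value.to_s.to_i
    end

    # Build a LENGTH-character password from OpenSSL's CSPRNG.  Random
    # bytes are mapped onto the alphabet by rejection sampling (bytes at
    # or above the largest multiple of the alphabet size are discarded),
    # so every character is equally likely -- no modulo bias.
    def random_password(length)
        limit = 256 - (256 % PASSWORD_ALPHABET_SIZE)
        pass = ""
        while pass.length < length
            OpenSSL::Random.random_bytes(length).each_byte do |byte|
                next if byte >= limit
                pass << (byte % PASSWORD_ALPHABET_SIZE + PASSWORD_ALPHABET_BASE).chr
                break if pass.length >= length
            end
        end
        pass
    end
end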