1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
require 'fileutils'
require 'openssl'
require 'yaml'
module Puppetserver
module Ca
class Host
# Exclude OIDs that may conflict with how Puppet creates CSRs.
#
# We only have nominal support for Microsoft extension requests, but since we
# ultimately respect that field when looking for extension requests in a CSR
# we need to prevent that field from being written to directly.
PRIVATE_CSR_ATTRIBUTES = [
'extReq', '1.2.840.113549.1.9.14',
'msExtReq', '1.3.6.1.4.1.311.2.1.14',
]
PRIVATE_EXTENSIONS = [
'subjectAltName', '2.5.29.17',
]
# A mapping of Puppet extension short names to their OIDs. These appear in
# csr_attributes.yaml.
PUPPET_SHORT_NAMES =
{'pp_uuid' => "1.3.6.1.4.1.34380.1.1.1",
'pp_instance_id' => "1.3.6.1.4.1.34380.1.1.2",
'pp_image_name' => "1.3.6.1.4.1.34380.1.1.3",
'pp_preshared_key'=> "1.3.6.1.4.1.34380.1.1.4",
'pp_cost_center' => "1.3.6.1.4.1.34380.1.1.5",
'pp_product' => "1.3.6.1.4.1.34380.1.1.6",
'pp_project' => "1.3.6.1.4.1.34380.1.1.7",
'pp_application' => "1.3.6.1.4.1.34380.1.1.8",
'pp_service'=> "1.3.6.1.4.1.34380.1.1.9",
'pp_employee' => "1.3.6.1.4.1.34380.1.1.10",
'pp_created_by' => "1.3.6.1.4.1.34380.1.1.11",
'pp_environment' => "1.3.6.1.4.1.34380.1.1.12",
'pp_role' => "1.3.6.1.4.1.34380.1.1.13",
'pp_software_version' => "1.3.6.1.4.1.34380.1.1.14",
'pp_department' => "1.3.6.1.4.1.34380.1.1.15",
'pp_cluster' => "1.3.6.1.4.1.34380.1.1.16",
'pp_provisioner' => "1.3.6.1.4.1.34380.1.1.17",
'pp_region' => "1.3.6.1.4.1.34380.1.1.18",
'pp_datacenter' => "1.3.6.1.4.1.34380.1.1.19",
'pp_zone' => "1.3.6.1.4.1.34380.1.1.20",
'pp_network' => "1.3.6.1.4.1.34380.1.1.21",
'pp_securitypolicy' => "1.3.6.1.4.1.34380.1.1.22",
'pp_cloudplatform' => "1.3.6.1.4.1.34380.1.1.23",
'pp_apptier' => "1.3.6.1.4.1.34380.1.1.24",
'pp_hostname' => "1.3.6.1.4.1.34380.1.1.25",
'pp_owner' => "1.3.6.1.4.1.34380.1.1.26",
'pp_authorization' => "1.3.6.1.4.1.34380.1.3.1",
'pp_auth_role' => "1.3.6.1.4.1.34380.1.3.13"}
attr_reader :errors
def initialize(digest)
@digest = digest
@errors = []
end
# If both the private and public keys exist for a server then we want
# to honor them here, if only one key exists we want to surface an error,
# and if neither exist we generate a new key. This logic is necessary for
# proper bootstrapping for certain server workflows.
def create_private_key(keylength, private_path = '', public_path = '')
if File.exist?(private_path) && File.exist?(public_path)
return OpenSSL::PKey.read(File.read(private_path))
elsif !File.exist?(private_path) && !File.exist?(public_path)
return OpenSSL::PKey::RSA.new(keylength)
elsif !File.exist?(private_path) && File.exist?(public_path)
@errors << "Missing private key to match public key at #{public_path}"
return nil
elsif File.exist?(private_path) && !File.exist?(public_path)
@errors << "Missing public key to match private key at #{private_path}"
return nil
end
end
def create_csr(name:, key:, cli_extensions: [], csr_attributes_path: '')
csr = OpenSSL::X509::Request.new
csr.public_key = key.public_key
csr.subject = OpenSSL::X509::Name.new([["CN", name]])
custom_attributes = get_custom_attributes(csr_attributes_path)
extension_requests = get_extension_requests(csr_attributes_path)
add_csr_attributes(csr, custom_attributes)
add_csr_extensions(csr, extension_requests, cli_extensions)
csr.sign(key, @digest) if @errors.empty?
csr
end
def extension_attribute(extensions)
seq = OpenSSL::ASN1::Sequence(extensions)
ext_req = OpenSSL::ASN1::Set([seq])
OpenSSL::X509::Attribute.new("extReq", ext_req)
end
def get_custom_attributes(attributes_path)
if csr_attributes = load_csr_attributes(attributes_path)
csr_attributes['custom_attributes']
end
end
def get_extension_requests(attributes_path)
if csr_attributes = load_csr_attributes(attributes_path)
csr_attributes['extension_requests']
end
end
# This loads all the custom_attributes and extension requests
# from the csr_attributes.yaml
def load_csr_attributes(attributes_path)
@custom_csr_attributes ||=
if File.exist?(attributes_path)
yaml = YAML.load_file(attributes_path)
if !yaml.is_a?(Hash)
@errors << "Invalid CSR attributes, expected instance of Hash, received instance of #{yaml.class}"
return
end
yaml
end
end
def add_csr_attributes(csr, csr_attributes)
if csr_attributes
csr_attributes.each do |oid, value|
begin
if PRIVATE_CSR_ATTRIBUTES.include? oid
@errors << "Cannot specify CSR attribute #{oid}: conflicts with internally used CSR attribute"
end
oid = PUPPET_SHORT_NAMES[oid] || oid
encoded = OpenSSL::ASN1::PrintableString.new(value.to_s)
attr_set = OpenSSL::ASN1::Set.new([encoded])
csr.add_attribute(OpenSSL::X509::Attribute.new(oid, attr_set))
rescue OpenSSL::X509::AttributeError => e
@errors << "Cannot create CSR with attribute #{oid}: #{e.message}"
end
end
end
end
def add_csr_extensions(csr, extension_requests, cli_extensions)
if extension_requests || cli_extensions.any?
extensions =
if extension_requests
validated_extensions(extension_requests) + cli_extensions
else
cli_extensions
end
csr.add_attribute(extension_attribute(extensions))
end
end
def validated_extensions(extension_requests)
extensions = []
extension_requests.each do |oid, value|
begin
if PRIVATE_EXTENSIONS.include? oid
@errors << "Cannot specify CSR extension request #{oid}: conflicts with internally used extension request"
end
oid = PUPPET_SHORT_NAMES[oid] || oid
ext = OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value.to_s).to_der, false)
extensions << ext
rescue OpenSSL::X509::ExtensionError => e
@errors << "Cannot create CSR with extension request #{oid}: #{e.message}"
end
end
extensions
end
end
end
end
|
