module Puppet::SSL::Oids

This module defines OIDs for use within Puppet.

# ASN.1 Definition

The following is the formal definition of OIDs specified in this file.

```asn1
puppetCertExtensions OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
                                            dod(6) internet(1) private(4) enterprise(1) 34380 1}

-- the tree under registeredExtensions 'belongs' to puppetlabs
-- privateExtensions can be extended by enterprises to suit their own needs
registeredExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 1 }
privateExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 2 }
authorizationExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 3 }

-- subtree of common registered extensions
-- The short names for these OIDs are intentionally lowercased and formatted
-- since they may be exposed inside the Puppet DSL as variables.
pp_uuid OBJECT IDENTIFIER ::= { registeredExtensions 1 }
pp_instance_id OBJECT IDENTIFIER ::= { registeredExtensions 2 }
pp_image_name OBJECT IDENTIFIER ::= { registeredExtensions 3 }
pp_preshared_key OBJECT IDENTIFIER ::= { registeredExtensions 4 }
```

@api private

Constants

PUPPET_OIDS

Note: When updating the following OIDs make sure to also update the OID definitions here: github.com/puppetlabs/puppetserver/blob/master/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L122-L159

Public Class Methods

load_custom_oid_file(custom_oid_file, map_key='oid_mapping')

Load custom OID mapping file that enables custom OIDs to be resolved into user-friendly names.

@param custom_oid_file [String] File to obtain custom OIDs mapping from
@param map_key [String] Hash key in which custom OIDs mapping is stored

@example Custom OID mapping file

```yaml
oid_mapping:
  '1.3.6.1.4.1.34380.1.2.1.1':
    shortname : 'myshortname'
    longname  : 'Long name'
  '1.3.6.1.4.1.34380.1.2.1.2':
    shortname: 'myothershortname'
    longname: 'Other Long name'
```

```ruby
# File lib/puppet/ssl/oids.rb
def self.load_custom_oid_file(custom_oid_file, map_key='oid_mapping')
  # parse_custom_oid_file returns nil when the file is absent or unreadable
  oid_defns = parse_custom_oid_file(custom_oid_file, map_key)
  unless oid_defns.nil?
    begin
      # each definition is [oid, shortname, longname]
      oid_defns.each do |oid_defn|
        OpenSSL::ASN1::ObjectId.register(*oid_defn)
      end
    rescue => err
      raise ArgumentError, _("Error registering ssl custom OIDs mapping from file '%{custom_oid_file}': %{err}") % { custom_oid_file: custom_oid_file, err: err }, err.backtrace
    end
  end
end
```
parse_custom_oid_file(custom_oid_file, map_key='oid_mapping')

Parse custom OID mapping file that enables custom OIDs to be resolved into user-friendly names.

@param custom_oid_file [String] File to obtain custom OIDs mapping from
@param map_key [String] Hash key in which custom OIDs mapping is stored

@example Custom OID mapping file

```yaml
oid_mapping:
  '1.3.6.1.4.1.34380.1.2.1.1':
    shortname : 'myshortname'
    longname  : 'Long name'
  '1.3.6.1.4.1.34380.1.2.1.2':
    shortname: 'myothershortname'
    longname: 'Other Long name'
```

```ruby
# File lib/puppet/ssl/oids.rb
def self.parse_custom_oid_file(custom_oid_file, map_key='oid_mapping')
  # A missing or unreadable file yields nil rather than an error
  if File.exist?(custom_oid_file) && File.readable?(custom_oid_file)
    mapping = nil
    begin
      mapping = Puppet::Util::Yaml.safe_load_file(custom_oid_file, [Symbol])
    rescue => err
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': %{err}") % { custom_oid_file: custom_oid_file, err: err }, err.backtrace
    end

    unless mapping.has_key?(map_key)
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': no such index '%{map_key}'") % { custom_oid_file: custom_oid_file, map_key: map_key }
    end

    unless mapping[map_key].is_a?(Hash)
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': data under index '%{map_key}' must be a Hash") % { custom_oid_file: custom_oid_file, map_key: map_key }
    end

    # Build [oid, shortname, longname] triples in the form ObjectId.register expects
    oid_defns = []
    mapping[map_key].keys.each do |oid|
      shortname, longname = mapping[map_key][oid].values_at("shortname","longname")
      if shortname.nil? || longname.nil?
        raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': incomplete definition of oid '%{oid}'") % { custom_oid_file: custom_oid_file, oid: oid }
      end
      oid_defns << [oid, shortname, longname]
    end

    oid_defns
  end
end
```
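As an added example (not Puppet's own code), the following parses a mapping in the file shape documented above, registers it with OpenSSL the way load_custom_oid_file does, and resolves the OID back to its names. The helper names, the sample YAML and the requirement that custom OIDs sit under the privateExtensions arc are this example's own assumptions.

```ruby
# Added example (not Puppet's own code): parse a custom OID mapping file,
# register it with OpenSSL, and resolve the OID back to its names.
require 'openssl'
require 'yaml'

# Constructed sample mapping in the file shape documented above.
CUSTOM_OID_YAML = <<~YAML
  oid_mapping:
    '1.3.6.1.4.1.34380.1.2.1.1':
      shortname: 'myshortname'
      longname: 'Long name'
    '1.3.6.1.4.1.34380.1.2.1.2':
      shortname: 'myothershortname'
      longname: 'Other Long name'
YAML

# privateExtensions arc from the ASN.1 definition above. Requiring custom
# OIDs to sit under it is an assumption of this example, not a Puppet rule.
PRIVATE_EXTENSIONS = '1.3.6.1.4.1.34380.1.2'

# Returns [[oid, shortname, longname], ...] with the same structural checks
# as parse_custom_oid_file, plus the privateExtensions arc check.
def parse_oid_mapping(yaml_text, map_key = 'oid_mapping')
  mapping = YAML.safe_load(yaml_text)
  unless mapping.is_a?(Hash) && mapping.key?(map_key)
    raise ArgumentError, "no such index '#{map_key}'"
  end
  defns = mapping[map_key]
  raise ArgumentError, "data under '#{map_key}' must be a Hash" unless defns.is_a?(Hash)
  defns.map do |oid, attrs|
    sn, ln = attrs.is_a?(Hash) ? attrs.values_at('shortname', 'longname') : [nil, nil]
    raise ArgumentError, "incomplete definition of oid '#{oid}'" if sn.nil? || ln.nil?
    unless oid.to_s.start_with?("#{PRIVATE_EXTENSIONS}.")
      raise ArgumentError, "oid '#{oid}' is outside privateExtensions"
    end
    [oid.to_s, sn, ln]
  end
end

# Register each definition once. OpenSSL rejects an OID or name it already
# knows, so entries that already resolve to a short name are skipped.
def register_oid_mapping(defns)
  defns.each do |oid, sn, ln|
    OpenSSL::ASN1::ObjectId.register(oid, sn, ln) if OpenSSL::ASN1::ObjectId.new(oid).sn.nil?
  end
  defns.map { |oid, _sn, _ln| [OpenSSL::ASN1::ObjectId.new(oid).sn, OpenSSL::ASN1::ObjectId.new(oid).ln] }
end
```

After registration, OpenSSL resolves either direction, so `OpenSSL::ASN1::ObjectId.new('myshortname').oid` gives the dotted form and a CSR carrying that extension is parsed with the friendly name rather than failing.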
register_puppet_oids()

Register our custom Puppet OIDs with OpenSSL so they can be used as CSR extensions. Without registering these OIDs, OpenSSL will fail when it encounters such an extension in a CSR.

```ruby
# File lib/puppet/ssl/oids.rb
def self.register_puppet_oids()
  # Registration is process-global, so guard against doing it twice
  if !@did_register_puppet_oids
    PUPPET_OIDS.each do |oid_defn|
      OpenSSL::ASN1::ObjectId.register(*oid_defn)
    end

    @did_register_puppet_oids = true
  end
end
```
subtree_of?(first, second, exclusive = false)

Determine if the first OID contains the second OID.

@param first [String] The containing OID, in dotted form or as the short name
@param second [String] The contained OID, in dotted form or as the short name
@param exclusive [true, false] If an OID should not be considered as a subtree of itself

@example Comparing two dotted OIDs

Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6.1.4.1') #=> true
Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6') #=> false

@example Comparing an OID short name with a dotted OID

Puppet::SSL::Oids.subtree_of?('IANA', '1.3.6.1.4.1') #=> true
Puppet::SSL::Oids.subtree_of?('1.3.6.1', 'enterprises') #=> true

@example Comparing an OID against itself

Puppet::SSL::Oids.subtree_of?('IANA', 'IANA') #=> true
Puppet::SSL::Oids.subtree_of?('IANA', 'IANA', true) #=> false

@return [true, false]

```ruby
# File lib/puppet/ssl/oids.rb
def self.subtree_of?(first, second, exclusive = false)
  # Resolve short names (e.g. 'IANA') to dotted form before comparing
  first_oid = OpenSSL::ASN1::ObjectId.new(first).oid
  second_oid = OpenSSL::ASN1::ObjectId.new(second).oid

  if exclusive and first_oid == second_oid
    false
  else
    second_oid.index(first_oid) == 0
  end
rescue OpenSSL::ASN1::ASN1Error, TypeError
  # Unknown names or malformed OIDs are simply not subtrees
  false
end
```
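An added example (not Puppet's code) that decides containment arc by arc after resolving names through OpenSSL, and classifies an extension OID against the Puppet arcs from the ASN.1 definition above. It also keeps the raw string-prefix comparison used by subtree_of? alongside, to show the one input shape on which the two disagree. The helper names, the constructed sample OIDs and the classification categories are assumptions of this example.

```ruby
# Added example (not Puppet's own code): OID containment compared arc by
# arc, with names resolved through OpenSSL as subtree_of? does.
require 'openssl'

# Resolve a dotted OID or a name OpenSSL knows ('IANA', 'enterprises', or a
# short name registered via register_puppet_oids) to dotted form; nil if unknown.
def resolve_oid(name)
  OpenSSL::ASN1::ObjectId.new(name).oid
rescue OpenSSL::ASN1::ASN1Error, TypeError
  nil
end

# Arc-by-arc containment: every arc of +first+ must equal the corresponding
# arc of +second+, so 1.3.6.10 is not treated as a child of 1.3.6.1.
def oid_subtree_of?(first, second, exclusive = false)
  first_arcs = resolve_oid(first)&.split('.')
  second_arcs = resolve_oid(second)&.split('.')
  return false if first_arcs.nil? || second_arcs.nil?
  return false if exclusive && first_arcs == second_arcs
  second_arcs.first(first_arcs.length) == first_arcs
end

# The same question asked of the raw dotted strings (index(prefix) == 0),
# kept here only to show where the two approaches disagree.
def string_prefix_subtree_of?(first, second)
  f, s = resolve_oid(first), resolve_oid(second)
  !f.nil? && !s.nil? && s.index(f) == 0
end

# Arcs from the ASN.1 definition at the top of this page.
PUPPET_CERT_EXTENSIONS = '1.3.6.1.4.1.34380.1'
REGISTERED_EXTENSIONS = "#{PUPPET_CERT_EXTENSIONS}.1"
PRIVATE_EXTENSIONS = "#{PUPPET_CERT_EXTENSIONS}.2"

# Classify a CSR extension OID (constructed input) by which Puppet arc holds it.
def puppet_extension_arc(oid)
  return :registered if oid_subtree_of?(REGISTERED_EXTENSIONS, oid)
  return :private if oid_subtree_of?(PRIVATE_EXTENSIONS, oid)
  return :puppet_other if oid_subtree_of?(PUPPET_CERT_EXTENSIONS, oid)
  :foreign
end
```

With these helpers, a constructed sibling arc such as 1.3.6.1.4.1.34380.1.10.1 is classified as :puppet_other, whereas a string-prefix test would report it as lying under registeredExtensions.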