class Puppet::SSL::Certificate

Manage certificates themselves. This class has no 'generate' method because the CA is responsible for turning CSRs into certificates; we can only retrieve them from the CA (or not, as is often the case).

@deprecated Use {Puppet::SSL::SSLProvider} instead.

Public Class Methods

subject_alt_names_for(cert)

    # File lib/puppet/ssl/certificate.rb
    def self.subject_alt_names_for(cert)
      alts = cert.extensions.find{|ext| ext.oid == "subjectAltName"}
      return [] unless alts
      alts.value.split(/\s*,\s*/)
    end

supported_formats()

Because of how the format handler class is included, this can't be in the base class.

    # File lib/puppet/ssl/certificate.rb
    def self.supported_formats
      [:s]
    end

Public Instance Methods

custom_extensions()

Any extensions registered with custom OIDs as defined in module Puppet::SSL::Oids may be looked up here.

A cert with a 'pp_uuid' extension having the value 'abcd' would return:

    { 'oid' => 'pp_uuid', 'value' => 'abcd'}

@return [Array<Hash{String => String}>] An array of two element hashes, with key/value pairs for the extension's oid, and its value.

    # File lib/puppet/ssl/certificate.rb
    def custom_extensions
      custom_exts = content.extensions.select do |ext|
        Puppet::SSL::Oids.subtree_of?('ppRegCertExt', ext.oid) or
          Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', ext.oid) or
          Puppet::SSL::Oids.subtree_of?('ppAuthCertExt', ext.oid)
      end

      custom_exts.map do |ext|
        {'oid' => ext.oid, 'value' => get_ext_val(ext.oid)}
      end
    end

expiration()

    # File lib/puppet/ssl/certificate.rb
    def expiration
      return nil unless content
      content.not_after
    end

subject_alt_names()

    # File lib/puppet/ssl/certificate.rb
    def subject_alt_names
      self.class.subject_alt_names_for(content)
    end

unmunged_name()

This name is what gets extracted from the subject before being passed to the constructor, so it's not downcased.

    # File lib/puppet/ssl/certificate.rb
    def unmunged_name
      self.class.name_from_subject(content.subject.to_utf8)
    end

Private Instance Methods

exts_seq()

Extract the extensions sequence from the wrapped certificate's raw ASN.1 form.

    # File lib/puppet/ssl/certificate.rb
    def exts_seq
      # See RFC-2459 section 4.1 (https://tools.ietf.org/html/rfc2459#section-4.1)
      # to see where this is defined. Essentially this is saying "in the first
      # sequence in the certificate, find the item that's tagged with 3. This
      # is where the extensions are stored."
      @extensions_tag ||= 3

      @exts_seq ||= OpenSSL::ASN1.decode(content.to_der).value[0].value.find do |data|
        (data.tag == @extensions_tag) && (data.tag_class == :CONTEXT_SPECIFIC)
      end.value[0]
    end

get_ext_val(oid)

Get the DER-parsed value of an X.509 extension by its OID, or by its short name if one has been registered with OpenSSL.

    # File lib/puppet/ssl/certificate.rb
    def get_ext_val(oid)
      ext_obj = exts_seq.value.find do |ext_seq|
        ext_seq.value[0].value == oid
      end

      raw_val = ext_obj.value.last.value

      begin
        OpenSSL::ASN1.decode(raw_val).value
      rescue OpenSSL::ASN1::ASN1Error
        # This is required to maintain backward compatibility with the previous
        # way trusted facts were signed. See PUP-3560
        raw_val
      end
    end
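The following is an added, stand-alone example (not Puppet's own code) that walks the same path as custom_extensions, exts_seq and get_ext_val above with plain OpenSSL: it builds a self-signed certificate carrying two custom extensions, one whose extnValue is a DER UTF8String and one whose extnValue is raw bytes in the pre-PUP-3560 style, then reads them back from the raw ASN.1 [3] extensions sequence. The OID values and the certificate are constructed for the example; the real registered OIDs live in Puppet::SSL::Oids.

```ruby
require 'openssl'

# Assumed OIDs for this example (Puppet registers its real arc in Puppet::SSL::Oids).
PP_REG_ARC    = '1.3.6.1.4.1.34380.1.1'        # assumed ppRegCertExt arc
PP_UUID_OID   = "#{PP_REG_ARC}.1"              # assumed pp_uuid, DER-encoded value
PP_LEGACY_OID = "#{PP_REG_ARC}.2"              # constructed OID with a raw (non-DER) value

# Mirror exts_seq: tbsCertificate is value[0]; the extensions live in the
# context-specific [3] element (RFC 2459 section 4.1), which wraps one SEQUENCE.
def extensions_sequence(cert)
  tbs = OpenSSL::ASN1.decode(cert.to_der).value[0]
  tagged = tbs.value.find { |d| d.tag == 3 && d.tag_class == :CONTEXT_SPECIFIC }
  tagged && tagged.value[0]
end

# Mirror get_ext_val: locate the extension by dotted OID, take the extnValue
# OCTET STRING, and DER-decode it, falling back to the raw bytes on ASN1Error.
def extension_value(cert, oid)
  seq = extensions_sequence(cert)
  return nil unless seq
  ext = seq.value.find { |e| e.value[0].oid == oid }
  return nil unless ext
  raw = ext.value.last.value
  begin
    OpenSSL::ASN1.decode(raw).value
  rescue OpenSSL::ASN1::ASN1Error
    raw   # pre-PUP-3560 style: value stored verbatim, not DER
  end
end

# Mirror custom_extensions: every extension under one of the given arcs as oid/value hashes.
def custom_extensions(cert, arcs)
  seq = extensions_sequence(cert)
  return [] unless seq
  seq.value.map { |e| e.value[0].oid }
     .select { |oid| arcs.any? { |arc| oid.start_with?("#{arc}.") } }
     .map { |oid| { 'oid' => oid, 'value' => extension_value(cert, oid) } }
end

# Constructed self-signed test certificate with both styles of custom extension.
def build_test_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.add_extension(OpenSSL::X509::Extension.new(PP_UUID_OID, OpenSSL::ASN1::UTF8String.new('abcd').to_der, false))
  cert.add_extension(OpenSSL::X509::Extension.new(PP_LEGACY_OID, 'legacy', false))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
end
```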