class Puppet::SSL::Certificate
Manage certificates themselves. This class has no 'generate' method because the CA is responsible for turning CSRs into certificates; we can only retrieve them from the CA (or not, as is often the case).
@deprecated Use {Puppet::SSL::SSLProvider} instead.
Public Class Methods
# File lib/puppet/ssl/certificate.rb
def self.subject_alt_names_for(cert)
  alts = cert.extensions.find { |ext| ext.oid == "subjectAltName" }
  return [] unless alts
  # OpenSSL renders the extension as "DNS:a, DNS:b, IP:..."; split on the commas
  alts.value.split(/\s*,\s*/)
end
Because of how the format handler class is included, this can't be in the base class.
# File lib/puppet/ssl/certificate.rb
def self.supported_formats
  [:s]
end
Public Instance Methods
Any extensions registered with custom OIDs as defined in module Puppet::SSL::Oids may be looked up here.
A cert with a 'pp_uuid' extension having the value 'abcd' would return:
- { 'oid' => 'pp_uuid', 'value' => 'abcd' }
@return [Array<Hash{String => String}>] An array of two element hashes, with key/value pairs for the extension's oid, and its value.
# File lib/puppet/ssl/certificate.rb
def custom_extensions
  # Only extensions under the three Puppet-registered arcs are reported
  custom_exts = content.extensions.select do |ext|
    Puppet::SSL::Oids.subtree_of?('ppRegCertExt', ext.oid) or
      Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', ext.oid) or
      Puppet::SSL::Oids.subtree_of?('ppAuthCertExt', ext.oid)
  end

  custom_exts.map do |ext|
    { 'oid' => ext.oid, 'value' => get_ext_val(ext.oid) }
  end
end
# File lib/puppet/ssl/certificate.rb
def expiration
  return nil unless content
  content.not_after
end
# File lib/puppet/ssl/certificate.rb
def subject_alt_names
  self.class.subject_alt_names_for(content)
end
This name is what gets extracted from the subject before being passed to the constructor, so it is not downcased.
# File lib/puppet/ssl/certificate.rb
def unmunged_name
  self.class.name_from_subject(content.subject.to_utf8)
end
Private Instance Methods
Extract the extensions sequence from the wrapped certificate's raw ASN.1 form.
# File lib/puppet/ssl/certificate.rb
def exts_seq
  # See RFC-2459 section 4.1 (https://tools.ietf.org/html/rfc2459#section-4.1)
  # to see where this is defined. Essentially this is saying "in the first
  # sequence in the certificate, find the item that's tagged with 3. This
  # is where the extensions are stored."
  @extensions_tag ||= 3

  @exts_seq ||= OpenSSL::ASN1.decode(content.to_der).value[0].value.find do |data|
    (data.tag == @extensions_tag) && (data.tag_class == :CONTEXT_SPECIFIC)
  end.value[0]
end
Get the DER-parsed value of an X.509 extension by its OID, or by its short name if one has been registered with OpenSSL.
# File lib/puppet/ssl/certificate.rb
def get_ext_val(oid)
  # Each Extension is SEQUENCE { OBJECT IDENTIFIER, [BOOLEAN critical], OCTET STRING }
  ext_obj = exts_seq.value.find do |ext_seq|
    ext_seq.value[0].value == oid
  end

  raw_val = ext_obj.value.last.value

  begin
    OpenSSL::ASN1.decode(raw_val).value
  rescue OpenSSL::ASN1::ASN1Error
    # This is required to maintain backward compatibility with the previous
    # way trusted facts were signed. See PUP-3560
    raw_val
  end
end
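An added, stand-alone illustration of what custom_extensions, exts_seq and get_ext_val above do together (example code, not Puppet's own): it builds a constructed self-signed certificate carrying two private extensions, one DER-wrapped and one in the legacy bare-bytes encoding, walks the tbsCertificate ASN.1 to the [3] extensions sequence, and applies the decode-or-fall-back rule. The numeric Puppet OID arcs and the puppet_extension? helper are assumptions standing in for Puppet::SSL::Oids.

```ruby
require 'openssl'
# Puppet Labs arcs named in Puppet::SSL::Oids; the numeric values are assumed here,
# the documentation above only names them.
PUPPET_ARCS = { 'ppRegCertExt'  => '1.3.6.1.4.1.34380.1.1',
                'ppPrivCertExt' => '1.3.6.1.4.1.34380.1.2',
                'ppAuthCertExt' => '1.3.6.1.4.1.34380.1.3' }.freeze

# Simplified stand-in for Puppet::SSL::Oids.subtree_of? on dotted-string OIDs.
def puppet_extension?(oid)
  PUPPET_ARCS.values.any? { |arc| oid.start_with?("#{arc}.") }
end

# Constructed self-signed v3 cert with two ppRegCertExt extensions: one whose
# OCTET STRING wraps a DER UTF8String (current encoding), one holding bare
# bytes (the legacy encoding the rescue in get_ext_val exists for, PUP-3560).
def build_test_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 3600
  reg = PUPPET_ARCS['ppRegCertExt']
  cert.add_extension(OpenSSL::X509::Extension.new("#{reg}.1", OpenSSL::ASN1::UTF8String.new('abcd')))
  cert.add_extension(OpenSSL::X509::Extension.new("#{reg}.2", 'legacy-raw'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# tbsCertificate is value[0]; its [3] EXPLICIT element wraps the Extensions SEQUENCE.
def extensions_seq(cert)
  tbs = OpenSSL::ASN1.decode(cert.to_der).value[0]
  tbs.value.find { |d| d.tag == 3 && d.tag_class == :CONTEXT_SPECIFIC }.value[0]
end

# Returns [{'oid' => dotted, 'value' => decoded-or-raw}] for every Puppet-arc extension.
def custom_extensions(cert)
  extensions_seq(cert).value.each_with_object([]) do |ext_seq, acc|
    oid = ext_seq.value[0].oid   # dotted form, unaffected by OpenSSL's short-name table
    next unless puppet_extension?(oid)
    raw = ext_seq.value.last.value   # contents of the OCTET STRING
    value = begin
      OpenSSL::ASN1.decode(raw).value   # DER-wrapped string
    rescue OpenSSL::ASN1::ASN1Error
      raw                               # legacy bare bytes
    end
    acc << { 'oid' => oid, 'value' => value }
  end
end
```

Note that for an unregistered OID, OpenSSL::X509::Extension#value only yields a printable dump of the octets, which is why both the original code and this example read the OCTET STRING out of the DER instead.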