module Puppet::SSL::Oids
This module defines OIDs for use within Puppet.
# ASN.1 Definition
The following is the formal definition of OIDs specified in this file.
```asn1
puppetCertExtensions OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
                                            dod(6) internet(1) private(4) enterprise(1) 34380 1}

-- the tree under registeredExtensions 'belongs' to puppetlabs
-- privateExtensions can be extended by enterprises to suit their own needs
registeredExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 1 }
privateExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 2 }
authorizationExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 3 }

-- subtree of common registered extensions
-- The short names for these OIDs are intentionally lowercased and formatted
-- since they may be exposed inside the Puppet DSL as variables.
pp_uuid OBJECT IDENTIFIER ::= { registeredExtensions 1 }
pp_instance_id OBJECT IDENTIFIER ::= { registeredExtensions 2 }
pp_image_name OBJECT IDENTIFIER ::= { registeredExtensions 3 }
pp_preshared_key OBJECT IDENTIFIER ::= { registeredExtensions 4 }
```
@api private
Constants
- PUPPET_OIDS
Note: When updating the following OIDs make sure to also update the OID definitions here: github.com/puppetlabs/puppetserver/blob/master/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L122-L159
Public Class Methods
Load custom OID mapping file that enables custom OIDs to be resolved into user-friendly names.
@param custom_oid_file [String] File to obtain custom OIDs mapping from
@param map_key [String] Hash key in which custom OIDs mapping is stored
@example Custom OID mapping file
```yaml
oid_mapping:
  '1.3.6.1.4.1.34380.1.2.1.1':
    shortname: 'myshortname'
    longname: 'Long name'
  '1.3.6.1.4.1.34380.1.2.1.2':
    shortname: 'myothershortname'
    longname: 'Other Long name'
```
```ruby
# File lib/puppet/ssl/oids.rb
def self.load_custom_oid_file(custom_oid_file, map_key='oid_mapping')
  # nil when the file does not exist or is not readable
  oid_defns = parse_custom_oid_file(custom_oid_file, map_key)
  unless oid_defns.nil?
    begin
      # each definition is an [oid, shortname, longname] triple
      oid_defns.each do |oid_defn|
        OpenSSL::ASN1::ObjectId.register(*oid_defn)
      end
    rescue => err
      raise ArgumentError, _("Error registering ssl custom OIDs mapping from file '%{custom_oid_file}': %{err}") % { custom_oid_file: custom_oid_file, err: err }, err.backtrace
    end
  end
end
```
Parse custom OID mapping file that enables custom OIDs to be resolved into user-friendly names.
@param custom_oid_file [String] File to obtain custom OIDs mapping from
@param map_key [String] Hash key in which custom OIDs mapping is stored
@example Custom OID mapping file
```yaml
oid_mapping:
  '1.3.6.1.4.1.34380.1.2.1.1':
    shortname: 'myshortname'
    longname: 'Long name'
  '1.3.6.1.4.1.34380.1.2.1.2':
    shortname: 'myothershortname'
    longname: 'Other Long name'
```
```ruby
# File lib/puppet/ssl/oids.rb
def self.parse_custom_oid_file(custom_oid_file, map_key='oid_mapping')
  if File.exist?(custom_oid_file) && File.readable?(custom_oid_file)
    mapping = nil
    begin
      # safe YAML load; only Symbol is permitted beyond the basic types
      mapping = Puppet::Util::Yaml.safe_load_file(custom_oid_file, [Symbol])
    rescue => err
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': %{err}") % { custom_oid_file: custom_oid_file, err: err }, err.backtrace
    end

    unless mapping.has_key?(map_key)
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': no such index '%{map_key}'") % { custom_oid_file: custom_oid_file, map_key: map_key }
    end

    unless mapping[map_key].is_a?(Hash)
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': data under index '%{map_key}' must be a Hash") % { custom_oid_file: custom_oid_file, map_key: map_key }
    end

    # build [oid, shortname, longname] triples; both names are required
    oid_defns = []
    mapping[map_key].keys.each do |oid|
      shortname, longname = mapping[map_key][oid].values_at("shortname","longname")
      if shortname.nil? || longname.nil?
        raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': incomplete definition of oid '%{oid}'") % { custom_oid_file: custom_oid_file, oid: oid }
      end
      oid_defns << [oid, shortname, longname]
    end

    oid_defns
  end
end
```
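As an added example (not Puppet's own code), the following reproduces the validation performed by parse_custom_oid_file and the registration done by load_custom_oid_file on a constructed in-memory mapping, using plain YAML.safe_load in place of Puppet::Util::Yaml; the names parse_oid_mapping, register_oid_mapping and resolve_oid are assumptions. Registration is made idempotent, and afterwards a dotted custom OID resolves to its short and long names while the short name resolves back to the dotted form.

```ruby
require 'openssl'
require 'yaml'

# Constructed sample in the mapping-file format documented above.
CUSTOM_OID_YAML = <<~YAML
  oid_mapping:
    '1.3.6.1.4.1.34380.1.2.1.1':
      shortname: 'myshortname'
      longname: 'Long name'
    '1.3.6.1.4.1.34380.1.2.1.2':
      shortname: 'myothershortname'
      longname: 'Other Long name'
YAML

# Applies the same validation rules as parse_custom_oid_file to an in-memory
# YAML string (YAML.safe_load stands in for Puppet::Util::Yaml).
# Returns an array of [oid, shortname, longname] triples.
def parse_oid_mapping(yaml_text, map_key = 'oid_mapping')
  mapping = YAML.safe_load(yaml_text)
  raise ArgumentError, "no such index '#{map_key}'" unless mapping.is_a?(Hash) && mapping.key?(map_key)
  raise ArgumentError, "data under index '#{map_key}' must be a Hash" unless mapping[map_key].is_a?(Hash)

  mapping[map_key].map do |oid, defn|
    defn = {} unless defn.is_a?(Hash)
    shortname, longname = defn.values_at('shortname', 'longname')
    raise ArgumentError, "incomplete definition of oid '#{oid}'" if shortname.nil? || longname.nil?
    # Raises OpenSSL::ASN1::ASN1Error if the key is not a parseable dotted OID.
    OpenSSL::ASN1::ObjectId.new(oid).oid
    [oid, shortname, longname]
  end
end

# Registers each triple with OpenSSL, skipping OIDs that already resolve to a
# short name, since OpenSSL rejects duplicate registrations. Returns the count added.
def register_oid_mapping(oid_defns)
  oid_defns.count do |oid, shortname, longname|
    next false if OpenSSL::ASN1::ObjectId.new(oid).sn
    OpenSSL::ASN1::ObjectId.register(oid, shortname, longname)
    true
  end
end

# Resolves a dotted OID or a registered name to [dotted, shortname, longname].
def resolve_oid(text)
  obj = OpenSSL::ASN1::ObjectId.new(text)
  [obj.oid, obj.sn, obj.ln]
end

register_oid_mapping(parse_oid_mapping(CUSTOM_OID_YAML))
```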
Register our custom Puppet OIDs with OpenSSL so they can be used as CSR extensions. Without registering these OIDs, OpenSSL will fail when it encounters such an extension in a CSR.
```ruby
# File lib/puppet/ssl/oids.rb
def self.register_puppet_oids()
  # guard against double registration, which OpenSSL rejects
  if !@did_register_puppet_oids
    PUPPET_OIDS.each do |oid_defn|
      OpenSSL::ASN1::ObjectId.register(*oid_defn)
    end

    @did_register_puppet_oids = true
  end
end
```
Determine if the first OID contains the second OID.
@param first [String] The containing OID, in dotted form or as the short name
@param second [String] The contained OID, in dotted form or as the short name
@param exclusive [true, false] If an OID should not be considered as a subtree of itself
@example Comparing two dotted OIDs
```ruby
Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6.1.4.1') #=> true
Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6') #=> false
```
@example Comparing an OID short name with a dotted OID
```ruby
Puppet::SSL::Oids.subtree_of?('IANA', '1.3.6.1.4.1') #=> true
Puppet::SSL::Oids.subtree_of?('1.3.6.1', 'enterprises') #=> true
```
@example Comparing an OID against itself
```ruby
Puppet::SSL::Oids.subtree_of?('IANA', 'IANA') #=> true
Puppet::SSL::Oids.subtree_of?('IANA', 'IANA', true) #=> false
```
@return [true, false]
```ruby
# File lib/puppet/ssl/oids.rb
def self.subtree_of?(first, second, exclusive = false)
  # normalise both inputs to dotted form; short names are resolved by OpenSSL
  first_oid = OpenSSL::ASN1::ObjectId.new(first).oid
  second_oid = OpenSSL::ASN1::ObjectId.new(second).oid

  if exclusive and first_oid == second_oid
    false
  else
    # string-prefix test on the dotted forms (characters, not arcs)
    second_oid.index(first_oid) == 0
  end
rescue OpenSSL::ASN1::ASN1Error, TypeError
  # unparseable or non-string input is treated as "not a subtree"
  false
end
```
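An added example, not from the Puppet source, of a subtree test that compares OIDs arc by arc instead of as a string prefix, so '1.3.6.1' is not reported as containing '1.3.6.10'; it also classifies an extension OID into the registered, private or authorization subtree from the ASN.1 definition above. The names oid_arcs, oid_subtree_of?, PUPPET_SUBTREES and puppet_subtree are assumptions.

```ruby
require 'openssl'

# Resolves a dotted OID or an OpenSSL-known short name to its list of
# integer arcs; returns nil when OpenSSL cannot parse the input.
def oid_arcs(text)
  OpenSSL::ASN1::ObjectId.new(text).oid.split('.').map(&:to_i)
rescue OpenSSL::ASN1::ASN1Error, TypeError
  nil
end

# Arc-by-arc subtree test: every arc of +first+ must equal the corresponding
# arc of +second+, so '1.3.6.1' contains '1.3.6.1.4.1' but not '1.3.6.10'.
# +exclusive+ mirrors subtree_of?: an OID is then not a subtree of itself.
def oid_subtree_of?(first, second, exclusive = false)
  a = oid_arcs(first)
  b = oid_arcs(second)
  return false if a.nil? || b.nil?
  return false if exclusive && a == b
  a.length <= b.length && b.first(a.length) == a
end

# Roots of the three subtrees under puppetCertExtensions (1.3.6.1.4.1.34380.1)
# from the ASN.1 definition at the top of this page.
PUPPET_SUBTREES = {
  registered:    '1.3.6.1.4.1.34380.1.1',
  private:       '1.3.6.1.4.1.34380.1.2',
  authorization: '1.3.6.1.4.1.34380.1.3',
}.freeze

# Classifies an extension OID into the Puppet subtree it falls under, or nil
# when it lies outside all three (e.g. an unrelated vendor OID).
def puppet_subtree(oid)
  found = PUPPET_SUBTREES.find { |_, root| oid_subtree_of?(root, oid) }
  found && found.first
end
```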