From ba661c14b433292668b444a7fa4f949abbf8b947 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Wed, 3 May 2023 14:55:40 +0200
Subject: [PATCH 01/13] manage certificate::x509 conf file with proper type and remove now unused cert.cnf.erb template
---
 manifests/certificate/x509.pp | 28 ++++++++++++---
 templates/cert.cnf.erb | 46 -----------------------------------
 2 files changed, 16 insertions(+), 58 deletions(-)
 delete mode 100644 templates/cert.cnf.erb
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index 44b5d276..5aa4ee0c 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -146,7 +146,6 @@
 String $key_mode = '0600',
 Optional[String] $password = undef,
 Boolean $force = true,
- String $cnf_tpl = 'openssl/cert.cnf.erb',
 Boolean $encrypted = true,
 Optional[Stdlib::Absolutepath] $ca = undef,
 Optional[Stdlib::Absolutepath] $cakey = undef,
@@ -168,11 +167,19 @@
 $req_ext = false
 }
- file { $_cnf:
- ensure => $ensure,
- owner => $owner,
- group => $group,
- content => template($cnf_tpl),
+ openssl::config { $_cnf:
+ ensure => $ensure,
+ owner => $owner,
+ group => $group,
+ commonname => $commonname,
+ country => $country,
+ state => $state,
+ locality => $locality,
+ organization => $organization,
+ unit => $unit,
+ email => $email,
+ extendedkeyusages => $extkeyusage,
+ subjectaltnames => $altnames,
 }
 ssl_pkey { $_key:
@@ -189,10 +196,7 @@
 password => $password,
 req_ext => $req_ext,
 force => $force,
- require => File[$_cnf],
- ca => $ca,
- cakey => $cakey,
- csr => $csr,
+ require => Openssl::Config[$_cnf],
 }
 x509_request { $_csr:
@@ -202,8 +206,8 @@
 password => $password,
 force => $force,
 encrypted => $encrypted,
- require => File[$_cnf],
- subscribe => File[$_cnf],
+ require => Openssl::Config[$_cnf],
+ subscribe => Openssl::Config[$_cnf],
 notify => X509_cert[$_crt],
 }
diff --git a/templates/cert.cnf.erb b/templates/cert.cnf.erb
deleted file mode 100644
index 5f1fed13..00000000
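Review bot: The third hunk removes `ca`, `cakey` and `csr` from `x509_cert` together with the `require`, so a certificate configured with a signing CA is, at this commit, created without any CA argument and presumably falls into the provider's non-CA (self-signed) branch; patch 03/13 restores the three parameters, but the series does not bisect cleanly here and the commit message does not mention the loss. The first hunk deletes the `cnf_tpl` parameter outright, so any caller still passing it fails catalog compilation — keeping `Optional[String] $cnf_tpl = undef` for one release and calling `deprecation('openssl::certificate::x509 cnf_tpl', 'cnf_tpl is ignored; the cnf file is now generated by openssl::config')` when it is set would give users a migration window. The second hunk hands `$altnames`/`$extkeyusage` to `openssl::config` while `$req_ext` is still derived locally (above the hunk), so the define and `openssl::config` must agree on when an extensions section exists; a one-line comment at the `$req_ext` derivation saying so would help the next maintainer.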
--- a/templates/cert.cnf.erb
+++ /dev/null
@@ -1,46 +0,0 @@
-# file managed by puppet
-#
-# SSLeay example configuration file.
-#
-
-# This definition stops the following lines choking if HOME isn't
-# defined.
-HOME = .
-RANDFILE = $ENV::HOME/.rnd
-
-[ req ]
-default_bits = 2048
-default_md = sha256
-default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-prompt = no
-<% if @req_ext == true -%>
-req_extensions = req_ext
-<% end -%>
-
-[ req_distinguished_name ]
-countryName = <%= @country %>
-<% unless @state.nil? -%>
-stateOrProvinceName = <%= @state %>
-<% end -%>
-<% unless @locality.nil? -%>
-localityName = <%= @locality %>
-<% end -%>
-organizationName = <%= @organization %>
-<% unless @unit.nil? -%>
-organizationalUnitName = <%= @unit %>
-<% end -%>
-commonName = <%= @commonname %>
-<% unless @email.nil? -%>
-emailAddress = <%= @email %>
-<% end -%>
-
-<% if @req_ext == true -%>
-[ req_ext ]
-<% unless @altnames.empty? -%>
-subjectAltName = "<%= @altnames.collect! {|i| "DNS: #{i}" }.join(', ') -%>"
-<% end -%>
-<% unless @extkeyusage.empty? -%>
-extendedKeyUsage = "<%= @extkeyusage.collect! {|x| "#{x}" }.join(', ') -%>"
-<% end -%>
-<% end -%>
From 44373d0f5389b852b508b08f6c4aa9dbc70073a6 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Wed, 3 May 2023 15:56:58 +0200
Subject: [PATCH 02/13] fix altname and extkeyusage handling in certificate::x509
---
 manifests/certificate/x509.pp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index 5aa4ee0c..bd10a1cc 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -125,8 +125,8 @@
 Optional[String] $state = undef,
 Optional[String] $locality = undef,
 Optional[String] $unit = undef,
- Array $altnames = [],
- Array $extkeyusage = [],
+ Optional[Array] $altnames = undef,
+ Optional[Array] $extkeyusage = undef,
 Optional[String] $email = undef,
 Integer $days = 365,
 Stdlib::Absolutepath $base_dir = '/etc/ssl/certs',
@@ -161,7 +161,7 @@
 $_csr = pick($csr, "${_csr_dir}/${name}.csr")
 $_key = pick($key, "${_key_dir}/${name}.key")
- if !empty($altnames+$extkeyusage) {
+ if ($altnames or $extkeyusage) {
 $req_ext = true
 } else {
 $req_ext = false
From c5f7de1e19ade8b095233c35780f6d6898048582 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Sun, 21 May 2023 22:10:36 +0200
Subject: [PATCH 03/13] ordering added and template path parameter removed
---
 REFERENCE.md | 17 ++++------------
 manifests/certificate/x509.pp | 34 ++++++++++++--------------------
 2 files changed, 18 insertions(+), 33 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 8dcb94a6..0d95f9ef 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -358,7 +358,6 @@ The following parameters are available in the `openssl::certificate::x509` defin
 * [`key_mode`](#-openssl--certificate--x509--key_mode)
 * [`password`](#-openssl--certificate--x509--password)
 * [`force`](#-openssl--certificate--x509--force)
-* [`cnf_tpl`](#-openssl--certificate--x509--cnf_tpl)
 * [`cnf_dir`](#-openssl--certificate--x509--cnf_dir)
 * [`crt_dir`](#-openssl--certificate--x509--crt_dir)
 * [`csr_dir`](#-openssl--certificate--x509--csr_dir)
@@ -409,16 +408,16 @@ certificate CommonName
 ##### `altnames`
-Data type: `Array`
+Data type: `Optional[Array]`
 certificate subjectAltName.
 Can be an array or a single string.
-Default value: `[]`
+Default value: `undef`
 ##### `extkeyusage`
-Data type: `Array`
+Data type: `Optional[Array]`
 certificate extended key usage
 Value | Meaning
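Review bot: `if ($altnames or $extkeyusage)` in the second hunk treats an explicitly passed empty array as true — in the Puppet language only `undef` and `false` are falsy — so `altnames => []` now sets `$req_ext = true` even though there is no extension content to write. Patches 11/13 and 13/13 revert to `Array`/`[]` defaults and the `!empty(...)` test, which resolves this; should the `Optional[Array]` form ever return, `if !empty($altnames) or !empty($extkeyusage)` handles both `undef` and `[]`. The element type is also unconstrained in the first hunk (`Optional[Array]` rather than `Optional[Array[String[1]]]`), although these values end up in the generated OpenSSL config.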
@@ -435,7 +434,7 @@ msCodeCom | Microsoft Commercial Code Signing (authenticode)
 msCTLSign | Microsoft Trust List Signing
 msEFS | Microsoft Encrypted File System
-Default value: `[]`
+Default value: `undef`
 ##### `organization`
@@ -542,14 +541,6 @@ if private key changes
 Default value: `true`
-##### `cnf_tpl`
-
-Data type: `String`
-
-Specify an other template to generate ".cnf" file.
-
-Default value: `'openssl/cert.cnf.erb'`
-
 ##### `cnf_dir`
 Data type: `Optional[Stdlib::Absolutepath]`
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index bd10a1cc..882d58c1 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -58,8 +58,6 @@
 # @param force
 # whether to override certificate and request
 # if private key changes
-# @param cnf_tpl
-# Specify an other template to generate ".cnf" file.
 # @param cnf_dir
 # where cnf should be placed.
 # Directory must exist, defaults to $base_dir.
@@ -167,7 +165,12 @@
 $req_ext = false
 }
- openssl::config { $_cnf:
+ ssl_pkey { $_key:
+ ensure => $ensure,
+ password => $password,
+ size => $key_size,
+ }
+ ~> openssl::config { $_cnf:
 ensure => $ensure,
 owner => $owner,
 group => $group,
@@ -181,34 +184,25 @@
 extendedkeyusages => $extkeyusage,
 subjectaltnames => $altnames,
 }
-
- ssl_pkey { $_key:
- ensure => $ensure,
- password => $password,
- size => $key_size,
- }
-
- x509_cert { $_crt:
+ ~> x509_request { $_csr:
 ensure => $ensure,
 template => $_cnf,
 private_key => $_key,
- days => $days,
 password => $password,
- req_ext => $req_ext,
 force => $force,
- require => Openssl::Config[$_cnf],
+ encrypted => $encrypted,
 }
-
- x509_request { $_csr:
+ ~> x509_cert { $_crt:
 ensure => $ensure,
 template => $_cnf,
 private_key => $_key,
+ days => $days,
 password => $password,
+ req_ext => $req_ext,
 force => $force,
- encrypted => $encrypted,
- require => Openssl::Config[$_cnf],
- subscribe => Openssl::Config[$_cnf],
- notify => X509_cert[$_crt],
+ ca => $ca,
+ cakey => $cakey,
+ csr => $csr,
 }
 # Set owner of all files
From 5c2cd01e2809f4fbf18d62d753ed4d3de9b5abe2 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Sun, 21 May 2023 23:48:44 +0200
Subject: [PATCH 04/13] allow integers as group and owner
---
 manifests/config.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/config.pp b/manifests/config.pp
index 7ee64d48..ba70064c 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -51,8 +51,8 @@
 String[1] $country,
 String[1] $organization,
 Enum['absent','present'] $ensure = 'present',
- String[1] $owner = 'root',
- String[1] $group = 'root',
+ Variant[String[1],Integer] $owner = 'root',
+ Variant[String[1],Integer] $group = 'root',
 String[1] $mode = '0640',
 Optional[String[1]] $state = undef,
 Optional[String[1]] $locality = undef,
From 058582fee222380aca1f036db9e3971b2e408f60 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Sun, 21 May 2023 23:49:41 +0200
Subject: [PATCH 05/13] use v3_req for ext key usage
---
 lib/puppet/provider/x509_cert/openssl.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
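Review bot: `csr => $csr` on the rebuilt `x509_cert` passes the raw parameter, which is `undef` unless the caller set it, while the request produced by the chained `x509_request` lives at `$_csr` (`pick($csr, "${_csr_dir}/${name}.csr")`); for the default case the certificate resource therefore keeps `private_key => $_key` and names no CSR at all. Patch 06/13 changes this to `csr => $_csr`, but at this commit the two resources disagree about which file holds the request. The `~>` chain replacing the explicit `require`/`subscribe`/`notify` reads well; its one surprise is `ssl_pkey ~> openssl::config` in the hunk before this one, which routes key-change refreshes through a config file that does not consume the key — a comment such as `# key -> cnf -> csr -> crt: a regenerated key must cascade to the request and certificate` would record the intent.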
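Review bot: `Variant[String[1],Integer]` admits negative values for `owner` and `group`, which the underlying `file` resource only rejects at apply time; `Variant[String[1],Integer[0]]` expresses "a name or a uid/gid" and fails at catalog compilation instead. The `@param` docs for `owner`/`group` (outside the hunk) should also say that numeric ids are accepted. The parameter list of openssl::config begins and ends outside the hunk.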
diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
index f1c40f16..affb2c24 100644
--- a/lib/puppet/provider/x509_cert/openssl.rb
+++ b/lib/puppet/provider/x509_cert/openssl.rb
@@ -73,7 +73,8 @@ def create
 '-req',
 '-days', resource[:days],
 '-in', resource[:csr],
- '-out', resource[:path]
+ '-out', resource[:path],
+ '-extfile', resource[:template]
 ]
 if resource[:ca]
 options << ['-CAcreateserial']
@@ -91,7 +92,7 @@ def create
 ]
 end
 options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
- options << ['-extensions', 'req_ext'] if resource[:req_ext] != :false
+ options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
 openssl options
 end
From a8a98cfa494e1945f798a3d34445826686e26575 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Sun, 21 May 2023 23:50:05 +0200
Subject: [PATCH 06/13] removed duplicate parameter
---
 manifests/certificate/x509.pp | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index 882d58c1..feeb6455 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -193,16 +193,15 @@
 encrypted => $encrypted,
 }
 ~> x509_cert { $_crt:
- ensure => $ensure,
- template => $_cnf,
- private_key => $_key,
- days => $days,
- password => $password,
- req_ext => $req_ext,
- force => $force,
- ca => $ca,
- cakey => $cakey,
- csr => $csr,
+ ensure => $ensure,
+ template => $_cnf,
+ csr => $_csr,
+ days => $days,
+ password => $password,
+ req_ext => $req_ext,
+ force => $force,
+ ca => $ca,
+ cakey => $cakey,
 }
 # Set owner of all files
From 8184bda5b8ba545c55c74a95a581913adadecc25 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Sun, 21 May 2023 23:52:56 +0200
Subject: [PATCH 07/13] reference regenerated
---
 REFERENCE.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 0d95f9ef..7c7baa3c 100644
--- a/REFERENCE.md
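Review bot: `'-extfile', resource[:template]` is appended unconditionally in the `-req` branch, whereas the other optional arguments in `create` are guarded (`if resource[:ca]`, `if resource[:password]`); if `template` can be unset on an `x509_cert` resource, the command line is built with a bare `-extfile` followed by nil. `options << ['-extfile', resource[:template]] if resource[:template]` keeps the method's shape, and since `-extensions v3_req` in the second hunk only has meaning when an extension file (or, presumably, `-config` in the key-based branch outside the hunk) is present, the two options should be gated by the same condition. Not introduced here but visible in the context line: `-passin pass:...` exposes the key password in the process arguments, which are readable through the process table; `-passin env:VAR` or `file:` pointing at a mode-0600 file avoids that. `create` begins and ends outside the hunks.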
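Review bot: Swapping `private_key => $_key` for `csr => $_csr` on `x509_cert` is more than removing a duplicate: with `csr` now always set, the provider's `create` path visible in patch 05/13 takes the `x509 -req -in <csr>` branch for every certificate, including the self-signed case where `ca` is undef. The hunk no longer hands the provider a key, so unless the `-req` branch obtains a signing key elsewhere (its else-branch is outside the visible hunks) self-signed certificates can no longer be produced — a provider spec with `csr` set and `ca` unset would settle this. The commit message should state that the certificate is now always built from the request, as patch 08/13's title does.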
+++ b/REFERENCE.md
@@ -710,7 +710,7 @@ value for organization
 ##### `owner`
-Data type: `String[1]`
+Data type: `Variant[String[1],Integer]`
 owner for the configuration file
@@ -718,7 +718,7 @@ Default value: `'root'`
 ##### `group`
-Data type: `String[1]`
+Data type: `Variant[String[1],Integer]`
 group for the configuration file
From 7f5feeb45918d94876c63d65937629a55dc445e0 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Mon, 22 May 2023 00:17:38 +0200
Subject: [PATCH 08/13] fix unit tests as certificate is now built from a csr and not a private key
---
 spec/defines/openssl_certificate_x509_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/spec/defines/openssl_certificate_x509_spec.rb b/spec/defines/openssl_certificate_x509_spec.rb
index bec4434d..7c0dd8d0 100644
--- a/spec/defines/openssl_certificate_x509_spec.rb
+++ b/spec/defines/openssl_certificate_x509_spec.rb
@@ -407,7 +407,7 @@
 is_expected.to contain_x509_cert('/etc/ssl/certs/foo.crt').with(
 ensure: 'present',
 template: '/etc/ssl/certs/foo.cnf',
- private_key: '/etc/ssl/certs/foo.key',
+ csr: '/etc/ssl/certs/foo.csr',
 days: 365,
 password: nil,
 force: true
@@ -504,7 +504,7 @@
 is_expected.to contain_x509_cert('/tmp/foobar/foo.crt').with(
 ensure: 'present',
 template: '/tmp/foobar/foo.cnf',
- private_key: '/tmp/foobar/foo.key',
+ csr: '/tmp/foobar/foo.csr',
 days: 4567,
 password: '5r$}^',
 force: false
From 299bc2615637735df36cf3f1afbb192918044b5e Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Mon, 22 May 2023 01:22:36 +0200
Subject: [PATCH 09/13] fix tests to accomodate provider and template changes
---
 spec/defines/openssl_certificate_x509_spec.rb | 10 ++++++++--
 spec/unit/puppet/provider/x509_cert/openssl_spec.rb | 7 ++++---
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/spec/defines/openssl_certificate_x509_spec.rb b/spec/defines/openssl_certificate_x509_spec.rb
index 7c0dd8d0..5947988e 100644
--- a/spec/defines/openssl_certificate_x509_spec.rb
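Review bot: The updated expectations only swap `private_key` for `csr`, so the spec still never asserts that `ca` and `cakey` reach `x509_cert` when they are set; patch 01/13 in this series dropped both from the resource without any example failing, and 03/13 put them back. An example in the parameterised context (its `let(:params)` is outside the hunk) along the lines of `is_expected.to contain_x509_cert('/tmp/foobar/foo.crt').with(ca: '/tmp/foobar/ca.crt', cakey: '/tmp/foobar/ca.key')` (paths constructed for illustration) would pin that path. The enclosing `describe`/`it` blocks begin and end outside both hunks.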
+++ b/spec/defines/openssl_certificate_x509_spec.rb
@@ -486,9 +486,15 @@
 ).with_content(
 %r{emailAddress\s+=\s+contact@foo\.com}
 ).with_content(
- %r{subjectAltName\s+=\s+"DNS: a\.com, DNS: b\.com, DNS: c\.com"}
+ %r{extendedKeyUsage\s+=\s+serverAuth,\s+clientAuth}
 ).with_content(
- %r{extendedKeyUsage\s+=\s+"serverAuth, clientAuth"}
+ %r{subjectAltName\s+=\s+@alt_names}
+ ).with_content(
+ %r{DNS\.0\s+=\s+a\.com}
+ ).with_content(
+ %r{DNS\.1\s+=\s+b\.com}
+ ).with_content(
+ %r{DNS\.2\s+=\s+c\.com}
 )
 }
diff --git a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
index 7cc759c7..2ce29fb9 100644
--- a/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
+++ b/spec/unit/puppet/provider/x509_cert/openssl_spec.rb
@@ -34,7 +34,7 @@
 '-days', 3650,
 '-key', '/tmp/foo.key',
 '-out', '/tmp/foo.crt',
- ['-extensions', 'req_ext']
+ ['-extensions', 'v3_req']
 ])
 resource.provider.create
 end
@@ -51,7 +51,7 @@
 '-key', '/tmp/foo.key',
 '-out', '/tmp/foo.crt',
 ['-passin', 'pass:2x6${'],
- ['-extensions', 'req_ext']
+ ['-extensions', 'v3_req']
 ])
 resource.provider.create
 end
@@ -69,10 +69,11 @@
 '-days', 3650,
 '-in', '/tmp/foo.csr',
 '-out', '/tmp/foo.crt',
+ '-extfile', '/tmp/foo.cnf',
 ['-CAcreateserial'],
 ['-CA', '/tmp/foo-ca.crt'],
 ['-CAkey', '/tmp/foo-ca.key'],
- ['-extensions', 'req_ext']
+ ['-extensions', 'v3_req']
 ])
 resource.provider.create
 end
From ce71434137fd21d22c9eae2cf22b37fd5e217fb1 Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Mon, 22 May 2023 10:50:17 +0200
Subject: [PATCH 10/13] rubocop whitespace fix
---
 spec/defines/openssl_certificate_x509_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/defines/openssl_certificate_x509_spec.rb b/spec/defines/openssl_certificate_x509_spec.rb
index 5947988e..48119b22 100644
--- a/spec/defines/openssl_certificate_x509_spec.rb
+++ b/spec/defines/openssl_certificate_x509_spec.rb
@@ -492,7 +492,7 @@
 ).with_content(
 %r{DNS\.0\s+=\s+a\.com}
 ).with_content(
- %r{DNS\.1\s+=\s+b\.com}
+ %r{DNS\.1\s+=\s+b\.com}
 ).with_content(
 %r{DNS\.2\s+=\s+c\.com}
 )
From 4611317896855fb745892b30b20d90047b7c8a6a Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Mon, 22 May 2023 23:22:16 +0200
Subject: [PATCH 11/13] revert array handling to recommended defaults
---
 manifests/certificate/x509.pp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index feeb6455..d637951f 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -123,8 +123,8 @@
 Optional[String] $state = undef,
 Optional[String] $locality = undef,
 Optional[String] $unit = undef,
- Optional[Array] $altnames = undef,
- Optional[Array] $extkeyusage = undef,
+ Array $altnames = [],
+ Array $extkeyusage = [],
 Optional[String] $email = undef,
 Integer $days = 365,
 Stdlib::Absolutepath $base_dir = '/etc/ssl/certs',
From 04df8896c2ebe48b0fe721f7f407b46cb4da88ef Mon Sep 17 00:00:00 2001
From: markuszilch
Date: Mon, 22 May 2023 23:23:32 +0200
Subject: [PATCH 12/13] update REFERENCE
---
 REFERENCE.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 7c7baa3c..4cbbdf3d 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -408,16 +408,16 @@ certificate CommonName
 ##### `altnames`
-Data type: `Optional[Array]`
+Data type: `Array`
 certificate subjectAltName.
 Can be an array or a single string.
-Default value: `undef`
+Default value: `[]`
 ##### `extkeyusage`
-Data type: `Optional[Array]`
+Data type: `Array`
 certificate extended key usage
 Value | Meaning
@@ -434,7 +434,7 @@ msCodeCom | Microsoft Commercial Code Signing (authenticode)
 msCTLSign | Microsoft Trust List Signing
 msEFS | Microsoft Encrypted File System
-Default value: `undef`
+Default value: `[]`
 ##### `organization`
From 7c55199e9c4774b3b55592dbf514fea59c2b3a68 Mon Sep 17 00:00:00 2001
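Review bot: `Array $altnames = []` and `Array $extkeyusage = []` constrain only the container although every element is rendered into the OpenSSL config by `openssl::config`; `Array[String[1]]` for both rejects nested arrays, numbers and empty entries at catalog compilation instead of yielding a malformed `subjectAltName`/`extendedKeyUsage` line. The REFERENCE text for `altnames` ("Can be an array or a single string", regenerated in patch 12/13) also disagrees with the `Array` type — either accept `Variant[String[1], Array[String[1]]]` and normalise with `flatten([$altnames])`, or drop the "single string" wording from the `@param` doc. The parameter list continues outside the hunk.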
From: markuszilch
Date: Mon, 22 May 2023 23:34:31 +0200
Subject: [PATCH 13/13] revert req_ext check to go with default array value
---
 manifests/certificate/x509.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifests/certificate/x509.pp b/manifests/certificate/x509.pp
index d637951f..566b6ae2 100644
--- a/manifests/certificate/x509.pp
+++ b/manifests/certificate/x509.pp
@@ -159,7 +159,7 @@
 $_csr = pick($csr, "${_csr_dir}/${name}.csr")
 $_key = pick($key, "${_key_dir}/${name}.key")
- if ($altnames or $extkeyusage) {
+ if !empty($altnames+$extkeyusage) {
 $req_ext = true
 } else {
 $req_ext = false
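Review bot: The restored `if !empty($altnames+$extkeyusage) { $req_ext = true } else { $req_ext = false }` is a boolean spelled out as a branch; `$req_ext = (!empty($altnames) or !empty($extkeyusage))` says the same in one line and does not depend on `+` concatenating two arrays. Because `$req_ext` drives `-extensions v3_req` in the provider while `openssl::config` presumably decides on its own whether to emit a `[v3_req]` section, a comment such as `# must match the condition under which openssl::config writes [v3_req]` would warn the next maintainer that the two conditions have to stay in step. The define's body continues outside the hunk.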