Class: Puppet::SSL::CertificateRevocationList

Inherits: Base (which inherits from Object)
Extended by: Indirector
Defined in: lib/vendor/puppet/ssl/certificate_revocation_list.rb

Overview

Manage the CRL.

Defined Under Namespace

Classes: Ca, DisabledCa, File, Rest

Constant Summary

Constants included from Indirector

Indirector::BadNameRegexp

Constants inherited from Base

Base::SEPARATOR, Base::VALID_CERTNAME

Instance Attribute Summary

Attributes inherited from Base

#content, #name

Class Method Summary

Instance Method Summary

Methods included from Indirector

configure_routes, indirects

Methods inherited from Base

#ca?, #fingerprint, from_multiple_s, #read, to_multiple_s, #to_s, #to_text, validate_certname, wrapped_class, wraps

Constructor Details

#initialize(fakename) ⇒ CertificateRevocationList

The name doesn’t actually matter; there’s only one CRL. We just need the name so our Indirector stuff all works more easily.

# File 'lib/vendor/puppet/ssl/certificate_revocation_list.rb', line 48

def initialize(fakename)
  @name = "crl"
end

Class Method Details

.from_s(string) ⇒ Object

Convert a string into an instance.

# File 'lib/vendor/puppet/ssl/certificate_revocation_list.rb', line 12

def self.from_s(string)
  instance = wrapped_class.new(string)
  result = new('foo') # The name doesn't matter
  result.content = instance
  result
end

.supported_formats ⇒ Object

Because of how the format handler class is included, this can’t be in the base class.

# File 'lib/vendor/puppet/ssl/certificate_revocation_list.rb', line 21

def self.supported_formats
  [:s]
end

Instance Method Details

#generate(cert, cakey) ⇒ Object

Knows how to create a CRL with our system defaults.

# File 'lib/vendor/puppet/ssl/certificate_revocation_list.rb', line 26

def generate(cert, cakey)
  Puppet.info "Creating a new certificate revocation list"
  @content = wrapped_class.new
  @content.issuer = cert.subject
  @content.version = 1

  # Init the CRL number.
  crlNum = OpenSSL::ASN1::Integer(0)
  @content.extensions = [OpenSSL::X509::Extension.new("crlNumber", crlNum)]

  # Set last/next update
  @content.last_update = Time.now
  # Keep CRL valid for 5 years
  @content.next_update = Time.now + 5 * 365*24*60*60

  @content.sign(cakey, OpenSSL::Digest::SHA1.new)

  @content
end

#revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE) ⇒ Object

Revoke the certificate with serial number SERIAL issued by this CA, then write the CRL back to disk. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reasons.

# File 'lib/vendor/puppet/ssl/certificate_revocation_list.rb', line 55

def revoke(serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
  Puppet.notice "Revoked certificate with serial #{serial}"
  time = Time.now

  # Add our revocation to the CRL.
  revoked = OpenSSL::X509::Revoked.new
  revoked.serial = serial
  revoked.time = time
  enum = OpenSSL::ASN1::Enumerated(reason)
  ext = OpenSSL::X509::Extension.new("CRLReason", enum)
  revoked.add_extension(ext)
  @content.add_revoked(revoked)

  # Increment the crlNumber
  e = @content.extensions.find { |e| e.oid == 'crlNumber' }
  ext = @content.extensions.reject { |e| e.oid == 'crlNumber' }
  crlNum = OpenSSL::ASN1::Integer(e ? e.value.to_i + 1 : 0)
  ext << OpenSSL::X509::Extension.new("crlNumber", crlNum)
  @content.extensions = ext

  # Set last/next update
  @content.last_update = time
  # Keep CRL valid for 5 years
  @content.next_update = time + 5 * 365*24*60*60

  @content.sign(cakey, OpenSSL::Digest::SHA1.new)

  Puppet::SSL::CertificateRevocationList.indirection.save(self)
end
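The generate/revoke flow above, together with the check a relying party performs before trusting the list, as an added stand-alone example (not Puppet's own code): it builds a throwaway CA, mirrors #generate and #revoke step by step, and looks a serial up in the signed CRL. It signs with SHA-256 rather than the SHA1 the class uses; make_ca, crl_number, generate_crl, revoke_serial and revoked? are names chosen here.

```ruby
require 'openssl'
FIVE_YEARS = 5 * 365 * 24 * 60 * 60

# Throwaway CA, constructed for this example only (Puppet loads its real CA key and cert).
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Example CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + FIVE_YEARS
  [key, cert.sign(key, OpenSSL::Digest.new('SHA256'))]
end

# Read the crlNumber extension back, as #revoke does (0 if absent).
def crl_number(crl)
  e = crl.extensions.find { |x| x.oid == 'crlNumber' }
  e ? e.value.to_i : 0
end

# Same steps as #generate: empty v2 CRL, crlNumber 0, five-year validity.
def generate_crl(cacert, cakey)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = cacert.subject
  crl.version = 1 # OpenSSL numbers CRL v2 as 1
  crl.extensions = [OpenSSL::X509::Extension.new('crlNumber', OpenSSL::ASN1::Integer(0))]
  crl.next_update = (crl.last_update = Time.now) + FIVE_YEARS
  crl.sign(cakey, OpenSSL::Digest.new('SHA256'))
end

# Same steps as #revoke: add a Revoked entry carrying CRLReason, bump crlNumber, re-sign.
def revoke_serial(crl, serial, cakey, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
  revoked = OpenSSL::X509::Revoked.new
  revoked.serial = serial
  revoked.time = Time.now
  revoked.add_extension(OpenSSL::X509::Extension.new('CRLReason', OpenSSL::ASN1::Enumerated(reason)))
  crl.add_revoked(revoked)
  next_num = crl_number(crl) + 1
  crl.extensions = crl.extensions.reject { |x| x.oid == 'crlNumber' } <<
                   OpenSSL::X509::Extension.new('crlNumber', OpenSSL::ASN1::Integer(next_num))
  crl.next_update = (crl.last_update = Time.now) + FIVE_YEARS
  crl.sign(cakey, OpenSSL::Digest.new('SHA256'))
end

# Relying-party side: reject a CRL whose signature does not verify against the CA, then look up the serial.
def revoked?(crl, cacert, serial)
  raise 'CRL signature does not verify against the CA' unless crl.verify(cacert.public_key)
  crl.revoked.any? { |r| r.serial.to_i == serial }
end
```

A CRL signed by a different key is refused outright, so a stale or substituted list never answers "not revoked".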