class Puppet::SSL::Certificate

Manage certificates themselves. This class has no 'generate' method because the CA is responsible for turning CSRs into certificates; we can only retrieve them from the CA (or not, as is often the case).

@deprecated Use {Puppet::SSL::SSLProvider} instead.

Public Class Methods

subject_alt_names_for(cert)

Returns the entries of the certificate's subjectAltName extension as an array of strings ("DNS:host", "IP:1.2.3.4", ...), or an empty array when the extension is absent. The split relies on OpenSSL's textual rendering of the extension, which separates entries with ", ".

   # File lib/puppet/ssl/certificate.rb
   def self.subject_alt_names_for(cert)
     alts = cert.extensions.find{|ext| ext.oid == "subjectAltName"}
     return [] unless alts
     # OpenSSL renders the SAN as "DNS:a, DNS:b, ..."; split on the commas.
     alts.value.split(/\s*,\s*/)
   end
supported_formats()

Because of how the format handler class is included, this can't be in the base class.

   # File lib/puppet/ssl/certificate.rb
   def self.supported_formats
     [:s]
   end

Public Instance Methods

custom_extensions()

Any extensions registered with custom OIDs as defined in module Puppet::SSL::Oids may be looked up here. Only extensions under the ppRegCertExt, ppPrivCertExt and ppAuthCertExt subtrees are returned; all other extensions are ignored.

A cert with a 'pp_uuid' extension having the value 'abcd' would return:

{ 'oid' => 'pp_uuid', 'value' => 'abcd'}

The short name 'pp_uuid' appears because Puppet::SSL::Oids registers it with OpenSSL; for an OID that has not been registered, 'oid' is the dotted numeric form.

@return [Array<Hash{String => String}>] An array of two element hashes, with key/value pairs for the extension's oid, and its value.

   # File lib/puppet/ssl/certificate.rb
   def custom_extensions
     # Keep only extensions whose OID falls under one of Puppet's registered arcs.
     custom_exts = content.extensions.select do |ext|
       Puppet::SSL::Oids.subtree_of?('ppRegCertExt', ext.oid) or
         Puppet::SSL::Oids.subtree_of?('ppPrivCertExt', ext.oid) or
         Puppet::SSL::Oids.subtree_of?('ppAuthCertExt', ext.oid)
     end

     # Values are read from the raw DER rather than ext.value, which would be
     # OpenSSL's textual rendering of an extension it does not understand.
     custom_exts.map do |ext|
       {'oid' => ext.oid, 'value' => get_ext_val(ext.oid)}
     end
   end
expiration()

Returns the certificate's notAfter time, or nil when no certificate content has been loaded.

   # File lib/puppet/ssl/certificate.rb
   def expiration
     return nil unless content
     content.not_after
   end
subject_alt_names()
   # File lib/puppet/ssl/certificate.rb
   def subject_alt_names
     self.class.subject_alt_names_for(content)
   end
unmunged_name()

This name is what gets extracted from the subject before being passed to the constructor, so it is not downcased.

   # File lib/puppet/ssl/certificate.rb
   def unmunged_name
     self.class.name_from_subject(content.subject.to_utf8)
   end

Private Instance Methods

exts_seq()

Extract the extensions sequence from the wrapped certificate's raw ASN.1 form.

   # File lib/puppet/ssl/certificate.rb
   def exts_seq
     # See RFC-2459 section 4.1 (https://tools.ietf.org/html/rfc2459#section-4.1),
     # obsoleted by RFC 5280 section 4.1 with the same structure, to see where
     # this is defined. Essentially this is saying "in the first sequence in the
     # certificate (the TBSCertificate), find the item that's tagged with [3].
     # This is where the extensions are stored."
     @extensions_tag ||= 3

     # The [3] element is an EXPLICIT tag wrapping the Extensions SEQUENCE, hence
     # the trailing .value[0]. A v1/v2 certificate has no such element, in which
     # case find returns nil and this raises NoMethodError.
     @exts_seq ||= OpenSSL::ASN1.decode(content.to_der).value[0].value.find do |data|
       (data.tag == @extensions_tag) && (data.tag_class == :CONTEXT_SPECIFIC)
     end.value[0]
   end
get_ext_val(oid)

Get the DER parsed value of an X.509 extension by its OID, or short name if one has been registered with OpenSSL. The caller is expected to pass an OID that is present in the certificate (custom_extensions only passes OIDs it has just found); an absent OID is not handled and raises NoMethodError on ext_obj.

   # File lib/puppet/ssl/certificate.rb
   def get_ext_val(oid)
     # Each Extension is SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
     # extnValue OCTET STRING }; match on the OID in position 0.
     ext_obj = exts_seq.value.find do |ext_seq|
       ext_seq.value[0].value == oid
     end

     # The OCTET STRING is always last, whether or not 'critical' is encoded.
     raw_val = ext_obj.value.last.value

     begin
       # Current encoding: the OCTET STRING body is itself DER (e.g. a UTF8String).
       OpenSSL::ASN1.decode(raw_val).value
     rescue OpenSSL::ASN1::ASN1Error
       # This is required to maintain backward compatibility with the previous
       # way trusted facts were signed. See PUP-3560
       # Legacy encoding: the body is the bare value, so return it untouched.
       raw_val
     end
   end
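The following is an added, stand-alone example and not Puppet's own code. It shows, end to end, what custom_extensions, subject_alt_names and get_ext_val do above: it builds a self-signed certificate carrying a SAN plus two custom extensions (one whose OCTET STRING body is DER-wrapped as a UTF8String, one stored as bare bytes in the pre-PUP-3560 style), walks the certificate's ASN.1 the same way exts_seq does to pull the Extensions SEQUENCE out of the [3] element of TBSCertificate, and decodes each extension with the same DER-then-raw fallback. The three OID arcs are assumed to be the ppRegCertExt, ppPrivCertExt and ppAuthCertExt subtrees that Puppet::SSL::Oids registers; the two leaf OIDs, the subject name and the SAN values are constructed for the example. Two things go beyond the page: the extension lookup returns nil for an absent OID instead of raising, and extension values are only returned after the issuer's signature verifies, since they are "trusted" facts only because the CA signed them.

```ruby
require 'openssl'

# Added example, not Puppet's code. Arcs assumed to match Puppet::SSL::Oids;
# the two leaf OIDs are chosen for this example.
PP_REG_CERT_EXT  = '1.3.6.1.4.1.34380.1.1'
PP_PRIV_CERT_EXT = '1.3.6.1.4.1.34380.1.2'
PP_AUTH_CERT_EXT = '1.3.6.1.4.1.34380.1.3'
PUPPET_SUBTREES  = [PP_REG_CERT_EXT, PP_PRIV_CERT_EXT, PP_AUTH_CERT_EXT].freeze
PP_UUID_OID      = "#{PP_REG_CERT_EXT}.1"   # assumed to be pp_uuid
PP_LEGACY_OID    = "#{PP_REG_CERT_EXT}.2"   # second leaf; stored the pre-PUP-3560 way

# Dotted-string stand-in for Puppet::SSL::Oids.subtree_of?
def subtree_of?(parent, oid)
  oid == parent || oid.start_with?("#{parent}.")
end

# Self-signed X.509 v3 certificate with a SAN plus custom extensions.
# exts maps an OID to the bytes that become the extension's OCTET STRING body.
def build_cert(exts)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                        # v3: required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=agent01.example.com')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('subjectAltName',
                                         'DNS:agent01.example.com, DNS:agent01'))
  # Extension.new stores the bytes verbatim as the extnValue OCTET STRING.
  exts.each { |oid, bytes| cert.add_extension(OpenSSL::X509::Extension.new(oid, bytes, false)) }
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Extensions SEQUENCE from the [3] EXPLICIT element of TBSCertificate, which is
# the first element of Certificate (RFC 5280 section 4.1). Same walk as exts_seq,
# but nil for a certificate without extensions.
def extensions_sequence(cert)
  tbs    = OpenSSL::ASN1.decode(cert.to_der).value[0]
  tagged = tbs.value.find { |d| d.tag == 3 && d.tag_class == :CONTEXT_SPECIFIC }
  tagged && tagged.value[0]
end

# Extension is SEQUENCE { OID, [critical BOOLEAN], OCTET STRING }, so the body
# is .value.last. A body that is not DER (legacy trusted facts) comes back raw.
# Caveat: a legacy value that happens to be valid DER is decoded, not returned as-is.
def extension_value(cert, oid)
  seq = extensions_sequence(cert)
  return nil unless seq
  ext = seq.value.find { |e| e.value[0].value == oid }
  return nil unless ext                      # absent OID: nil, not NoMethodError
  raw = ext.value.last.value
  begin
    OpenSSL::ASN1.decode(raw).value
  rescue OpenSSL::ASN1::ASN1Error
    raw
  end
end

# Puppet-registered extensions as [{'oid' => ..., 'value' => ...}], but only
# once the issuer's signature verifies: never read "trusted" facts from a
# certificate whose signature has not been checked.
def custom_extensions(cert, issuer_pubkey)
  return nil unless cert.verify(issuer_pubkey)
  cert.extensions
      .select { |e| PUPPET_SUBTREES.any? { |arc| subtree_of?(arc, e.oid) } }
      .map    { |e| { 'oid' => e.oid, 'value' => extension_value(cert, e.oid) } }
end

def subject_alt_names(cert)
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  san ? san.value.split(/\s*,\s*/) : []
end

# Constructed sample: one body DER-wrapped as UTF8String (current encoding),
# one stored as bare bytes (the encoding the rescue branch exists for).
def demo
  cert, key = build_cert({
    PP_UUID_OID   => OpenSSL::ASN1::UTF8String.new('abcd').to_der,
    PP_LEGACY_OID => 'legacy-raw'
  })
  {
    sans:      subject_alt_names(cert),
    trusted:   custom_extensions(cert, key.public_key),
    untrusted: custom_extensions(cert, OpenSSL::PKey::RSA.new(2048).public_key),
    missing:   extension_value(cert, '1.2.3.4')
  }
end

puts demo.inspect if __FILE__ == $0
```

Running it prints the SAN list, the two custom extensions with their decoded values ('abcd' from the DER-wrapped body, 'legacy-raw' from the bare one), nil for the same certificate checked against a key that did not sign it, and nil for an OID the certificate does not carry. The signature check is the point a practitioner should not skip: a CSR can carry any extension value the requester likes, and the value only becomes a trusted fact once the CA has signed the certificate containing it.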