module Puppet::SSL::Oids
This module defines OIDs for use within Puppet.
# ASN.1 Definition
The following is the formal definition of OIDs specified in this file.
```
puppetCertExtensions OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
  dod(6) internet(1) private(4) enterprise(1) 34380 1}

-- the tree under registeredExtensions 'belongs' to puppetlabs
-- privateExtensions can be extended by enterprises to suit their own needs
registeredExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 1 }
privateExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 2 }
authorizationExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 3 }

-- subtree of common registered extensions
-- The short names for these OIDs are intentionally lowercased and formatted
-- since they may be exposed inside the Puppet DSL as variables.
pp_uuid OBJECT IDENTIFIER ::= { registeredExtensions 1 }
pp_instance_id OBJECT IDENTIFIER ::= { registeredExtensions 2 }
pp_image_name OBJECT IDENTIFIER ::= { registeredExtensions 3 }
pp_preshared_key OBJECT IDENTIFIER ::= { registeredExtensions 4 }
```
@api private
Constants
- PUPPET_OIDS
Note: When updating the following OIDs make sure to also update the OID definitions here: github.com/puppetlabs/puppetserver/blob/master/src/clj/puppetlabs/puppetserver/certificate_authority.clj#L122-L159
Public Class Methods
Load custom OID mapping file that enables custom OIDs to be resolved into user-friendly names.
@param custom_oid_file [String] File to obtain custom OIDs mapping from
@param map_key [String] Hash key in which custom OIDs mapping is stored
@example Custom OID mapping file
```yaml
oid_mapping:
  '1.3.6.1.4.1.34380.1.2.1.1':
    shortname: 'myshortname'
    longname: 'Long name'
  '1.3.6.1.4.1.34380.1.2.1.2':
    shortname: 'myothershortname'
    longname: 'Other Long name'
```
```ruby
# File lib/puppet/ssl/oids.rb
def self.load_custom_oid_file(custom_oid_file, map_key='oid_mapping')
  oid_defns = parse_custom_oid_file(custom_oid_file, map_key)
  unless oid_defns.nil?
    begin
      oid_defns.each do |oid_defn|
        OpenSSL::ASN1::ObjectId.register(*oid_defn)
      end
    rescue => err
      raise ArgumentError, _("Error registering ssl custom OIDs mapping from file '%{custom_oid_file}': %{err}") % { custom_oid_file: custom_oid_file, err: err }, err.backtrace
    end
  end
end
```
Parse custom OID mapping file that enables custom OIDs to be resolved into user-friendly names.
@param custom_oid_file [String] File to obtain custom OIDs mapping from
@param map_key [String] Hash key in which custom OIDs mapping is stored
@example Custom OID mapping file
```yaml
oid_mapping:
  '1.3.6.1.4.1.34380.1.2.1.1':
    shortname: 'myshortname'
    longname: 'Long name'
  '1.3.6.1.4.1.34380.1.2.1.2':
    shortname: 'myothershortname'
    longname: 'Other Long name'
```
```ruby
# File lib/puppet/ssl/oids.rb
def self.parse_custom_oid_file(custom_oid_file, map_key='oid_mapping')
  if File.exist?(custom_oid_file) && File.readable?(custom_oid_file)
    mapping = nil
    begin
      mapping = Puppet::Util::Yaml.safe_load_file(custom_oid_file, [Symbol])
    rescue => err
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': %{err}") % { custom_oid_file: custom_oid_file, err: err }, err.backtrace
    end

    unless mapping.has_key?(map_key)
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': no such index '%{map_key}'") % { custom_oid_file: custom_oid_file, map_key: map_key }
    end

    unless mapping[map_key].is_a?(Hash)
      raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': data under index '%{map_key}' must be a Hash") % { custom_oid_file: custom_oid_file, map_key: map_key }
    end

    oid_defns = []
    mapping[map_key].keys.each do |oid|
      shortname, longname = mapping[map_key][oid].values_at("shortname","longname")
      if shortname.nil? || longname.nil?
        raise Puppet::Error, _("Error loading ssl custom OIDs mapping file from '%{custom_oid_file}': incomplete definition of oid '%{oid}'") % { custom_oid_file: custom_oid_file, oid: oid }
      end
      oid_defns << [oid, shortname, longname]
    end

    oid_defns
  end
end
```
Register our custom Puppet OIDs with OpenSSL so they can be used as CSR extensions. Without registering these OIDs, OpenSSL will fail when it encounters such an extension in a CSR.
```ruby
# File lib/puppet/ssl/oids.rb
def self.register_puppet_oids()
  if !@did_register_puppet_oids
    PUPPET_OIDS.each do |oid_defn|
      OpenSSL::ASN1::ObjectId.register(*oid_defn)
    end

    @did_register_puppet_oids = true
  end
end
```
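The following is an added example, not Puppet's own code, showing what the ASN.1 definition and `register_puppet_oids` above amount to in practice: the dotted OIDs are derived from the arcs documented above (`puppetCertExtensions` = `1.3.6.1.4.1.34380.1`, `registeredExtensions` = `...34380.1.1`), the long names are constructed placeholders rather than the entries of `PUPPET_OIDS`, and `register_example_oids`, `build_extension`, `extension_value` and `demo` are names chosen here. It registers the OIDs once (OpenSSL's object table is process-wide and refuses to register a short name twice, which is why Puppet keeps the `@did_register_puppet_oids` guard), then builds the kind of extension a CSR carries and shows that the same extension reports its OID as the bare dotted string before registration and as `pp_uuid` afterwards.

```ruby
require 'openssl'

# Added example, not Puppet's code. Dotted values follow the ASN.1 arcs
# documented on this page; the long names are constructed placeholders.
PUPPET_CERT_EXTENSIONS = '1.3.6.1.4.1.34380.1'
REGISTERED_EXTENSIONS  = "#{PUPPET_CERT_EXTENSIONS}.1"

EXAMPLE_OIDS = [
  ["#{REGISTERED_EXTENSIONS}.1", 'pp_uuid',          'Example: node UUID'],
  ["#{REGISTERED_EXTENSIONS}.2", 'pp_instance_id',   'Example: instance id'],
  ["#{REGISTERED_EXTENSIONS}.3", 'pp_image_name',    'Example: image name'],
  ["#{REGISTERED_EXTENSIONS}.4", 'pp_preshared_key', 'Example: preshared key'],
].freeze

# Register each OID at most once. OpenSSL keeps a single process-wide object
# table and raises OpenSSL::ASN1::ASN1Error if the short name already exists,
# so the lookup below makes repeated calls a no-op.
def register_example_oids(defns = EXAMPLE_OIDS)
  defns.each do |oid, sn, ln|
    begin
      next if OpenSSL::ASN1::ObjectId.new(sn).oid == oid # already registered
    rescue OpenSSL::ASN1::ASN1Error
      # short name not known to OpenSSL yet: fall through and register it
    end
    OpenSSL::ASN1::ObjectId.register(oid, sn, ln)
  end
  true
end

# A custom Puppet extension carries its value as the DER of a UTF8String.
def build_extension(oid, value)
  OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(value).to_der)
end

# Decode the value without relying on OpenSSL knowing how to print it:
# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
def extension_value(ext)
  octets = OpenSSL::ASN1.decode(ext.to_der).value.last
  OpenSSL::ASN1.decode(octets.value).value
end

# Returns [oid_before_registration, oid_after_registration, decoded_value].
def demo
  uuid = 'ED803750-E3C7-44F5-BB08-41A04433FE2E' # constructed sample value
  dotted = "#{REGISTERED_EXTENSIONS}.1"
  before = build_extension(dotted, uuid).oid     # unknown OID: printed as digits
  register_example_oids
  ext = build_extension(dotted, uuid)
  [before, ext.oid, extension_value(ext)]        # now resolves to 'pp_uuid'
end
```

Note that `register_example_oids` only has an effect on the current process; a CA or agent that decodes these extensions must register the table before parsing, exactly as `register_puppet_oids` does.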
Determine if the first OID contains the second OID
@param first [String] The containing OID, in dotted form or as the short name
@param second [String] The contained OID, in dotted form or as the short name
@param exclusive [true, false] If an OID should not be considered as a subtree of itself
@example Comparing two dotted OIDs
```ruby
Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6.1.4.1') #=> true
Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6') #=> false
```
@example Comparing an OID short name with a dotted OID
```ruby
Puppet::SSL::Oids.subtree_of?('IANA', '1.3.6.1.4.1') #=> true
Puppet::SSL::Oids.subtree_of?('1.3.6.1', 'enterprises') #=> true
```
@example Comparing an OID against itself
```ruby
Puppet::SSL::Oids.subtree_of?('IANA', 'IANA') #=> true
Puppet::SSL::Oids.subtree_of?('IANA', 'IANA', true) #=> false
```
@return [true, false]
```ruby
# File lib/puppet/ssl/oids.rb
def self.subtree_of?(first, second, exclusive = false)
  first_oid = OpenSSL::ASN1::ObjectId.new(first).oid
  second_oid = OpenSSL::ASN1::ObjectId.new(second).oid

  if exclusive and first_oid == second_oid
    false
  else
    # Compare on arc boundaries: a plain string-prefix test would report
    # '1.3.6.1' as containing '1.3.6.10'.
    second_oid == first_oid || second_oid.start_with?("#{first_oid}.")
  end
rescue OpenSSL::ASN1::ASN1Error, TypeError
  false
end
```
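The following is an added example, not Puppet's code, covering two passages above: the custom OID mapping file read by `parse_custom_oid_file`, and the subtree comparison done by `subtree_of?`. It parses a mapping in the documented YAML format (the sample is constructed and mirrors the `@example` above; it is read from a string with `YAML.safe_load` rather than through `Puppet::Util::Yaml.safe_load_file`) and, beyond what Puppet itself validates, applies a policy a CA operator would reasonably want: each custom OID must lie strictly under `privateExtensions` (`1.3.6.1.4.1.34380.1.2`, derived from the ASN.1 above), and its short name must neither reuse one of the registered Puppet names nor collide with a name OpenSSL already knows. The containment check is done arc by arc so that `...1.20` is not mistaken for a child of `...1.2`. `parse_custom_oid_mapping`, `under_private_extensions?`, `known_to_openssl?` and `RESERVED_SHORT_NAMES` are names chosen here.

```ruby
require 'openssl'
require 'yaml'

# Added example, not Puppet's code. privateExtensions per the ASN.1 above:
# puppetCertExtensions (1.3.6.1.4.1.34380.1) arc 2.
PRIVATE_EXTENSIONS = '1.3.6.1.4.1.34380.1.2'
PRIVATE_ARCS = PRIVATE_EXTENSIONS.split('.').freeze

# Short names Puppet reserves under registeredExtensions (from the ASN.1 above).
RESERVED_SHORT_NAMES = %w[pp_uuid pp_instance_id pp_image_name pp_preshared_key].freeze

# Constructed sample mapping in the documented file format.
MAPPING_YAML = <<~YAML
  oid_mapping:
    '1.3.6.1.4.1.34380.1.2.1.1':
      shortname: 'myshortname'
      longname: 'Long name'
    '1.3.6.1.4.1.34380.1.2.1.2':
      shortname: 'myothershortname'
      longname: 'Other Long name'
YAML

# True when the dotted OID is a proper descendant of privateExtensions.
# Arcs are compared individually, so '...1.20.x' is not under '...1.2'.
def under_private_extensions?(dotted_oid)
  arcs = dotted_oid.to_s.split('.')
  arcs.length > PRIVATE_ARCS.length && arcs.first(PRIVATE_ARCS.length) == PRIVATE_ARCS
end

# True when OpenSSL can already resolve the name (built-in or registered);
# such a name must not be handed out to a custom OID.
def known_to_openssl?(name)
  OpenSSL::ASN1::ObjectId.new(name).oid
  true
rescue OpenSSL::ASN1::ASN1Error, TypeError
  false
end

# Parses the mapping and returns [[oid, shortname, longname], ...] in file
# order, raising ArgumentError for structural problems or policy violations.
def parse_custom_oid_mapping(yaml_text, map_key = 'oid_mapping')
  mapping = YAML.safe_load(yaml_text)
  table = mapping.is_a?(Hash) ? mapping[map_key] : nil
  raise ArgumentError, "data under index '#{map_key}' must be a Hash" unless table.is_a?(Hash)

  table.map do |oid, defn|
    oid = oid.to_s
    shortname, longname = defn.is_a?(Hash) ? defn.values_at('shortname', 'longname') : [nil, nil]
    raise ArgumentError, "incomplete definition of oid '#{oid}'" if shortname.nil? || longname.nil?
    raise ArgumentError, "oid '#{oid}' is not under privateExtensions" unless under_private_extensions?(oid)
    raise ArgumentError, "short name '#{shortname}' is reserved by Puppet" if RESERVED_SHORT_NAMES.include?(shortname)
    raise ArgumentError, "short name '#{shortname}' already known to OpenSSL" if known_to_openssl?(shortname)
    [oid, shortname, longname]
  end
end
```

The returned triples are in the shape `OpenSSL::ASN1::ObjectId.register` expects, so they can be splatted into it exactly as `load_custom_oid_file` does; the policy checks run before anything touches the process-wide OpenSSL table, which cannot be rolled back once a name is registered.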