Module: Puppet_X::TlsInfo

Defined in:
lib/puppet_x/tlsinfo/x509_tools.rb


Class Method Details

.basename(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 40

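def self.basename(cert)
  # Derive a base name for a certificate.
  #
  # * CA certificates (basicConstraints containing CA:TRUE) and certificates
  #   without a usable Common Name are named by the subject hash, rendered as
  #   8 hex digits.
  # * Any other certificate is named by its CN, with the first '*' replaced
  #   by 'wildcard'.
  #
  # @param cert [String] PEM/DER data accepted by read_x509_cert
  # @return [String, nil] the base name, or nil when the data does not parse
  certobj = read_x509_cert(cert)
  # read_x509_cert warns and returns nil on a parse failure; propagate the nil
  # rather than failing with NoMethodError on certobj below.
  return nil if certobj.nil?

  basicconstraints, = certobj.extensions.select { |e| e.oid == 'basicConstraints' }.map(&:to_h)
  is_ca = basicconstraints && basicconstraints['value'].include?('CA:TRUE')

  # cn (and therefore data) is nil when the subject carries no Common Name
  cn, = certobj.subject.to_a.select { |name, _data, _type| name == 'CN' }
  _name, data, _type = cn

  if is_ca || data.nil? || data.empty?
    # basename is the subject hash, truncated to an unsigned 32-bit value
    # (pack/unpack 'L') before formatting
    i = certobj.subject.hash
    '%08x' % [i].pack('L').unpack('L').first
  else
    # NOTE(review): only the first '*' is rewritten; every other character of
    # the CN (including '/' or '..') passes through unchanged. Confirm callers
    # sanitise the result (see normalize) before using it as a path component.
    data.sub('*', 'wildcard')
  end
end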

.cert_hash(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 74

def self.cert_hash(cert)
  # Subject name hash as 8 zero-padded hex digits (the value
  # `openssl x509 -subject_hash` prints).
  # @param cert [OpenSSL::X509::Certificate]
  # @return [String]
  format('%08x', cert.subject.hash)
end

.cert_hash_old(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 78

def self.cert_hash_old(cert)
  # Subject name hash using OpenSSL's legacy (pre-1.0.0) algorithm, as 8
  # zero-padded hex digits (`openssl x509 -subject_hash_old`).
  # @param cert [OpenSSL::X509::Certificate]
  # @return [String]
  format('%08x', cert.subject.hash_old)
end

.cert_issuer(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 82

def self.cert_issuer(cert)
  # Issuer distinguished name in OpenSSL's default string form
  # (e.g. "/CN=Example CA").
  # @param cert [OpenSSL::X509::Certificate]
  # @return [String]
  issuer_name = cert.issuer
  issuer_name.to_s
end

.cert_issuer_hash(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 86

def self.cert_issuer_hash(cert)
  # Issuer name hash as 8 zero-padded hex digits (`openssl x509 -issuer_hash`).
  # @param cert [OpenSSL::X509::Certificate]
  # @return [String]
  format('%08x', cert.issuer.hash)
end

.cert_names(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 62

def self.cert_names(cert)
  # All DNS names the certificate covers: the subject CN (when present)
  # followed by every DNS: entry of subjectAltName, de-duplicated.
  # Other SAN kinds (IP Address, email, URI, ...) are ignored.
  # @param cert [OpenSSL::X509::Certificate]
  # @return [Array<String>] possibly empty
  common_name = cert.subject.to_a.find { |name, _data, _type| name == 'CN' }
  cn_value = common_name && common_name[1]

  san_ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [cn_value].compact unless san_ext

  # The extension value is a comma-separated list of "<kind>:<value>" items.
  dns_entries = san_ext.to_h['value'].split(',').each_with_object([]) do |entry, acc|
    kind, value = entry.strip.split(':')
    acc << value if kind == 'DNS'
  end
  ([cn_value] + dns_entries).uniq.compact
end

.cert_not_after(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 110

def self.cert_not_after(cert)
  # End of the certificate's validity period.
  # @param cert [OpenSSL::X509::Certificate]
  # @return [Time]
  expiry = cert.not_after
  expiry
end

.cert_not_after_message(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 118

def self.cert_not_after_message(cert)
  # Expiry in openssl's "notAfter=..." style, e.g. "notAfter=Jan  1 00:00:00 1970 UTC".
  # %Z prints the zone name of the Time object itself.
  # @param cert [OpenSSL::X509::Certificate]
  # @return [String]
  fmt = 'notAfter=%b %_d %T %Y %Z'
  cert.not_after.strftime(fmt)
end

.cert_not_after_valid(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 114

def self.cert_not_after_valid(cert)
  # True while the certificate has not expired (now strictly before not_after).
  # @param cert [OpenSSL::X509::Certificate]
  # @return [Boolean]
  now = Time.now
  now < cert.not_after
end

.cert_not_before(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 98

def self.cert_not_before(cert)
  # Start of the certificate's validity period.
  # @param cert [OpenSSL::X509::Certificate]
  # @return [Time]
  activation = cert.not_before
  activation
end

.cert_not_before_message(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 106

def self.cert_not_before_message(cert)
  # Activation time in openssl's "notBefore=..." style,
  # e.g. "notBefore=Jan  1 00:00:00 1970 UTC". %Z prints the Time's own zone name.
  # @param cert [OpenSSL::X509::Certificate]
  # @return [String]
  fmt = 'notBefore=%b %_d %T %Y %Z'
  cert.not_before.strftime(fmt)
end

.cert_not_before_valid(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 102

def self.cert_not_before_valid(cert)
  # True once the certificate has become active (not_before strictly before now).
  # @param cert [OpenSSL::X509::Certificate]
  # @return [Boolean]
  now = Time.now
  cert.not_before < now
end

.cert_serial(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 94

def self.cert_serial(cert)
  # Serial number as a hex string without a "0x" prefix.
  # NOTE(review): OpenSSL::BN#to_s(16) appears to emit upper-case digits —
  # verify before comparing against lower-case values.
  # @param cert [OpenSSL::X509::Certificate]
  # @return [String]
  serial = cert.serial
  serial.to_s(16)
end

.cert_valid(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 122

def self.cert_valid(cert)
  # True only when the current time lies strictly inside the validity period.
  # This is a date check only: signature, chain and revocation are not examined.
  # @param cert [OpenSSL::X509::Certificate]
  # @return [Boolean]
  return false unless cert_not_before_valid(cert)

  cert_not_after_valid(cert)
end

.normalize(name) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 58

def self.normalize(name)
  # Turn a host/certificate name into an identifier-like string: the first
  # '*' becomes 'wildcard' and each of '.', '-', "'" and ' ' becomes '_'.
  # Any other character (including '/') is left untouched.
  # @param name [String]
  # @return [String]
  name.sub('*', 'wildcard').tr('.-', '_').tr("' ", '_')
end

.read_rsa_key(value, password = nil) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 7

def self.read_rsa_key(value, password = nil)
  # Build an RSA key object from PEM/DER data.
  # @param value [String, Puppet::Pops::Types::PBinaryType::Binary] key material
  # @param password [String, nil] passphrase for an encrypted key
  # @return [OpenSSL::PKey::RSA, nil] nil (after a Puppet warning) when OpenSSL
  #   cannot parse the key
  raw = value
  raw = value.binary_buffer if value.is_a?(Puppet::Pops::Types::PBinaryType::Binary)
  # A throw-away random passphrase is always supplied — presumably so that an
  # encrypted key given without a password fails with RSAError instead of
  # OpenSSL prompting on the terminal; confirm.
  password ||= SecureRandom.urlsafe_base64(10)
  OpenSSL::PKey::RSA.new(raw, password)
rescue OpenSSL::PKey::RSAError => e
  Puppet.warning(_('Can not create RSA PKey object (%{message})') % { message: e.message })
  nil
end

.read_x509_cert(value) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 31

def self.read_x509_cert(value)
  # Parse PEM or DER certificate data.
  # Unlike read_rsa_key, a Puppet Binary value is not unwrapped here; pass a String.
  # @param value [String] certificate data
  # @return [OpenSSL::X509::Certificate, nil] nil (after a Puppet warning) when
  #   OpenSSL cannot parse the data
  OpenSSL::X509::Certificate.new(value)
rescue OpenSSL::X509::CertificateError => e
  Puppet.warning(_('Can not create X509 Certificate object (%{message})') % { message: e.message })
  nil
end

.read_x509_chain(path) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 126

def self.read_x509_chain(path)
  # Read the first certificate of a PEM file and build its chain from the
  # certificates contained in that same file.
  # @param path [String] path to a PEM bundle
  # @return [Array<OpenSSL::X509::Certificate>, nil] nil when the file does not
  #   exist or its first certificate cannot be parsed
  return nil unless File.exist?(path)

  leaf = read_x509_cert(File.read(path))
  return nil if leaf.nil?

  # Every certificate in the file is added as trusted, and verify's boolean
  # result is discarded, so callers cannot tell whether the chain was actually
  # validated. NOTE(review): surface verify's result (and store.error) if a
  # validated chain is required.
  store = OpenSSL::X509::Store.new
  store.add_file(path)
  store.verify(leaf)
  store.chain
end

.rsa_key_modulus(key) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 20

def self.rsa_key_modulus(key)
  # Hex representation of the RSA modulus n; compare with x509_cert_modulus
  # to match a private key to its certificate.
  # @param key [OpenSSL::PKey::RSA]
  # @return [String]
  modulus = key.params['n']
  modulus.to_s(16)
end

.rsa_key_size(key) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 16

def self.rsa_key_size(key)
  # Key size in bits, taken from the bit length of the modulus n.
  # @param key [OpenSSL::PKey::RSA]
  # @return [Integer]
  modulus = key.params['n']
  modulus.num_bits
end

.rsa_to_pem(key, password = nil) ⇒ Object

openssl rsa -des3 -in <key> -passout pass:<@resource>



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 25

def self.rsa_to_pem(key, password = nil)
  # Serialise an RSA key to PEM. With a password the PEM is encrypted using
  # 3DES, mirroring `openssl rsa -des3 -passout pass:...`. 3DES is a legacy
  # cipher kept for compatibility with existing consumers; AES (e.g.
  # 'AES-256-CBC') is the stronger choice where consumers can read it.
  # @param key [OpenSSL::PKey::RSA]
  # @param password [String, nil]
  # @return [String] PEM text
  if password
    key.to_pem(OpenSSL::Cipher.new('DES3'), password)
  else
    key.to_pem
  end
end

.x509_cert_modulus(cert) ⇒ Object



# File 'lib/puppet_x/tlsinfo/x509_tools.rb', line 90

def self.x509_cert_modulus(cert)
  # Hex modulus of the certificate's public key; equals rsa_key_modulus of the
  # matching private key. Assumes an RSA public key (reads params['n']).
  # @param cert [OpenSSL::X509::Certificate]
  # @return [String]
  modulus = cert.public_key.params['n']
  modulus.to_s(16)
end