This patch adds the contents of certdnsnames to the CSR being generated
on the Puppet agent as Extensions.

Signed-off-by: James Turnbull <ja...@lovedthanlost.net>
---
Local-branch: tickets/master/7243
 lib/puppet/ssl/certificate_request.rb     |   20 ++++++++++++++++++++
 spec/unit/ssl/certificate_request_spec.rb |    1 +
 2 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/lib/puppet/ssl/certificate_request.rb 
b/lib/puppet/ssl/certificate_request.rb
index ecdebe1..15eadf3 100644
--- a/lib/puppet/ssl/certificate_request.rb
+++ b/lib/puppet/ssl/certificate_request.rb
@@ -1,4 +1,5 @@
 require 'puppet/ssl/base'
+require 'pp'
 
 # Manage certificate requests.
 class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
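Review bot: The added `require 'pp'` is not used by any line visible in this patch and looks like a debugging leftover. I would drop it from the library file so that loading `certificate_request.rb` does not pull in the pretty-printer for no reason. If a later part of the file does call `pp`, that call is probably debug output that should go through Puppet's logging instead.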
@@ -52,6 +53,25 @@ class Puppet::SSL::CertificateRequest < Puppet::SSL::Base
     csr.subject = OpenSSL::X509::Name.new([["CN", common_name]])
     csr.public_key = key.public_key
 
+    dnsnames = Puppet[:certdnsnames]
+    subject_alt_name = []
+    if dnsnames != ""
+      dnsnames.split(':').each { |d| subject_alt_name << 'DNS:' + d }
+    end
+    subject_alt_name << 'DNS:' + Facter["fqdn"].value
+
+    ef = OpenSSL::X509::ExtensionFactory.new
+  
+    names = subject_alt_name.collect{|e| ef.create_extension("subjectAltName", 
e, "false") }
+    names = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence(names)])
+
+    attrs = [
+      OpenSSL::X509::Attribute.new("extReq", names),
+      OpenSSL::X509::Attribute.new("msExtReq", names),
+    ]
+
+    attrs.each{|attr| csr.add_attribute(attr) }
+
     if Puppet[:allow_csr_attributes]
       @csrattributes = Puppet[:csr_attributes_file]
       unless FileTest.exists?(@csrattributes)
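Review bot: In the added block, `create_extension("subjectAltName", e, "false")` passes the string "false" as the critical flag, which is truthy in Ruby and so probably marks the extension critical. It also builds one subjectAltName extension per name, where a request should carry a single extension listing every name. `'DNS:' + Facter["fqdn"].value` raises if the fqdn fact is missing or nil, and an empty segment in certdnsnames becomes a bare `DNS:` entry. Each name is spliced into the OpenSSL value string as-is, so entries should be checked to be plain hostnames, and the signing side (not visible here) should not copy requested names into a certificate without review. The enclosing method starts and ends outside the hunk.

```ruby
    # … unchanged: csr.subject / csr.public_key assignment …
    alt_names = Puppet[:certdnsnames].to_s.split(':').reject { |d| d.empty? }
    fqdn_fact = Facter["fqdn"]
    alt_names << fqdn_fact.value if fqdn_fact && fqdn_fact.value

    unless alt_names.empty?
      ef = OpenSSL::X509::ExtensionFactory.new
      # One subjectAltName extension carrying every name; critical is a real boolean.
      san = ef.create_extension("subjectAltName", alt_names.map { |d| "DNS:#{d}" }.join(", "), false)
      names = OpenSSL::ASN1::Set([OpenSSL::ASN1::Sequence([san])])
      # … unchanged: extReq / msExtReq attributes built from names and added to csr …
    end
```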
diff --git a/spec/unit/ssl/certificate_request_spec.rb 
b/spec/unit/ssl/certificate_request_spec.rb
index 8b64a28..e616c76 100755
--- a/spec/unit/ssl/certificate_request_spec.rb
+++ b/spec/unit/ssl/certificate_request_spec.rb
@@ -127,6 +127,7 @@ describe Puppet::SSL::CertificateRequest do
       subject = mock 'subject'
       Puppet.settings.expects(:value).with(:ca_name).returns "mycertname"
       Puppet.settings.expects(:value).with(:allow_csr_attributes).returns false
+      Puppet.settings.expects(:value).with(:certdnsnames).returns 
"othercertname"
       OpenSSL::X509::Name.expects(:new).with { |subject| subject[0][1] == 
"mycertname" }.returns(subject)
       @request.expects(:subject=).with(subject)
       Puppet::SSL::CertificateRequest.new(Puppet::SSL::CA_NAME).generate(@key)
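Review bot: The added expectation only feeds a `certdnsnames` value into `generate`; nothing in this example asserts that the request ends up with a subjectAltName attribute containing "othercertname". `Facter["fqdn"]` is also not stubbed, so the example depends on the facts of the machine running the suite. I would add a dedicated example that stubs the fact (a constructed value such as `Facter.stubs(:[]).with("fqdn").returns(stub('fact', :value => "host.example.com"))`) and checks the attributes passed to `add_attribute`. If `@request` is a mock, as the `@request.expects(:subject=)` line suggests, the new `add_attribute` calls presumably need expectations as well.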
-- 
1.7.4.1
