x509_crl.rb 2.85 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

chef_version_for_provides '< 14.4' if respond_to?(:chef_version_for_provides)
resource_name :openssl_x509_crl

20
21
22
23
24
25
26
27
28
29
include OpenSSLCookbook::Helpers

property :path,              String, name_property: true
property :serial_to_revoke,  [Integer, String]
property :revocation_reason, Integer, default: 0
property :expire,            Integer, default: 8
property :renewal_threshold, Integer, default: 1
property :ca_cert_file,      String, required: true
property :ca_key_file,       String, required: true
property :ca_key_pass,       String
30
31
32
property :owner,             String
property :group,             String
property :mode,              String
33
34
35

action :create do
  file new_resource.path do
36
37
38
    owner new_resource.owner unless new_resource.owner.nil?
    group new_resource.group unless new_resource.group.nil?
    mode new_resource.mode unless new_resource.mode.nil?
39
40
41
42
43
44
45
46
47
48
    content crl.to_pem
    action :create
  end
end

action_class do
  def crl_info
    # Will contain issuer & expiration
    crl_info = {}

49
    crl_info['issuer'] = ::OpenSSL::X509::Certificate.new ::File.read(new_resource.ca_cert_file)
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
    crl_info['validity'] = new_resource.expire

    crl_info
  end

  def revoke_info
    # Will contain Serial to revoke & reason
    revoke_info = {}

    revoke_info['serial'] = new_resource.serial_to_revoke
    revoke_info['reason'] = new_resource.revocation_reason

    revoke_info
  end

  def ca_private_key
66
    ca_private_key = ::OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass
67
68
69
70
71
    ca_private_key
  end

  def crl
    if crl_file_valid?(new_resource.path)
72
      crl = ::OpenSSL::X509::CRL.new ::File.read(new_resource.path)
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
    else
      log "Creating a CRL #{new_resource.path} for CA #{new_resource.ca_cert_file}"
      crl = gen_x509_crl(ca_private_key, crl_info)
    end

    if !new_resource.serial_to_revoke.nil? && serial_revoked?(crl, new_resource.serial_to_revoke) == false
      log "Revoking serial #{new_resource.serial_to_revoke} in CRL #{new_resource.path}"
      crl = revoke_x509_crl(revoke_info, crl, ca_private_key, crl_info)
    elsif crl.next_update <= Time.now + 3600 * 24 * new_resource.renewal_threshold
      log "Renewing CRL for CA #{new_resource.ca_cert_file}"
      crl = renew_x509_crl(crl, ca_private_key, crl_info)
    end

    crl
  end
end