diff options
Diffstat (limited to 'lib/chef/resource/openssl_x509_certificate.rb')
-rw-r--r-- | lib/chef/resource/openssl_x509_certificate.rb | 267 |
1 files changed, 267 insertions, 0 deletions
diff --git a/lib/chef/resource/openssl_x509_certificate.rb b/lib/chef/resource/openssl_x509_certificate.rb new file mode 100644 index 0000000000..c723f47d61 --- /dev/null +++ b/lib/chef/resource/openssl_x509_certificate.rb @@ -0,0 +1,267 @@ +# +# License:: Apache License, Version 2.0 +# Author:: Julien Huon +# Copyright:: Copyright (c) Chef Software Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require_relative "../resource" + +class Chef + class Resource + class OpensslX509Certificate < Chef::Resource + require_relative "../mixin/openssl_helper" + include Chef::Mixin::OpenSSLHelper + + unified_mode true + + provides :openssl_x509_certificate + provides(:openssl_x509) { true } # legacy cookbook name. + + description "Use the **openssl_x509_certificate** resource to generate signed or self-signed, PEM-formatted x509 certificates. If no existing key is specified, the resource will automatically generate a passwordless key with the certificate. If a CA private key and certificate are provided, the certificate will be signed with them. Note: This resource was renamed from openssl_x509 to openssl_x509_certificate. The legacy name will continue to function, but cookbook code should be updated for the new resource name." + introduced "14.4" + examples <<~DOC + Create a simple self-signed certificate file + + ```ruby + openssl_x509_certificate '/etc/httpd/ssl/mycert.pem' do + common_name 'www.f00bar.com' + org 'Foo Bar' + org_unit 'Lab' + country 'US' + end + ``` + + Create a certificate using additional options + + ```ruby + openssl_x509_certificate '/etc/ssl_files/my_signed_cert.crt' do + common_name 'www.f00bar.com' + ca_key_file '/etc/ssl_files/my_ca.key' + ca_cert_file '/etc/ssl_files/my_ca.crt' + expire 365 + extensions( + 'keyUsage' => { + 'values' => %w( + keyEncipherment + digitalSignature), + 'critical' => true, + }, + 'extendedKeyUsage' => { + 'values' => %w(serverAuth), + 'critical' => false, + } + ) + subject_alt_name ['IP:127.0.0.1', 'DNS:localhost.localdomain'] + end + ``` + DOC + + property :path, String, + description: "An optional property for specifying the path to write the file to if it differs from the resource block's name.", + name_property: true + + property :owner, [String, Integer], + description: "The owner applied to all files created by the resource." + + property :group, [String, Integer], + description: "The group ownership applied to all files created by the resource." + + property :expire, Integer, + description: "Value representing the number of days from now through which the issued certificate cert will remain valid. The certificate will expire after this period.", + default: 365 + + property :mode, [Integer, String], + description: "The permission mode applied to all files created by the resource." + + property :country, String, + description: "Value for the `C` certificate field." + + property :state, String, + description: "Value for the `ST` certificate field." + + property :city, String, + description: "Value for the `L` certificate field." + + property :org, String, + description: "Value for the `O` certificate field." + + property :org_unit, String, + description: "Value for the `OU` certificate field." + + property :common_name, String, + description: "Value for the `CN` certificate field." + + property :email, String, + description: "Value for the `email` certificate field." + + property :extensions, Hash, + description: "Hash of X509 Extensions entries, in format `{ 'keyUsage' => { 'values' => %w( keyEncipherment digitalSignature), 'critical' => true } }`.", + default: lazy { {} } + + property :subject_alt_name, Array, + description: "Array of Subject Alternative Name entries, in format `DNS:example.com` or `IP:1.2.3.4`.", + default: lazy { [] } + + property :key_file, String, + description: "The path to a certificate key file on the filesystem. If the key_file property is specified, the resource will attempt to source a key from this location. If no key file is found, the resource will generate a new key file at this location. If the key_file property is not specified, the resource will generate a key file in the same directory as the generated certificate, with the same name as the generated certificate." + + property :key_pass, String, + description: "The passphrase for an existing key's passphrase." + + property :key_type, String, + equal_to: %w{rsa ec}, + description: "The desired type of the generated key.", + default: "rsa" + + property :key_length, Integer, + equal_to: [1024, 2048, 4096, 8192], + description: "The desired bit length of the generated key (if key_type is equal to 'rsa').", + default: 2048 + + property :key_curve, String, + description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run `openssl ecparam -list_curves` to see available options.", + equal_to: %w{secp384r1 secp521r1 prime256v1}, + default: "prime256v1" + + property :csr_file, String, + description: "The path to a X509 Certificate Request (CSR) on the filesystem. If the `csr_file` property is specified, the resource will attempt to source a CSR from this location. If no CSR file is found, the resource will generate a Self-Signed Certificate and the certificate fields must be specified (common_name at last)." + + property :ca_cert_file, String, + description: "The path to the CA X509 Certificate on the filesystem. If the `ca_cert_file` property is specified, the `ca_key_file` property must also be specified, the certificate will be signed with them." + + property :ca_key_file, String, + description: "The path to the CA private key on the filesystem. If the `ca_key_file` property is specified, the `ca_cert_file` property must also be specified, the certificate will be signed with them." + + property :ca_key_pass, String, + description: "The passphrase for CA private key's passphrase." + + property :renew_before_expiry, Integer, + description: "The number of days before the expiry. The certificate will be automatically renewed when the value is reached.", + introduced: "15.7" + + action :create do + description "Generate a certificate" + + file new_resource.path do + action :create_if_missing + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + mode new_resource.mode unless new_resource.mode.nil? + sensitive true + content cert.to_pem + end + + if !new_resource.renew_before_expiry.nil? && cert_need_renewal?(new_resource.path, new_resource.renew_before_expiry) + file new_resource.path do + action :create + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + mode new_resource.mode unless new_resource.mode.nil? + sensitive true + content cert.to_pem + end + end + + if new_resource.csr_file.nil? + file key_file do + action :create_if_missing + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + mode new_resource.mode unless new_resource.mode.nil? + sensitive true + content key.to_pem + end + end + end + + action_class do + def key_file + @key_file ||= + if new_resource.key_file + new_resource.key_file + else + path, file = ::File.split(new_resource.path) + filename = ::File.basename(file, ::File.extname(file)) + path + "/" + filename + ".key" + end + end + + def key + @key ||= if priv_key_file_valid?(key_file, new_resource.key_pass) + OpenSSL::PKey.read ::File.read(key_file), new_resource.key_pass + elsif new_resource.key_type == "rsa" + gen_rsa_priv_key(new_resource.key_length) + else + gen_ec_priv_key(new_resource.key_curve) + end + end + + def request + if new_resource.csr_file.nil? + gen_x509_request(subject, key) + else + OpenSSL::X509::Request.new ::File.read(new_resource.csr_file) + end + end + + def subject + OpenSSL::X509::Name.new.tap do |csr_subject| + csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil? + csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil? + csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil? + csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil? + csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil? + csr_subject.add_entry("CN", new_resource.common_name) + csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil? + end + end + + def ca_private_key + if new_resource.csr_file.nil? + key + else + OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass + end + end + + def ca_info + # Will contain issuer (if any) & expiration + ca_info = {} + + unless new_resource.ca_cert_file.nil? + ca_info["issuer"] = OpenSSL::X509::Certificate.new ::File.read(new_resource.ca_cert_file) + end + ca_info["validity"] = new_resource.expire + + ca_info + end + + def extensions + extensions = gen_x509_extensions(new_resource.extensions) + + unless new_resource.subject_alt_name.empty? + extensions += gen_x509_extensions("subjectAltName" => { "values" => new_resource.subject_alt_name, "critical" => false }) + end + + extensions + end + + def cert + gen_x509_cert(request, extensions, ca_info, ca_private_key) + end + end + end + end +end |