diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/chef/resource/openssl_ec_private_key.rb | 90 | ||||
| -rw-r--r-- | lib/chef/resource/openssl_ec_public_key.rb | 74 | ||||
| -rw-r--r-- | lib/chef/resource/openssl_x509_certificate.rb | 164 | ||||
| -rw-r--r-- | lib/chef/resource/openssl_x509_request.rb | 144 | ||||
| -rw-r--r-- | lib/chef/resources.rb | 4 |
5 files changed, 476 insertions, 0 deletions
diff --git a/lib/chef/resource/openssl_ec_private_key.rb b/lib/chef/resource/openssl_ec_private_key.rb new file mode 100644 index 0000000000..b0c509ac27 --- /dev/null +++ b/lib/chef/resource/openssl_ec_private_key.rb @@ -0,0 +1,90 @@ +# +# Copyright:: Copyright 2018, Chef Software Inc. +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require "chef/resource" + +class Chef + class Resource + class OpensslEcPrivateKey < Chef::Resource + require "chef/mixin/openssl_helper" + include Chef::Mixin::OpenSSLHelper + + resource_name :openssl_ec_private_key + provides(:openssl_ec_private_key) { true } + + description "Use the openssl_ec_private_key resource to generate..." + introduced "14.4" + + property :path, String, + description: "The path to write the file to it's different than the resource name.", + name_property: true + + property :key_curve, String, + equal_to: %w{secp384r1 secp521r1 prime256v1 secp224r1 secp256k1}, + description: "The desired curve of the generated key (if key_type is equal to 'ec'). Run openssl ecparam -list_curves to see available options.", + default: "prime256v1" + + property :key_pass, String, + description: "The desired passphrase for the key." + + property :key_cipher, String, + equal_to: OpenSSL::Cipher.ciphers, + validation_message: "key_cipher must be a cipher known to openssl. Run `openssl list-cipher-algorithms` to see available options.", + description: "The designed cipher to use when generating your key. Run `openssl list-cipher-algorithms` to see available options.", + default: "des3" + + property :owner, [String, nil], + description: "The owner of all files created by the resource." + + property :group, [String, nil], + description: "The group of all files created by the resource." + + property :mode, [Integer, String], + description: "The permission mode of all files created by the resource.", + default: "0600" + + property :force, [TrueClass, FalseClass], + description: "Force creating the key even if the existing key exists.", + default: false, desired_state: false + + action :create do + unless new_resource.force || priv_key_file_valid?(new_resource.path, new_resource.key_pass) + converge_by("Create an EC private key #{new_resource.path}") do + log "Generating an #{new_resource.key_curve} "\ + "EC key file at #{new_resource.name}, this may take some time" + + if new_resource.key_pass + unencrypted_ec_key = gen_ec_priv_key(new_resource.key_curve) + ec_key_content = encrypt_ec_key(unencrypted_ec_key, new_resource.key_pass, new_resource.key_cipher) + else + ec_key_content = gen_ec_priv_key(new_resource.key_curve).to_pem + end + + file new_resource.path do + action :create + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + mode new_resource.mode + sensitive true + content ec_key_content + end + end + end + end + end + end +end diff --git a/lib/chef/resource/openssl_ec_public_key.rb b/lib/chef/resource/openssl_ec_public_key.rb new file mode 100644 index 0000000000..6a1b11548f --- /dev/null +++ b/lib/chef/resource/openssl_ec_public_key.rb @@ -0,0 +1,74 @@ +# +# Copyright:: Copyright 2018, Chef Software Inc. +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require "chef/resource" + +class Chef + class Resource + class OpensslEcPublicKey < Chef::Resource + require "chef/mixin/openssl_helper" + include Chef::Mixin::OpenSSLHelper + + resource_name :openssl_ec_public_key + provides(:openssl_ec_public_key) { true } + + description "Use the openssl_ec_public_key resource to..." + introduced "14.4" + + property :path, String, + description: "The path to write the file to if different than the resource's name.", + name_property: true + + property :private_key_path, String, + description: "The path to the private key." + + property :private_key_content, String, + description: "The content of the private key including new lines. Used instead of private_key_path to avoid having to first write a key to disk." + + property :private_key_pass, String, + description: "The passphrase of the provided private key." + + property :owner, [String, nil], + description: "The owner of all files created by the resource." + + property :group, [String, nil], + description: "The group of all files created by the resource." + + property :mode, [Integer, String], + description: "The permission mode of all files created by the resource.", + default: "0640" + + action :create do + description "" + + raise ArgumentError, "You cannot specify both 'private_key_path' and 'private_key_content' properties at the same time." if new_resource.private_key_path && new_resource.private_key_content + raise ArgumentError, "You must specify the private key with either 'private_key_path' or 'private_key_content' properties." unless new_resource.private_key_path || new_resource.private_key_content + raise "#{new_resource.private_key_path} not a valid private RSA key or password is invalid" unless priv_key_file_valid?((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass) + + ec_key_content = gen_ec_public_key((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass) + + file new_resource.path do + action :create + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + mode new_resource.mode + content ec_key_content + end + end + end + end +end diff --git a/lib/chef/resource/openssl_x509_certificate.rb b/lib/chef/resource/openssl_x509_certificate.rb new file mode 100644 index 0000000000..cb50e60fca --- /dev/null +++ b/lib/chef/resource/openssl_x509_certificate.rb @@ -0,0 +1,164 @@ +# +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require "chef/resource" + +class Chef + class Resource + class OpensslX509Certificate < Chef::Resource + require "chef/mixin/openssl_helper" + include Chef::Mixin::OpenSSLHelper + + resource_name :openssl_x509_certificate + provides(:openssl_x509) { true } + provides(:openssl_x509_certificate) { true } + + property :path, String, name_property: true + + property :owner, [String, nil], + description: "The owner of all files created by the resource." + + property :group, [String, nil], + description: "The group of all files created by the resource." + + property :expire, Integer, default: 365 + property :mode, [Integer, String], default: "0644" + property :country, String + property :state, String + property :city, String + property :org, String + property :org_unit, String + property :common_name, String + property :email, String + property :extensions, Hash, default: {} + property :subject_alt_name, Array, default: [] + property :key_file, String + property :key_pass, String + property :key_type, equal_to: %w{rsa ec}, default: "rsa" + property :key_length, equal_to: [1024, 2048, 4096, 8192], default: 2048 + property :key_curve, equal_to: %w{secp384r1 secp521r1 prime256v1}, default: "prime256v1" + property :csr_file, String + property :ca_cert_file, String + property :ca_key_file, String + property :ca_key_pass, String + + action :create do + unless ::File.exist? new_resource.path + converge_by("Create #{@new_resource}") do + file new_resource.path do + action :create_if_missing + mode new_resource.mode + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + sensitive true + content cert.to_pem + end + + if new_resource.csr_file.nil? + file new_resource.key_file do + action :create_if_missing + mode new_resource.mode + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + sensitive true + content key.to_pem + end + end + end + end + end + + action_class do + def generate_key_file + unless new_resource.key_file + path, file = ::File.split(new_resource.path) + filename = ::File.basename(file, ::File.extname(file)) + new_resource.key_file path + "/" + filename + ".key" + end + new_resource.key_file + end + + def key + @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass) + OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass + elsif new_resource.key_type == "rsa" + gen_rsa_priv_key(new_resource.key_length) + else + gen_ec_priv_key(new_resource.key_curve) + end + @key + end + + def request + request = if new_resource.csr_file.nil? + gen_x509_request(subject, key) + else + OpenSSL::X509::Request.new ::File.read(new_resource.csr_file) + end + request + end + + def subject + subject = OpenSSL::X509::Name.new() + subject.add_entry("C", new_resource.country) unless new_resource.country.nil? + subject.add_entry("ST", new_resource.state) unless new_resource.state.nil? + subject.add_entry("L", new_resource.city) unless new_resource.city.nil? + subject.add_entry("O", new_resource.org) unless new_resource.org.nil? + subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil? + subject.add_entry("CN", new_resource.common_name) + subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil? + subject + end + + def ca_private_key + ca_private_key = if new_resource.csr_file.nil? + key + else + OpenSSL::PKey.read ::File.read(new_resource.ca_key_file), new_resource.ca_key_pass + end + ca_private_key + end + + def ca_info + # Will contain issuer (if any) & expiration + ca_info = {} + + unless new_resource.ca_cert_file.nil? + ca_info["issuer"] = OpenSSL::X509::Certificate.new ::File.read(new_resource.ca_cert_file) + end + ca_info["validity"] = new_resource.expire + + ca_info + end + + def extensions + extensions = gen_x509_extensions(new_resource.extensions) + + unless new_resource.subject_alt_name.empty? + extensions += gen_x509_extensions("subjectAltName" => { "values" => new_resource.subject_alt_name, "critical" => false }) + end + + extensions + end + + def cert + cert = gen_x509_cert(request, extensions, ca_info, ca_private_key) + cert + end + end + end + end +end diff --git a/lib/chef/resource/openssl_x509_request.rb b/lib/chef/resource/openssl_x509_request.rb new file mode 100644 index 0000000000..5357863122 --- /dev/null +++ b/lib/chef/resource/openssl_x509_request.rb @@ -0,0 +1,144 @@ +# +# License:: Apache License, Version 2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +require "chef/resource" + +class Chef + class Resource + class OpensslX509Certificate < Chef::Resource + require "chef/mixin/openssl_helper" + include Chef::Mixin::OpenSSLHelper + + resource_name :openssl_x509_request + provides(:openssl_x509_request) { true } + + property :path, String, name_property: true, + description: "The optional path to write the file to if you'd like to specify it here instead of in the resource name." + + property :owner, [String, nil], + description: "The owner of all files created by the resource." + + property :group, [String, nil], + description: "The group of all files created by the resource." + + property :mode, [Integer, String], default: "0644", + description: "" + + property :country, String, + description: "" + + property :state, String, + description: "" + + property :city, String, + description: "" + + property :org, String, + description: "" + + property :org_unit, String, + description: "" + + property :common_name, String, + required: true, + description: "" + + property :email, String, + description: "" + + property :key_file, String, + description: "" + + property :key_pass, String, + description: "" + + property :key_type, String, + equal_to: %w{rsa ec}, default: "ec", + description: "" + + property :key_length, Integer, + equal_to: [1024, 2048, 4096, 8192], default: 2048, + description: "" + + property :key_curve, String, + equal_to: %w{secp384r1 secp521r1 prime256v1}, default: "prime256v1", + description: "" + + default_action :create + + action :create do + unless ::File.exist? new_resource.path + converge_by("Create CSR #{@new_resource}") do + file new_resource.name do + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + mode new_resource.mode + content csr.to_pem + action :create + end + + file new_resource.key_file do + mode new_resource.mode + owner new_resource.owner unless new_resource.owner.nil? + group new_resource.group unless new_resource.group.nil? + content key.to_pem + sensitive true + action :create_if_missing + end + end + end + end + + action_class do + def generate_key_file + unless new_resource.key_file + path, file = ::File.split(new_resource.path) + filename = ::File.basename(file, ::File.extname(file)) + new_resource.key_file path + "/" + filename + ".key" + end + new_resource.key_file + end + + def key + @key ||= if priv_key_file_valid?(generate_key_file, new_resource.key_pass) + OpenSSL::PKey.read ::File.read(generate_key_file), new_resource.key_pass + elsif new_resource.key_type == "rsa" + gen_rsa_priv_key(new_resource.key_length) + else + gen_ec_priv_key(new_resource.key_curve) + end + @key + end + + def subject + csr_subject = OpenSSL::X509::Name.new() + csr_subject.add_entry("C", new_resource.country) unless new_resource.country.nil? + csr_subject.add_entry("ST", new_resource.state) unless new_resource.state.nil? + csr_subject.add_entry("L", new_resource.city) unless new_resource.city.nil? + csr_subject.add_entry("O", new_resource.org) unless new_resource.org.nil? + csr_subject.add_entry("OU", new_resource.org_unit) unless new_resource.org_unit.nil? + csr_subject.add_entry("CN", new_resource.common_name) + csr_subject.add_entry("emailAddress", new_resource.email) unless new_resource.email.nil? + csr_subject + end + + def csr + gen_x509_request(subject, key) + end + end + end + end +end diff --git a/lib/chef/resources.rb b/lib/chef/resources.rb index 069c35691f..3a4822e8f4 100644 --- a/lib/chef/resources.rb +++ b/lib/chef/resources.rb @@ -66,8 +66,12 @@ require "chef/resource/ohai" require "chef/resource/ohai_hint" require "chef/resource/openbsd_package" require "chef/resource/openssl_dhparam" +require "chef/resource/openssl_ec_private_key" +require "chef/resource/openssl_ec_public_key" require "chef/resource/openssl_rsa_private_key" require "chef/resource/openssl_rsa_public_key" +require "chef/resource/openssl_x509_certificate" +require "chef/resource/openssl_x509_request" require "chef/resource/package" require "chef/resource/pacman_package" require "chef/resource/paludis_package" |