require 'puppet/ssl'
# This module defines OIDs for use within Puppet.
#
# == ASN.1 Definition
#
# The following is the formal definition of OIDs specified in this file.
#
# puppetCertExtensions OBJECT IDENTIFIER ::= {iso(1) identified-organization(3)
# dod(6) internet(1) private(4) enterprise(1) 34380 1}
#
# -- the tree under registeredExtensions 'belongs' to puppetlabs
# -- privateExtensions can be extended by enterprises to suit their own needs
# registeredExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 1 }
# privateExtensions OBJECT IDENTIFIER ::= { puppetCertExtensions 2 }
#
# -- subtree of common registered extensions
# -- The short names for these OIDs are intentionally lowercased and formatted
# -- since they may be exposed inside the Puppet DSL as variables.
# pp_uuid OBJECT IDENTIFIER ::= { registeredExtensions 1 }
# pp_instance_id OBJECT IDENTIFIER ::= { registeredExtensions 2 }
# pp_image_name OBJECT IDENTIFIER ::= { registeredExtensions 3 }
# pp_preshared_key OBJECT IDENTIFIER ::= { registeredExtensions 4 }
#
# @api private
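module Puppet::SSL::Oids
  # OIDs registered with OpenSSL at load time: [dotted OID, short name, long name].
  # Short names are what OpenSSL::ASN1::ObjectId later resolves from dotted form.
  PUPPET_OIDS = [
    ["1.3.6.1.4.1.34380", 'puppetlabs', 'Puppet Labs'],
    ["1.3.6.1.4.1.34380.1", 'ppCertExt', 'Puppet Certificate Extension'],
    ["1.3.6.1.4.1.34380.1.1", 'ppRegCertExt', 'Puppet Registered Certificate Extension'],
    ["1.3.6.1.4.1.34380.1.1.1", 'pp_uuid', 'Puppet Node UUID'],
    ["1.3.6.1.4.1.34380.1.1.2", 'pp_instance_id', 'Puppet Node Instance ID'],
    ["1.3.6.1.4.1.34380.1.1.3", 'pp_image_name', 'Puppet Node Image Name'],
    ["1.3.6.1.4.1.34380.1.1.4", 'pp_preshared_key', 'Puppet Node Preshared Key'],
    ["1.3.6.1.4.1.34380.1.2", 'ppPrivCertExt', 'Puppet Private Certificate Extension'],
  ].freeze

  PUPPET_OIDS.each do |oid_defn|
    OpenSSL::ASN1::ObjectId.register(*oid_defn)
  end

  # Parse and load a custom OID mapping file that enables custom OIDs to be
  # resolved into user-friendly names. Each entry is registered with OpenSSL
  # exactly like the built-in PUPPET_OIDS entries.
  #
  # Does nothing when the file does not exist.
  #
  # @param f_map [String] File to obtain custom OIDs mapping from
  #
  # @raise [ParseError] when the file cannot be read/parsed, or is not a mapping
  #   with an 'oid_mapping' sequence
  # @raise [ArgumentError] when an entry cannot be registered with OpenSSL
  #
  # @example Custom OID mapping file
  #   ---
  #   oid_mapping:
  #     - ['1.3.6.1.4.1.34380.1.2.1.1', 'myshortname', 'Long name']
  #     - ['1.3.6.1.4.1.34380.1.2.1.2', 'myothershortname', 'Other Long name']
  def self.load_custom_oid_file(f_map)
    # File.exists? was deprecated and removed in Ruby 3.2; File.exist? is the supported spelling.
    return unless File.exist?(f_map)

    begin
      # NOTE(review): YAML.load_file can instantiate arbitrary Ruby objects on older
      # Psych versions. This file only needs sequences of strings, so YAML.safe_load
      # would suffice if the mapping file is not fully trusted — confirm the minimum
      # supported Psych before switching.
      mapping = YAML.load_file(f_map)
    rescue StandardError => err
      # NOTE(review): `ParseError` is looked up lexically; the compact
      # `module Puppet::SSL::Oids` form does not search `Puppet`, so confirm this
      # constant resolves here (Puppet defines Puppet::ParseError) — otherwise the
      # raise itself fails with NameError.
      raise ParseError, "Error loading custom OIDs mapping file from '#{f_map}': #{err}", err.backtrace
    end

    # An empty document, a scalar or a top-level sequence parses to something that
    # is not a Hash; calling has_key? on it raised NoMethodError instead of the
    # ParseError callers expect. Also require the value to be the documented sequence.
    unless mapping.is_a?(Hash) && mapping['oid_mapping'].is_a?(Array)
      raise ParseError, "Error loading custom OIDs mapping file from '#{f_map}': Invalid format"
    end

    begin
      mapping['oid_mapping'].each do |oid_defn|
        OpenSSL::ASN1::ObjectId.register(*oid_defn)
      end
    rescue StandardError => err
      raise ArgumentError, "Error registering custom OIDs mapping from file '#{f_map}': #{err}", err.backtrace
    end
  end

  # Determine if the first OID contains the second OID.
  #
  # Containment is decided on whole dotted arcs, not on text prefixes: '1.3.6.10'
  # begins with the characters '1.3.6.1' but is not beneath it.
  #
  # @param first [String] The containing OID, in dotted form or as the short name
  # @param second [String] The contained OID, in dotted form or as the short name
  # @param exclusive [true, false] If an OID should not be considered as a subtree of itself
  #
  # @example Comparing two dotted OIDs
  #   Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6.1.4.1') #=> true
  #   Puppet::SSL::Oids.subtree_of?('1.3.6.1', '1.3.6') #=> false
  #
  # @example Comparing an OID short name with a dotted OID
  #   Puppet::SSL::Oids.subtree_of?('IANA', '1.3.6.1.4.1') #=> true
  #   Puppet::SSL::Oids.subtree_of?('1.3.6.1', 'enterprises') #=> true
  #
  # @example Comparing an OID against itself
  #   Puppet::SSL::Oids.subtree_of?('IANA', 'IANA') #=> true
  #   Puppet::SSL::Oids.subtree_of?('IANA', 'IANA', true) #=> false
  #
  # @return [true, false] false as well when either argument is not a resolvable OID
  def self.subtree_of?(first, second, exclusive = false)
    container = OpenSSL::ASN1::ObjectId.new(first).oid
    candidate = OpenSSL::ASN1::ObjectId.new(second).oid
    return false if exclusive && container == candidate

    # The original `candidate.index(container) == 0` was a bare string-prefix test
    # and wrongly reported '1.3.6.10' as being under '1.3.6.1'; requiring either
    # equality or a trailing '.' after the container fixes that arc boundary.
    candidate == container || candidate.start_with?("#{container}.")
  rescue OpenSSL::ASN1::ASN1Error
    false
  end
end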