Skip to content
Browse files

Don't allow the creation of SSL objects with invalid certnames

This ensures we catch invalid certnames earlier in the process, such as
when an agent is starting or making a certificate request, rather than
at the very last step of signing the request. This should make for
better error messages to the user.
  • Loading branch information...
1 parent dfedaa5 commit 0144e687b663a9ae170a4cdb55f8dcc1571128ea @nicklewis nicklewis committed Jun 21, 2012
View
8 lib/puppet/ssl/base.rb
@@ -5,6 +5,9 @@ class Puppet::SSL::Base
# For now, use the YAML separator.
SEPARATOR = "\n---\n"
+ # Only allow printing ascii characters, excluding /
+ VALID_CERTNAME = /\A[ -.0-~]+\Z/
+
def self.from_multiple_s(text)
text.split(SEPARATOR).collect { |inst| from_s(inst) }
end
@@ -22,6 +25,10 @@ def self.wrapped_class
@wrapped_class
end
+ def self.validate_certname(name)
+ raise "Certname #{name.inspect} must not contain unprintable or non-ASCII characters" unless name =~ VALID_CERTNAME
+ end
+
attr_accessor :name, :content
# Is this file for the CA?
@@ -35,6 +42,7 @@ def generate
def initialize(name)
@name = name.to_s.downcase
+ self.class.validate_certname(@name)
end
# Read content from disk appropriately.
View
3 lib/puppet/ssl/certificate_authority.rb
@@ -306,8 +306,7 @@ def check_internal_signing_policies(hostname, csr, allow_dns_alt_names)
raise CertificateSigningError.new(hostname), "CSR subject common name #{cn.inspect} does not match expected certname #{hostname.inspect}"
end
- # Only allow printing ascii characters, excluding /
- if hostname !~ /\A[ -.0-~]+\Z/
+ if hostname !~ Puppet::SSL::Base::VALID_CERTNAME
raise CertificateSigningError.new(hostname), "CSR #{hostname.inspect} subject contains unprintable or non-ASCII characters"
end
View
1 lib/puppet/ssl/host.rb
@@ -206,6 +206,7 @@ def generate
def initialize(name = nil)
@name = (name || Puppet[:certname]).downcase
+ Puppet::SSL::Base.validate_certname(@name)
@key = @certificate = @certificate_request = nil
@ca = (name == self.class.ca_name)
end
View
1 spec/unit/network/handler/ca_spec.rb
@@ -31,6 +31,7 @@
Puppet::SSL::CertificateAuthority.stubs(:ca?).returns false
csr = OpenSSL::X509::Request.new
+ csr.subject = OpenSSL::X509::Name.new([["CN", "anything"]])
subject.getcert(csr.to_pem).should == ''
end

0 comments on commit 0144e68

Please sign in to comment.
Something went wrong with that request. Please try again.