Jira (PUP-10234) Add ppAuthCertExt to custom_extensions


Christopher Thorn (JIRA)

Jan 14, 2020, 2:14:04 PM
to puppe...@googlegroups.com
Christopher Thorn created an issue
 
Puppet / Task PUP-10234
Add ppAuthCertExt to custom_extensions
Issue Type: Task
Assignee: Unassigned
Created: 2020/01/14 11:13 AM
Priority: Normal
Reporter: Christopher Thorn

The custom_extensions method allows certificate extensions to be accessed in a manifest.
PUP-6258 introduced a new OID that was never added to the custom_extensions method.
This is causing what is documented here.

You can access certificate extensions in manifests as $trusted["extensions"]["<EXTENSION OID>"].
Select OIDs in the ppRegCertExt and ppAuthCertExt ranges.

Currently, ppRegCertExt can be accessed in the manifest via $trusted['extension'], but ppAuthCertExt cannot.


Melissa Stone (JIRA)

Jan 14, 2020, 5:29:04 PM
to puppe...@googlegroups.com
Melissa Stone assigned an issue to Melissa Stone
Change By: Melissa Stone
Assignee: Melissa Stone

Melissa Stone (JIRA)

Jan 14, 2020, 5:30:05 PM
to puppe...@googlegroups.com
Melissa Stone updated an issue
Change By: Melissa Stone
Sprint: Platform Core KANBAN

Melissa Stone (JIRA)

Jan 14, 2020, 6:27:04 PM
to puppe...@googlegroups.com
Melissa Stone commented on Task PUP-10234
 
Re: Add ppAuthCertExt to custom_extensions

It looks like the documentation is correct for the expected results, but I just wanted to check to confirm https://puppet.com/docs/puppet/6.10/ssl_attributes_extensions.html doesn't need any updates to go along with this change.

Melissa Stone (JIRA)

Jan 14, 2020, 6:39:05 PM
to puppe...@googlegroups.com
Melissa Stone updated an issue
Change By: Melissa Stone
Fix Version/s: PUP 6.12.0
Fix Version/s: PUP 6.4.z
Fix Version/s: PUP 5.5.z

Melissa Stone (JIRA)

Jan 14, 2020, 6:41:04 PM
to puppe...@googlegroups.com
Melissa Stone updated an issue
Change By: Melissa Stone
Fix Version/s: PUP 6.4.z
Fix Version/s: PUP 5.5.z
Fix Version/s: PUP 6.4.5
Fix Version/s: PUP 5.5.18

Josh Cooper (JIRA)

Jan 14, 2020, 8:11:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.12.0
Fix Version/s: PUP 6.4.5
Fix Version/s: PUP 5.5.18
Fix Version/s: PUP 6.13.0
Fix Version/s: PUP 6.4.6
Fix Version/s: PUP 5.5.19

Josh Cooper (JIRA)

Jan 14, 2020, 10:45:03 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

Jan 14, 2020, 10:45:05 PM
to puppe...@googlegroups.com

Maggie Dreyer (JIRA)

Jan 15, 2020, 10:59:05 AM
to puppe...@googlegroups.com

Josh Cooper, yeah, I guess we do. I'd forgotten we had to duplicate that. I think we were hoping to be able to remove it from Puppet, but then of course they're needed agent-side.

Josh Cooper (JIRA)

Jan 15, 2020, 12:23:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Task PUP-10234

Passed 5.5.x in ef456ef2ca

Melissa Stone (JIRA)

Jan 15, 2020, 1:29:04 PM
to puppe...@googlegroups.com
Melissa Stone updated an issue
Change By: Melissa Stone
Release Notes Summary: This commit adds the missing ppAuthCertExt oid and updates docs to reference it.
Release Notes: Bug Fix

Josh Cooper (JIRA)

Jan 16, 2020, 12:29:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Task PUP-10234

Passed master in ea14629e0f1d

Christopher Thorn (JIRA)

Jan 21, 2020, 12:24:05 PM
to puppe...@googlegroups.com
Christopher Thorn updated an issue
Change By: Christopher Thorn
Attachment: genteel-drift.delivery.puppetlabs.net.pem

Josh Cooper (JIRA)

Jan 21, 2020, 9:23:04 PM
to puppe...@googlegroups.com
Josh Cooper commented on Task PUP-10234

Puppet is correctly embedding the certificate extension and will return it provided the oids have been registered:

[root@ornate-micelle ~]# /opt/puppetlabs/puppet/bin/irb
irb(main):001:0> require 'puppet'
=> true
irb(main):002:0> Puppet.initialize_settings
=> [:debug, :info, :notice, :warning, :err, :alert, :emerg, :crit]
irb(main):003:0> x509 = Puppet::SSL::Certificate.from_s(File.read('/etc/puppetlabs/puppet/ssl/certs/ornate-micelle.delivery.puppetlabs.net.pem'))
=> #<Puppet::SSL::Certificate:0x0000000001de4d78 @name="ornate-micelle.delivery.puppetlabs.net", @content=#<OpenSSL::X509::Certificate: subject=#<OpenSSL::X509::Name CN=ornate-micelle.delivery.puppetlabs.net>, issuer=#<OpenSSL::X509::Name CN=Puppet Enterprise CA generated at +2020-01-21 16:43:52 +0000>, serial=#<OpenSSL::BN:0x0000000001de4968>, not_before=2020-01-21 01:43:17 UTC, not_after=2025-01-20 01:43:17 UTC>>
irb(main):004:0> x509.custom_extensions
=> []
irb(main):005:0> Puppet::SSL::Oids.register_puppet_oids
=> true
irb(main):006:0> x509.custom_extensions
=> [{"oid"=>"pp_auth_role", "value"=>"taketwo"}]

However, the problem is puppetserver provides its own Certificate class which doesn't have the same change that we made. https://github.com/puppetlabs/puppetserver/blob/master/src/ruby/puppetserver-lib/puppet/server/certificate.rb#L46-L49.

Given that, I'm going to close this as resolved. I'll file a separate SERVER ticket.
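Added example, not code from the ticket or from Puppet itself, that reproduces the behaviour Josh's irb session shows using plain Ruby OpenSSL: a constructed self-signed certificate carrying one ppRegCertExt and one ppAuthCertExt extension is filtered first with the pre-fix arc list (ppRegCertExt and ppPrivCertExt only), which silently drops pp_auth_role, then with the fixed list, and registering the OIDs changes what Extension#oid reports from dotted notation to the short name. The three OID arcs are Puppet's published assignments; the function names, the constructed certificate and the sample values are assumptions.

```ruby
require 'openssl'

# Puppet's published extension arcs: ppRegCertExt, ppPrivCertExt, ppAuthCertExt.
PP_REG_CERT_EXT  = '1.3.6.1.4.1.34380.1.1'.freeze
PP_PRIV_CERT_EXT = '1.3.6.1.4.1.34380.1.2'.freeze
PP_AUTH_CERT_EXT = '1.3.6.1.4.1.34380.1.3'.freeze
# Before the fix only the first two arcs were matched; the fix adds ppAuthCertExt.
PRE_FIX_ARCS = [PP_REG_CERT_EXT, PP_PRIV_CERT_EXT].freeze
FIXED_ARCS   = (PRE_FIX_ARCS + [PP_AUTH_CERT_EXT]).freeze

# Hypothetical stand-in for Puppet::SSL::Oids.register_puppet_oids: once OpenSSL knows
# the short names, Extension#oid reports 'pp_auth_role' instead of the dotted OID.
def register_puppet_oids
  { "#{PP_REG_CERT_EXT}.13" => 'pp_role', "#{PP_AUTH_CERT_EXT}.13" => 'pp_auth_role' }.each do |oid, sn|
    next if OpenSSL::ASN1::ObjectId.new(oid).sn # already registered in this process
    OpenSSL::ASN1::ObjectId.register(oid, sn, sn)
  end
end

# [{'oid' => ..., 'value' => ...}] for each extension under one of the given arcs. The
# subtree test uses the numeric OID taken from the extension's DER, so it does not depend
# on registration; the value is the DER-encoded string in the extension, decoded to text.
def custom_extensions(cert, arcs)
  cert.extensions.map do |ext|
    oid, octets = OpenSSL::ASN1.decode(ext.to_der).value.values_at(0, -1)
    next unless arcs.any? { |arc| oid.oid.start_with?("#{arc}.") }
    { 'oid' => ext.oid, 'value' => OpenSSL::ASN1.decode(octets.value).value }
  end.compact
end

# Constructed sample: a self-signed certificate carrying pp_role and pp_auth_role.
def sample_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  { "#{PP_REG_CERT_EXT}.13" => 'webserver', "#{PP_AUTH_CERT_EXT}.13" => 'taketwo' }.each do |oid, val|
    cert.add_extension(OpenSSL::X509::Extension.new(oid, OpenSSL::ASN1::UTF8String.new(val).to_der))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

if __FILE__ == $0
  cert = sample_cert
  p custom_extensions(cert, PRE_FIX_ARCS) # pp_auth_role silently dropped
  p custom_extensions(cert, FIXED_ARCS)   # both entries, as dotted OIDs
  register_puppet_oids
  p custom_extensions(cert, FIXED_ARCS)   # both entries, as short names
end
```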

Kate Medred (JIRA)

Feb 18, 2020, 12:13:06 PM
to puppe...@googlegroups.com
Kate Medred updated an issue
Change By: Kate Medred
Labels: resolved-issue-added