
Allow certificate extensions to be referenced by OID short name

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: PUP 4.0.0
    • Component/s: Docs
    • Labels:
      None

      Description

      Updated

      Currently, manifest authors can access trusted certificate extensions, but must reference the extension by its OID:

      if $trusted[extensions]['1.3.6.1.4.1.34380.1.2.1.1'] == 'some_value' { ... }
      

      This feature allows manifest authors to access trusted certificate extensions using a human friendly shortname:

      if $trusted[extensions]['myshortname'] == 'some_value' { ... }
      

      To use this feature, create an OID mapping file on the master in $confdir/custom_trusted_oid_mapping.yaml or override the trusted_oid_mapping_file setting. The OID file should contain (in YAML):

      ---
      oid_mapping:
        1.3.6.1.4.1.34380.1.2.1.1:
          shortname: 'myshortname'
          longname: 'My Long Name'
        1.3.6.1.4.1.34380.1.2.1.2:
          shortname: 'myothershortname'
          longname: 'My Other Long Name'
      

      The referenced OIDs should not conflict with Puppet's own OID range 1.3.6.1.4.1.34380.1.1 (aka ppRegCertExt).

      Note that this feature works with any certificate containing extensions, including certificates that were generated and issued prior to 4.0.

      Original

      Hi,

      I've been using trusted facts and custom OIDs and I realized that for non puppet-administrators (i.e. puppet users) it could be quite confusing to deal with something like

      bare_trusted_oid

      if $trusted[extensions]['1.3.6.1.4.1.34380.1.2.1.1'] == 'some_value' { ... }
      

      My proposal is to introduce an external file that could allow puppet administrators to provide a user-friendly mapping like you did for your custom OIDs.

      For instance a mapping file such as

      example_trusted_oid_mapping_file.yaml

      # /etc/puppet/trusted_oid_mapping.yaml
      ---
      oid_mapping:
        - ['1.3.6.1.4.1.34380.1.2.1.1', 'shortname', 'Long name']
        - ['1.3.6.1.4.1.34380.1.2.1.2', 'othershortname', 'Other Long name']
      

      could be used to convert the previous example into something like:

      resolved_trusted_oid

      if $trusted[extensions][shortname] == 'some_value' { ... }
      

      which is much more explicit and user-friendly.

      I've created a PR for this proposal here: https://github.com/puppetlabs/puppet/pull/2919.
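      The mapping and lookup described in this issue, carried through as an added Ruby example (this is not Puppet's code): it loads either the hash layout from the updated description or the list-of-triples layout from the original proposal, rejects entries whose OID lies inside the ppRegCertExt arc or which reuse a short name, and builds the table a manifest would query as $trusted['extensions']. The constant names, the load_oid_mapping and resolve_extensions helpers, and the sample extension values are constructed for this example; keeping both the OID key and the short-name key in the resolved table is this example's choice, not a statement about Puppet's implementation.

```ruby
require 'yaml'

# Constructed sample in the hash layout from the updated description (not a Puppet file).
HASH_STYLE_MAPPING = <<~YAML
  ---
  oid_mapping:
    1.3.6.1.4.1.34380.1.2.1.1:
      shortname: 'myshortname'
      longname: 'My Long Name'
    1.3.6.1.4.1.34380.1.2.1.2:
      shortname: 'myothershortname'
      longname: 'My Other Long Name'
YAML

# Constructed sample in the list-of-triples layout from the original proposal.
LIST_STYLE_MAPPING = <<~YAML
  ---
  oid_mapping:
    - ['1.3.6.1.4.1.34380.1.2.1.1', 'shortname', 'Long name']
    - ['1.3.6.1.4.1.34380.1.2.1.2', 'othershortname', 'Other Long name']
YAML

# Puppet's registered extension arc (ppRegCertExt); custom mappings must stay out of it.
PP_REG_CERT_EXT = '1.3.6.1.4.1.34380.1.1'

# Dotted-decimal OID: at least two numeric components.
OID_RE = /\A\d+(\.\d+)+\z/

# True when +oid+ equals +arc+ or is a descendant of it. The trailing dot matters:
# 1.3.6.1.4.1.34380.1.10 is NOT inside 1.3.6.1.4.1.34380.1.1.
def oid_in_arc?(oid, arc)
  oid == arc || oid.start_with?("#{arc}.")
end

# Normalise either YAML layout into { oid => { 'shortname' => ..., 'longname' => ... } },
# rejecting malformed OIDs, OIDs inside ppRegCertExt and duplicate short names.
def load_oid_mapping(yaml_text)
  raw = YAML.safe_load(yaml_text).fetch('oid_mapping')
  entries =
    case raw
    when Hash  then raw.map { |oid, names| [oid.to_s, names.fetch('shortname'), names.fetch('longname')] }
    when Array then raw.map { |oid, short, long| [oid.to_s, short, long] }
    else raise ArgumentError, 'oid_mapping must be a hash or a list'
    end

  seen_short = {}
  entries.each_with_object({}) do |(oid, short, long), map|
    raise ArgumentError, "#{oid} is not a dotted-decimal OID" unless oid.match?(OID_RE)
    raise ArgumentError, "#{oid} lies inside Puppet's reserved arc #{PP_REG_CERT_EXT}" if oid_in_arc?(oid, PP_REG_CERT_EXT)
    raise ArgumentError, "short name #{short} is mapped to both #{seen_short[short]} and #{oid}" if seen_short.key?(short)
    seen_short[short] = oid
    map[oid] = { 'shortname' => short, 'longname' => long }
  end
end

# Build the lookup table a manifest would see: raw OID keys stay available and each
# mapped OID that the certificate actually carries also answers to its short name.
def resolve_extensions(raw_extensions, mapping)
  resolved = raw_extensions.dup
  mapping.each do |oid, names|
    resolved[names['shortname']] = raw_extensions[oid] if raw_extensions.key?(oid)
  end
  resolved
end

if __FILE__ == $PROGRAM_NAME
  mapping = load_oid_mapping(HASH_STYLE_MAPPING)
  # Constructed extension values, standing in for what a signed agent certificate carries.
  ext = resolve_extensions({ '1.3.6.1.4.1.34380.1.2.1.1' => 'some_value' }, mapping)
  puts "myshortname => #{ext['myshortname'].inspect}"
  puts "myothershortname => #{ext['myothershortname'].inspect}" # nil: not in this certificate
end
```

      The duplicate-short-name check is the part worth keeping when building a real mapping file: two OIDs sharing one short name would make a manifest comparison such as $trusted[extensions]['myshortname'] == 'some_value' depend on load order rather than on what the certificate says.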

                People

                • Assignee:
                  Unassigned
                • Reporter:
                  Remi Ferrand (remi.ferrand)
                • QA Contact:
                  Eric Thompson