[PUP-2995] Allow certificate extensions to be referenced by OID short name Created: 2014/07/31  Updated: 2019/04/04  Resolved: 2014/11/04

Status: Closed
Project: Puppet
Component/s: Docs
Affects Version/s: None
Fix Version/s: PUP 4.0.0

Type: Improvement Priority: Normal
Reporter: Remi Ferrand Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to SERVER-1150 custom_trusted_oid_mapping does not work Closed
relates to PUP-4617 puppet cert list should display long ... Closed
Template:
QA Contact: Eric Thompson

Description

Updated

Currently, manifest authors can access trusted certificate extensions, but must reference the extension by its OID:

if $trusted[extensions]['1.3.6.1.4.1.34380.1.2.1.1'] == 'some_value' { ... }

This feature allows manifest authors to access trusted certificate extensions using a human-friendly shortname:

if $trusted[extensions]['myshortname'] == 'some_value' { ... }

To use this feature, create an OID mapping file on the master in $confdir/custom_trusted_oid_mapping.yaml or override the trusted_oid_mapping_file setting. The OID file should contain (in YAML):

---
oid_mapping:
  1.3.6.1.4.1.34380.1.2.1.1:
    shortname: 'myshortname'
    longname: 'My Long Name'
  1.3.6.1.4.1.34380.1.2.1.2:
    shortname: 'myothershortname'
    longname: 'My Other Long Name'

The referenced OIDs should not conflict with Puppet's own OID range 1.3.6.1.4.1.34380.1.1 (aka ppRegCertExt).

Note that this feature works with any certificate containing extensions, including certificates that were generated and issued prior to 4.0: the mapping only changes how the extension is named in $trusted, not what is in the certificate.
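The following Ruby script is an added illustration of the mapping described above; it is not Puppet's own implementation and does not use Puppet's classes. It loads a mapping file of the documented shape, validates it (rejects OIDs inside the reserved ppRegCertExt arc, missing or duplicate shortnames, and shortnames that themselves look like OIDs), and then rewrites a certificate's extension hash from OID keys to shortname keys, leaving unmapped OIDs keyed by OID exactly as the master does when no mapping file is configured. The mapping YAML, the extension hash and the third unmapped OID are constructed sample values; the function names are this example's own.

```ruby
require 'yaml'

# Puppet's reserved extension arc (ppRegCertExt); custom mappings must not live under it.
PP_REG_CERT_EXT = '1.3.6.1.4.1.34380.1.1'.freeze

# Constructed sample with the same shape as $confdir/custom_trusted_oid_mapping.yaml.
SAMPLE_MAPPING_YAML = <<~YAML
  ---
  oid_mapping:
    1.3.6.1.4.1.34380.1.2.1.1:
      shortname: 'myshortname'
      longname: 'My Long Name'
    1.3.6.1.4.1.34380.1.2.1.2:
      shortname: 'myothershortname'
      longname: 'My Other Long Name'
YAML

# Constructed sample of what the master extracts from an agent's signed certificate,
# keyed by OID. The third OID is deliberately absent from the mapping file.
SAMPLE_EXTENSIONS = {
  '1.3.6.1.4.1.34380.1.2.1.1' => 'somedata',
  '1.3.6.1.4.1.34380.1.2.1.2' => 'someotherdata',
  '1.3.6.1.4.1.34380.1.2.9.9' => 'unmapped',
}.freeze

OID_RE = /\A\d+(\.\d+)+\z/

def reserved_oid?(oid)
  oid == PP_REG_CERT_EXT || oid.start_with?("#{PP_REG_CERT_EXT}.")
end

# Parses the mapping YAML and returns { oid => { 'shortname' => ..., 'longname' => ... } }.
# Raises ArgumentError on anything that would make $trusted[extensions] ambiguous.
def load_oid_mapping(yaml_text)
  doc = YAML.safe_load(yaml_text)
  unless doc.is_a?(Hash) && doc['oid_mapping'].is_a?(Hash)
    raise ArgumentError, 'mapping file must be a hash with an oid_mapping key'
  end
  seen = {} # shortname => oid, to detect two OIDs claiming one name
  doc['oid_mapping'].each_with_object({}) do |(oid, names), map|
    oid = oid.to_s
    raise ArgumentError, "not an OID: #{oid}" unless oid.match?(OID_RE)
    raise ArgumentError, "#{oid} lies in the reserved arc #{PP_REG_CERT_EXT}" if reserved_oid?(oid)
    short = names.is_a?(Hash) ? names['shortname'] : nil
    raise ArgumentError, "no shortname for #{oid}" unless short.is_a?(String) && !short.empty?
    # A shortname that parses as an OID could shadow a real, unmapped extension.
    raise ArgumentError, "shortname #{short} looks like an OID" if short.match?(OID_RE)
    raise ArgumentError, "shortname #{short} used for #{seen[short]} and #{oid}" if seen.key?(short)
    seen[short] = oid
    map[oid] = { 'shortname' => short, 'longname' => names['longname'] }
  end
end

# Rewrites the certificate's extension hash so mapped OIDs appear under their
# shortname; unmapped OIDs stay keyed by OID (the no-mapping-file behaviour).
def resolve_trusted_extensions(extensions, mapping)
  extensions.each_with_object({}) do |(oid, value), out|
    key = mapping.key?(oid) ? mapping[oid]['shortname'] : oid
    out[key] = value
  end
end

if __FILE__ == $PROGRAM_NAME
  mapping = load_oid_mapping(SAMPLE_MAPPING_YAML)
  # Mirrors the "notice $trusted[extensions]" output with and without a mapping file.
  p resolve_trusted_extensions(SAMPLE_EXTENSIONS, mapping)
  p resolve_trusted_extensions(SAMPLE_EXTENSIONS, {})
end
```

Because the shortname lookup is resolved on the master from the agent's signed certificate, a manifest check such as `$trusted[extensions]['myshortname'] == 'some_value'` is exactly as strong as the OID form; the validation in `load_oid_mapping` exists so that a mis-edited mapping file cannot silently make two extensions answer to the same name.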

Original

Hi,

I've been using trusted facts and custom OIDs and I realized that for non puppet-administrators (i.e. puppet users) it could be quite confusing to deal with something like

bare_trusted_oid

if $trusted[extensions]['1.3.6.1.4.1.34380.1.2.1.1'] == 'some_value' { ... }

My proposal is to introduce an external file that could allow puppet administrators to provide a user-friendly mapping like you did for your custom OIDs.

For instance a mapping file such as

example_trusted_oid_mapping_file.yaml

# /etc/puppet/trusted_oid_mapping.yaml
---
oid_mapping:
  - ['1.3.6.1.4.1.34380.1.2.1.1', 'shortname', 'Long name']
  - ['1.3.6.1.4.1.34380.1.2.1.2', 'othershortname', 'Other Long name']

could be used to convert previous test example in something like:

resolved_trusted_oid

if $trusted[extensions][shortname] == 'some_value' { ... }

which is quite more explicit and user-friendly.

I've created a PR for this proposal here :: https://github.com/puppetlabs/puppet/pull/2919.



Comments
Comment by Remi Ferrand [ 2014/08/05 ]

I've just pushed a new version of the code as suggested by Adrien Thebo.

This new version allows puppet administrators to specify the path to the mapping file with parameter trusted_oid_map_file and review could be made here :: https://github.com/ccin2p3/puppet/commit/f082ea12a3535d81354177887bcb32458e28dd66.

Comment by Henrik Lindberg [ 2014/10/15 ]

Merged to master at fa24c6bbc01f5ca9c1daf3fe105649f59aa8d032 with a small touch up of ParseError.

Comment by Josh Cooper [ 2014/11/04 ]

Verified that you can reference certificate extensions using the short name as specified in the custom oid mapping file:

Created attributes.yaml on agent to add permanent extensions:

---
extension_requests:
  1.3.6.1.4.1.34380.1.2.1.1: somedata
  1.3.6.1.4.1.34380.1.2.1.2: someotherdata

Ran agent with csr_attributes option.

$ bundle exec puppet agent -td --server $(bundle exec facter fqdn) --csr_attributes ./attributes.yaml

In site.pp:

notice $trusted[extensions]

In oid.yaml:

---
oid_mapping:
  1.3.6.1.4.1.34380.1.2.1.1:
    shortname: 'myshortname'
    longname: 'My Long Name'
  1.3.6.1.4.1.34380.1.2.1.2:
    shortname: 'myothershortname'
    longname: 'My Other Long Name'

Ran master enabling trusted facts and using oid mapping file, and ran agent:

$ bundle exec puppet master --no-daemonize --dns_alt_names $(bundle exec facter fqdn) --autosign --debug --trusted_node_data --trusted_oid_mapping_file oids.yaml
...
Notice: Scope(Class[main]): {"myshortname"=>"somedata", "myothershortname"=>"someotherdata"}

When the oid mapping file is not specified, extensions are indexed by their oids in the trusted extensions hash:

$ bundle exec puppet master --no-daemonize --dns_alt_names $(bundle exec facter fqdn) --debug --trusted_node_data
...
Notice: Scope(Class[main]): {"1.3.6.1.4.1.34380.1.2.1.1"=>"somedata", "1.3.6.1.4.1.34380.1.2.1.2"=>"someotherdata"}

Also verified the setting is documented:

# man puppet.conf
...
   trusted_oid_mapping_file
       File that provides mapping between custom SSL oids and user-friendly names

   ·   Default: $confdir/custom_trusted_oid_mapping.yaml

Comment by Zach Leslie [ 2015/02/18 ]

Is this documentation planned to make it into a release? Looking at master, it looks like the option is documented, but in 3.7.4 it doesn't seem to be present.

Comment by Zach Leslie [ 2015/02/18 ]

Ah, well looking at the PR has the information I was looking for. Just eagerly awaiting this feature.

Comment by Henrik Lindberg [ 2015/02/18 ]

For DOCS, is what is in this ticket enough?

Comment by Henrik Lindberg [ 2016/02/10 ]

How horrible - there are no unit tests. How could I have let that through :-o

Generated at Mon Aug 10 23:06:40 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.