Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to generate pkcs12 containing cert and private key #17

Merged
merged 3 commits into from
Sep 3, 2015
Merged

Allow to generate pkcs12 containing cert and private key #17

merged 3 commits into from
Sep 3, 2015

Conversation

Annih
Copy link
Contributor

@Annih Annih commented Sep 2, 2015

Hello,

This is a small PR to allow generation of a p12 file containing both certificate and private key.
Again I tried to add useful tests and a bit of documentation, but let me know if you want me to add more.

@zuazo this one should already follow rubocop normally :)

cc. @aboten

Annih added 2 commits September 2, 2015 15:21
@Annih
Add support for pkcs12
b7853d5 
Add new ssl_certificate attribute to allow PKCS12 file generation:
* `pkcs12_path` set the path to the generated PKCS12 file
* `pkcs12_passphrase` set an optional passphrase on the PKCS12 file
@Annih
Add test for pkcs12 generation
40cf888
zuazo
zuazo reviewed Sep 2, 2015
View reviewed changes
libraries/resource_ssl_certificate_pkcs12.rb
end

def default_pkcs12_passphrase
lazy { read_namespace(%w(pkcs12_passphrase)) }
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need to update the README namespace documentation with these:

| `namespace['pkcs12_path']`                   | Optional PKCS12 full path.
| `namespace['pkcs12_passphrase']`             | Optional PKCS12 passphrase.

@zuazo
Copy link
Owner

zuazo commented Sep 2, 2015

Thanks again @Annih. Your PRs are really complete 😉 Aside from what I've told you about the documentation, everything is perfect.

@Annih Annih force-pushed the pkcs12_generation_support branch from 179c867 to bb0e41d Compare September 3, 2015 08:06
zuazo
zuazo reviewed Sep 3, 2015
View reviewed changes
README.md
@@ -407,6 +409,8 @@ When a namespace is set in the resource, it will try to read the following attri
| `namespace['ssl_chain']['content']` | Intermediate certificate chain content used when reading from attributes.
| `namespace['ca_cert_path']` | Certificate Authority full path.
| `namespace['ca_key_path']` | Key Authority full path.
| `namespace[pkcs12_path']` | Optional PKCS12 full path.
| `namespace[pkcs12_passphrase']` | Optional PKCS12 passphrase.
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opening single quotes are missing here.

@Annih Annih force-pushed the pkcs12_generation_support branch from bb0e41d to 34718d2 Compare September 3, 2015 08:42
@Annih
Copy link
Contributor Author

Annih commented Sep 3, 2015

Sorry, I was not very focus on my last fix =]

@zuazo
Copy link
Owner

zuazo commented Sep 3, 2015

Awesome! Thank you @Annih.

zuazo added a commit that referenced this pull request Sep 3, 2015
@zuazo
Merge pull request #17 from criteo-forks/pkcs12_generation_support
95fa07c 
Allow to generate pkcs12 containing cert and private key
@zuazo zuazo merged commit 95fa07c into zuazo:master Sep 3, 2015
@Annih Annih deleted the pkcs12_generation_support branch September 3, 2015 10:25
zuazo added a commit that referenced this pull request Sep 4, 2015
@zuazo
Fix PKCS12 generation (related to #17)
a634a0c
@zuazo
Copy link
Owner

zuazo commented Sep 4, 2015

It seems that this implementation does not work properly, I tried to fix it in a634a0c. Let me know if I broke something.

@Annih
Copy link
Contributor Author

Annih commented Sep 4, 2015

Hello @zuazo,

What was the issue you tried to fix? I didn't get it with your patch, maybe something wrong with the passphrase?
I let you a comment on your commit, because I think you might have change this behavior.

I won't be able to test, or update the other PR before 16th of september, sorry for the bug :(

@zuazo
Copy link
Owner

zuazo commented Sep 4, 2015

For example, running your kitchen tests gave me the following error:

$ git checkout 95fa07c
HEAD is now at 95fa07c... Merge pull request #17 from criteo-forks/pkcs12_generation_support
$ kitchen test default-debian-78
[...]
       Recipe: ssl_certificate_test::default
         * ssl_certificate[ssl-certificate.local] action create
         Recipe: <Dynamically Defined Resource>
           * file[ssl-certificate.local SSL certificate key] action create
             - create new file /etc/ssl/private/ssl-certificate.local.key
             - update content in file /etc/ssl/private/ssl-certificate.local.key from none to 78c502
             - suppressed sensitive resource
             - change mode from '' to '0600'
             - change owner from '' to 'root'
             - change group from '' to 'root'
           * file[ssl-certificate.local SSL public certificate] action create
             - create new file /etc/ssl/certs/ssl-certificate.local.pem
             - update content in file /etc/ssl/certs/ssl-certificate.local.pem from none to da85aa
             - suppressed sensitive resource
             - change mode from '' to '0644'
             - change owner from '' to 'root'
             - change group from '' to 'root'
           * file[ssl-certificate.local SSL intermediary chain combined certificate] action create
             - create new file /etc/ssl/certs/ssl-certificate.local.pem.chained.pem
             - update content in file /etc/ssl/certs/ssl-certificate.local.pem.chained.pem from none to da85aa
             - suppressed sensitive resource
             - change mode from '' to '0644'
             - change owner from '' to 'root'
             - change group from '' to 'root'

         * file[ssl-certificate.local SSL certificate key] action nothing (skipped due to action :nothing)
         * file[ssl-certificate.local SSL public certificate] action nothing (skipped due to action :nothing)
         * file[ssl-certificate.local SSL intermediary chain combined certificate] action nothing (skipped due to action :nothing)
[...]
-----> Running bats test suite
 ✓ creates dummy1 certificate
 ✓ creates dummy1 certificate key
 ✓ creates dummy2 certificate
 ✓ creates dummy2 certificate key
 ✓ creates dummy3 certificate
 ✓ creates dummy3 certificate key
 ✓ sets dummy4 certificate country
 ✓ creates dummy4 certificate key
 ✓ creates dummy5 certificate from a data bag
 ✓ creates dummy5 certificate key from a data bag
 ✓ creates dummy6 certificate from node attributes
 ✓ creates dummy6 certificate key from node attributes
 ✓ creates dummy8 certificate
 ✓ creates dummy8 certificate key
 ✗ creates dummy8 PKCS12 file
          (in test file /tmp/verifier/suites/bats/certificates.bats, line 99)
            `openssl pkcs12 -in "${CERT_PATH}/dummy8.p12" -noout -passin pass:' failed
          Error opening input file /etc/ssl/certs/dummy8.p12
          /etc/ssl/certs/dummy8.p12: No such file or directory
 ✓ creates the apache2 virtualhost
 ✓ sets default web ssl protocol
 ✓ sets default web ssl cipher suite

As you can see, the PKCS12 was not generated.

Don't worry about it. You have done a great job. Someday I have to refactor the libraries or document them properly because currently it is very difficult to contribute to this cookbook code.

@zuazo
Copy link
Owner

zuazo commented Sep 6, 2015

Released in 1.9.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Annih @zuazo