diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
index 91793a1..05d146d 100644
--- a/lib/puppet/provider/x509_cert/openssl.rb
+++ b/lib/puppet/provider/x509_cert/openssl.rb
@@ -57,6 +57,8 @@ def exists?
 end
 def create
+ env = {}
+
 if resource[:csr]
 options = [
 'x509',
@@ -92,9 +94,12 @@ def create
 password = resource[:cakey_password] || resource[:password]
- options << ['-passin', "pass:#{password}"] if password
+ if password
+ options << ['-passin', 'env:CERTIFICATE_PASSIN']
+ env['CERTIFICATE_PASSIN'] = password
+ end
 options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
- openssl options
+ openssl options, environment: env
 end
 def destroy
diff --git a/lib/puppet/provider/x509_request/openssl.rb b/lib/puppet/provider/x509_request/openssl.rb
index 732330a..131bf30 100644
--- a/lib/puppet/provider/x509_request/openssl.rb
+++ b/lib/puppet/provider/x509_request/openssl.rb
@@ -28,6 +28,7 @@ def exists?
 end
 def create
+ env = {}
 options = [
 'req', '-new',
 '-key', resource[:private_key],
@@ -35,10 +36,13 @@ def create
 '-out', resource[:path]
 ]
- options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
+ if resource[:password]
+ options << ['-passin', 'env:CERTIFICATE_PASSIN']
+ env['CERTIFICATE_PASSIN'] = resource[:password]
+ end
 options << ['-nodes'] unless resource[:encrypted]
- openssl options
+ openssl options, environment: env
 end
 def destroy
diff --git a/manifests/export/pem_cert.pp b/manifests/export/pem_cert.pp
index 826fa44..fe5de3f 100644
--- a/manifests/export/pem_cert.pp
+++ b/manifests/export/pem_cert.pp
@@ -44,9 +44,12 @@
 $in_cert = $pfx_cert
 }
- $passin_opt = $in_pass ? {
- undef => [],
- default => ['-nokeys', '-passin', "pass:${in_pass}"],
+ if $in_pass {
+ $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+ $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
+ } else {
+ $passin_opt = []
+ $passin_env = []
 }
 if $ensure == 'present' {
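Review bot: `openssl options, environment: env` only sets the variable if `openssl` is a module-defined wrapper that understands an options hash; if it is the method Puppet generates from `commands openssl: 'openssl'`, every positional argument is forwarded into the argv handed to `Puppet::Util::Execution.execute`, so the trailing hash would reach the binary as a stringified extra argument and `CERTIFICATE_PASSIN` would never be exported (Puppet's own option is spelled `custom_environment:`). Please confirm against the provider's `commands` declaration, which is outside this hunk; if it is the generated method, the call needs to be something like `execute([command(:openssl), *options.flatten], custom_environment: env, failonfail: true)`. Moving the secret out of argv is the right direction: the old `pass:` form was visible to every local user through `ps`, whereas `/proc/<pid>/environ` is readable only by the process owner and root. A one-line comment on the `if password` branch, `# pass the secret via env, never argv: argv is world-readable through ps`, would stop a later cleanup from reverting to `pass:`. The rest of `create` lies between the two hunks.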
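Review bot: As in x509_cert, `openssl options, environment: env` relies on the `openssl` helper accepting an options hash; if it is the `commands`-generated method the hash becomes an argv element and the password never reaches the process, since `Puppet::Util::Execution.execute` takes the environment as `custom_environment:`. The `commands` declaration that decides this is outside the hunk, so please verify it (or the provider spec) before merging. The same `# pass the secret via env, never argv` comment on the `if resource[:password]` branch would be worth adding here too.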
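Review bot: The `else` branch sets `$passin_opt = []`, so with no `$in_pass` the `-nokeys` flag is dropped and, if the PKCS#12 file holds a private key, `openssl pkcs12` writes that key into `${pem_cert}` next to the certificate — a file that is normally world-readable. The spec hunk further down shows `-nokeys` comes only from this variable and not from the base command, so the omission is real; `-nokeys` is about what gets exported, not about the password, and belongs outside the conditional: `$passin_opt = ['-nokeys']` in the `else` branch (or move it into `$cmd`). The old selector had the same gap, but this rewrite is the natural moment to separate the two concerns.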
@@ -62,9 +65,10 @@
 }
 exec { "Export ${in_cert} to ${pem_cert}":
- command => $cmd,
- path => $facts['path'],
- * => $exec_params,
+ command => $cmd,
+ environment => $passin_env
+ path => $facts['path'],
+ * => $exec_params,
 }
 } else {
 file { $pem_cert:
diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
index efbb9e7..390b8b1 100644
--- a/manifests/export/pem_key.pp
+++ b/manifests/export/pem_key.pp
@@ -25,14 +25,20 @@
 Optional[String] $out_pass = undef,
 ) {
 if $ensure == 'present' {
- $passin_opt = $in_pass ? {
- undef => [],
- default => ['-passin', "pass:${in_pass}"],
+ if $in_pass {
+ $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+ $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
+ } else {
+ $passin_opt = []
+ $passin_env = []
 }
- $passout_opt = $out_pass ? {
- undef => ['-nodes'],
- default => ['-passout', "pass:${out_pass}"],
+ if $out_pass {
+ $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+ $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
+ } else {
+ $passout_opt = []
+ $passout_env = []
 }
 $cmd = [
@@ -52,9 +58,10 @@
 }
 exec { "Export ${pfx_cert} to ${pem_key}":
- command => $cmd,
- path => $facts['path'],
- * => $exec_params,
+ command => $cmd,
+ environment => $passin_env + $passout_env,
+ path => $facts['path'],
+ * => $exec_params,
 }
 } else {
 file { $pem_key:
diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
index ea3bace..ccef3f3 100644
--- a/manifests/export/pkcs12.pp
+++ b/manifests/export/pkcs12.pp
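Review bot: `environment => $passin_env` has no trailing comma before `path => $facts['path'],`, so the resource body parses as `$passin_env + path => …` and Puppet rejects the manifest with a syntax error at `=>` (the sibling pem_key.pp hunk does have the comma). Unless the comma was lost in this rendering of the diff, the line should read `environment => $passin_env,`. The updated pem_cert spec in this changeset compiles this exact exec, so running it should surface the error before merge.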
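Review bot: Two regressions in the new `$passin_opt`/`$passout_opt` for the key export: `-nokeys` appears to have been copied from pem_cert.pp, and for this define it tells `openssl pkcs12` to output no private key, so `${pem_key}` would end up without the key it exists to export; and the `$out_pass` else branch replaces the old `['-nodes']` default with `[]`, so without an output password openssl will try to encrypt the key and prompt for a passphrase, which hangs or fails under a non-interactive exec — the old side passed `-nodes` precisely for that. Suggested lines: `$passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']`, `$passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']`, and `$passout_opt = ['-nodes']` in the `$out_pass` else branch. The `$cmd` array these options are appended to starts at the end of the hunk and continues outside it, so I cannot rule out that `-nodes` was moved there; please check.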
@@ -33,14 +33,20 @@
 $full_path = "${basedir}/${name}.p12"
 if $ensure == 'present' {
- $pass_opt = $in_pass ? {
- undef => [],
- default => ['-passin', "pass:${in_pass}"],
+ if $in_pass {
+ $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+ $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
+ } else {
+ $passin_opt = []
+ $passin_env = []
 }
- $passout_opt = $out_pass ? {
- undef => [],
- default => ['-passout', "pass:${out_pass}"],
+ if $out_pass {
+ $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+ $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
+ } else {
+ $passout_opt = []
+ $passout_env = []
 }
 $chain_opt = $chaincert ? {
@@ -55,7 +61,7 @@
 '-out', $full_path,
 '-name', $name,
 '-nodes', '-noiter',
- ] + $chain_opt + $pass_opt + $passout_opt
+ ] + $chain_opt + $passin_opt + $passout_opt
 if $dynamic {
 $exec_params = {
@@ -67,9 +73,10 @@
 }
 exec { "Export ${name} to ${full_path}":
- command => $cmd,
- path => $facts['path'],
- * => $exec_params,
+ command => $cmd,
+ environment => $passin_env + $passout_env,
+ path => $facts['path'],
+ * => $exec_params,
 }
 } else {
 file { $full_path:
diff --git a/spec/defines/openssl_export_pem_cert_spec.rb b/spec/defines/openssl_export_pem_cert_spec.rb
index d5cf277..f04c649 100644
--- a/spec/defines/openssl_export_pem_cert_spec.rb
+++ b/spec/defines/openssl_export_pem_cert_spec.rb
@@ -79,7 +79,8 @@
 it {
 is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
- command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'pass:5r$}^'],
+ command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'env:CERTIFICATE_PASSIN'],
+ environment: ['CERTIFICATE_PASSIN=5r$}^'],
 creates: '/etc/ssl/certs/foo.pem',
 path: '/usr/bin:/bin:/usr/sbin:/sbin'
 )
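Review bot: `-nokeys` in both `$passin_opt` and `$passout_opt` is wrong for this define: the command these are appended to in the next hunk is a PKCS#12 creation (`-name`, `-nodes`, `-noiter` are visible), and per the pkcs12 man page `-nokeys` on output means no private key is written, so a password-protected export would silently produce a `.p12` holding only certificates. The flag looks copied from pem_cert.pp, where it is intended; the old selectors here did not pass it. Suggested lines: `$passin_opt = ['-passin', 'env:CERTIFICATE_PASSIN']` and `$passout_opt = ['-passout', 'env:CERTIFICATE_PASSOUT']`. The `-export` flag itself is outside the hunk, so please double-check the base `$cmd` before applying this.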
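Review bot: Only the pem_cert spec gains an `environment:` expectation here, while pem_key.pp and pkcs12.pp (and both providers) change the same way in this diff; matching expectations for those are not visible in this chunk and may live in files outside it. If they do not exist, the `-nokeys`/`-nodes` changes in pem_key.pp and pkcs12.pp would go untested. A cheap extra guard in each define spec is to assert the secret left the argv entirely, e.g. `expect(catalogue.resource('Exec', 'Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem')[:command].join(' ')).not_to include('5r$}^')`.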