(#2848) Rewrite SSL Certificate Factory, fixing subjectAltName leak.
This is a major rewrite of the SSL CertificateFactory, which transforms the
way that we build the certificate we are about to sign in response to a CSR.
The main body of rework is to clean up the code and make it easier to manage
and validate, but there are two essential changes:
- We no longer inject subjectAltName from local certdnsnames configuration option into every certificate we generate. This fixes CVE-2011-3872, and prevents issuing client certificates that can impersonate the master.
- *All* request extensions from the CSR are transported into the final certificate. This includes basicConstraints; we rely on other layers of the Puppet stack having validated the code to this point.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>