summaryrefslogtreecommitdiff
path: root/lib/puppet/parser/functions
diff options
context:
space:
mode:
authorDavid Schmitt <david.schmitt@puppetlabs.com>2016-01-08 11:13:16 +0000
committerDavid Schmitt <david.schmitt@puppetlabs.com>2016-01-08 11:13:16 +0000
commitf875770245d6ce205dbf97f109d323a473d3e249 (patch)
treef0803545baa4ecab654d7f7347754f4b4cdd5621 /lib/puppet/parser/functions
parent9cce93054aaeafeddf38fa48d22d5f123b94adff (diff)
parent41f9319bbd96547f9c2226524918e4b748527048 (diff)
Merge pull request #552 from mattbostock/add_x509_rsa_key_pair
Add a function to validate an x509 RSA key pair
Diffstat (limited to 'lib/puppet/parser/functions')
-rw-r--r--lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb47
1 files changed, 47 insertions, 0 deletions
diff --git a/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb b/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb
new file mode 100644
index 0000000..fc9f23f
--- /dev/null
+++ b/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb
@@ -0,0 +1,47 @@
+module Puppet::Parser::Functions
+
+ newfunction(:validate_x509_rsa_key_pair, :doc => <<-ENDHEREDOC
+ Validates a PEM-formatted X.509 certificate and RSA private key using
+ OpenSSL. Verifies that the certficate's signature was created from the
+ supplied key.
+
+ Fail compilation if any value fails this check.
+
+ validate_x509_rsa_key_pair($cert, $key)
+
+ ENDHEREDOC
+ ) do |args|
+
+ require 'openssl'
+
+ NUM_ARGS = 2 unless defined? NUM_ARGS
+
+ unless args.length == NUM_ARGS then
+ raise Puppet::ParseError,
+ ("validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})")
+ end
+
+ args.each do |arg|
+ unless arg.is_a?(String)
+ raise Puppet::ParseError, "#{arg.inspect} is not a string."
+ end
+ end
+
+ begin
+ cert = OpenSSL::X509::Certificate.new(args[0])
+ rescue OpenSSL::X509::CertificateError => e
+ raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
+ end
+
+ begin
+ key = OpenSSL::PKey::RSA.new(args[1])
+ rescue OpenSSL::PKey::RSAError => e
+ raise Puppet::ParseError, "Not a valid RSA key: #{e}"
+ end
+
+ unless cert.verify(key)
+ raise Puppet::ParseError, "Certificate signature does not match supplied key"
+ end
+ end
+
+end