diff options
author | David Schmitt <david.schmitt@puppetlabs.com> | 2016-01-08 11:13:16 +0000 |
---|---|---|
committer | David Schmitt <david.schmitt@puppetlabs.com> | 2016-01-08 11:13:16 +0000 |
commit | f875770245d6ce205dbf97f109d323a473d3e249 (patch) | |
tree | f0803545baa4ecab654d7f7347754f4b4cdd5621 /lib/puppet | |
parent | 9cce93054aaeafeddf38fa48d22d5f123b94adff (diff) | |
parent | 41f9319bbd96547f9c2226524918e4b748527048 (diff) |
Merge pull request #552 from mattbostock/add_x509_rsa_key_pair
Add a function to validate an x509 RSA key pair
Diffstat (limited to 'lib/puppet')
-rw-r--r-- | lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb b/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb new file mode 100644 index 0000000..fc9f23f --- /dev/null +++ b/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb @@ -0,0 +1,47 @@ +module Puppet::Parser::Functions + + newfunction(:validate_x509_rsa_key_pair, :doc => <<-ENDHEREDOC + Validates a PEM-formatted X.509 certificate and RSA private key using + OpenSSL. Verifies that the certficate's signature was created from the + supplied key. + + Fail compilation if any value fails this check. + + validate_x509_rsa_key_pair($cert, $key) + + ENDHEREDOC + ) do |args| + + require 'openssl' + + NUM_ARGS = 2 unless defined? NUM_ARGS + + unless args.length == NUM_ARGS then + raise Puppet::ParseError, + ("validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})") + end + + args.each do |arg| + unless arg.is_a?(String) + raise Puppet::ParseError, "#{arg.inspect} is not a string." + end + end + + begin + cert = OpenSSL::X509::Certificate.new(args[0]) + rescue OpenSSL::X509::CertificateError => e + raise Puppet::ParseError, "Not a valid x509 certificate: #{e}" + end + + begin + key = OpenSSL::PKey::RSA.new(args[1]) + rescue OpenSSL::PKey::RSAError => e + raise Puppet::ParseError, "Not a valid RSA key: #{e}" + end + + unless cert.verify(key) + raise Puppet::ParseError, "Certificate signature does not match supplied key" + end + end + +end |