lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

module Puppet::Parser::Functions

  newfunction(:validate_x509_rsa_key_pair, :doc => <<-ENDHEREDOC
    Validates a PEM-formatted X.509 certificate and RSA private key using
    OpenSSL. Verifies that the certficate's signature was created from the
    supplied key.

    Fail compilation if any value fails this check.

    validate_x509_rsa_key_pair($cert, $key)

    ENDHEREDOC
  ) do |args|

    require 'openssl'

    NUM_ARGS = 2 unless defined? NUM_ARGS

    unless args.length == NUM_ARGS then
      raise Puppet::ParseError,
        ("validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})")
    end

    args.each do |arg|
      unless arg.is_a?(String)
        raise Puppet::ParseError, "#{arg.inspect} is not a string."
      end
    end

    begin
      cert = OpenSSL::X509::Certificate.new(args[0])
    rescue OpenSSL::X509::CertificateError => e
      raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
    end

    begin
      key = OpenSSL::PKey::RSA.new(args[1])
    rescue OpenSSL::PKey::RSAError => e
      raise Puppet::ParseError, "Not a valid RSA key: #{e}"
    end

    unless cert.verify(key)
      raise Puppet::ParseError, "Certificate signature does not match supplied key"
    end
  end

end