Puppet Function: validate_x509_rsa_key_pair

Defined in:
vendor_modules/stdlib/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb
Function type:
Ruby 3.x API

Summary

Validates a PEM-formatted X.509 certificate and RSA private key using OpenSSL.

Overview

validate_x509_rsa_key_pair() ⇒ Any

Verifies that the certificate's signature was created from the supplied key.

```validate_x509_rsa_key_pair($cert, $key)```

Returns:

  • (Any)

    Fail compilation if any value fails this check.



# File 'vendor_modules/stdlib/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb', line 7

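# Puppet 3.x parser function: validate_x509_rsa_key_pair($cert, $key).
#
# Both arguments must be PEM-formatted Strings. The certificate is parsed
# with OpenSSL::X509::Certificate and the key with OpenSSL::PKey::RSA;
# wrong arity, a non-String argument, a parse failure or a signature
# mismatch is raised as Puppet::ParseError so that catalog compilation
# fails.
#
# NOTE(review): cert.verify(key) checks the certificate's *signature*
# against the public half of `key`, so it passes only when the
# certificate was signed by that key (a self-signed certificate). A
# CA-issued certificate whose subject public key matches `key` fails this
# check. If "does this private key belong to this certificate" is the
# property callers need, OpenSSL::X509::Certificate#check_private_key is
# the test for that; the signature check is kept here to preserve the
# documented contract.
newfunction(:validate_x509_rsa_key_pair, doc: <<-DOC
  @summary
    Validates a PEM-formatted X.509 certificate and RSA private key using
    OpenSSL.

  Verifies that the certficate's signature was created from the
  supplied key.

  @return
    Fail compilation if any value fails this check.

  ```validate_x509_rsa_key_pair($cert, $key)```

  DOC
) do |args|
  require 'openssl'

  # Expected arity. A block-local instead of `NUM_ARGS = 2 unless
  # defined? NUM_ARGS`, which defined a top-level constant as a side
  # effect of loading this function and could collide with any other
  # file doing the same.
  expected_args = 2

  unless args.length == expected_args
    raise Puppet::ParseError,
          "validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{expected_args})"
  end

  # Reject non-String input before handing it to OpenSSL so the error
  # names the offending value rather than an opaque parser failure.
  args.each do |arg|
    raise Puppet::ParseError, "#{arg.inspect} is not a string." unless arg.is_a?(String)
  end

  begin
    cert = OpenSSL::X509::Certificate.new(args[0])
  rescue OpenSSL::X509::CertificateError => e
    raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
  end

  begin
    key = OpenSSL::PKey::RSA.new(args[1])
  rescue OpenSSL::PKey::RSAError => e
    raise Puppet::ParseError, "Not a valid RSA key: #{e}"
  end

  # verify returns false on a plain signature mismatch but raises
  # OpenSSL::X509::CertificateError when OpenSSL cannot carry out the
  # verification at all (a key type that cannot check the certificate's
  # signature algorithm is one likely cause — confirm against the
  # OpenSSL version in use). Map that to Puppet::ParseError so callers
  # see the same exception class as for every other failure here.
  begin
    signature_ok = cert.verify(key)
  rescue OpenSSL::X509::CertificateError => e
    raise Puppet::ParseError, "Unable to verify certificate signature with supplied key: #{e}"
  end

  unless signature_ok
    raise Puppet::ParseError, 'Certificate signature does not match supplied key'
  end
end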