Puppet Function: validate_x509_rsa_key_pair

Defined in:
modules/stdlib/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb
Function type:
Ruby 3.x API

Overview

validate_x509_rsa_key_pair()Any

Validates a PEM-formatted X.509 certificate and RSA private key using OpenSSL. Verifies that the certficate's signature was created from the supplied key.

Fail compilation if any value fails this check.

validate_x509_rsa_key_pair($cert, $key)

Returns:

  • (Any)


5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# File 'modules/stdlib/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb', line 5

newfunction(:validate_x509_rsa_key_pair, :doc => <<-DOC
  Validates a PEM-formatted X.509 certificate and RSA private key using
  OpenSSL. Verifies that the certficate's signature was created from the
  supplied key.

  Fail compilation if any value fails this check.

  validate_x509_rsa_key_pair($cert, $key)

  DOC
           ) do |args|

  require 'openssl'

  NUM_ARGS = 2 unless defined? NUM_ARGS

  unless args.length == NUM_ARGS
    raise Puppet::ParseError,
          "validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})"
  end

  args.each do |arg|
    unless arg.is_a?(String)
      raise Puppet::ParseError, "#{arg.inspect} is not a string."
    end
  end

  begin
    cert = OpenSSL::X509::Certificate.new(args[0])
  rescue OpenSSL::X509::CertificateError => e
    raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
  end

  begin
    key = OpenSSL::PKey::RSA.new(args[1])
  rescue OpenSSL::PKey::RSAError => e
    raise Puppet::ParseError, "Not a valid RSA key: #{e}"
  end

  unless cert.verify(key)
    raise Puppet::ParseError, 'Certificate signature does not match supplied key'
  end
end