48 lines
1.2 KiB
Ruby
48 lines
1.2 KiB
Ruby
module Puppet::Parser::Functions
|
|
|
|
newfunction(:validate_x509_rsa_key_pair, :doc => <<-ENDHEREDOC
|
|
Validates a PEM-formatted X.509 certificate and RSA private key using
|
|
OpenSSL. Verifies that the certficate's signature was created from the
|
|
supplied key.
|
|
|
|
Fail compilation if any value fails this check.
|
|
|
|
validate_x509_rsa_key_pair($cert, $key)
|
|
|
|
ENDHEREDOC
|
|
) do |args|
|
|
|
|
require 'openssl'
|
|
|
|
NUM_ARGS = 2 unless defined? NUM_ARGS
|
|
|
|
unless args.length == NUM_ARGS then
|
|
raise Puppet::ParseError,
|
|
("validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})")
|
|
end
|
|
|
|
args.each do |arg|
|
|
unless arg.is_a?(String)
|
|
raise Puppet::ParseError, "#{arg.inspect} is not a string."
|
|
end
|
|
end
|
|
|
|
begin
|
|
cert = OpenSSL::X509::Certificate.new(args[0])
|
|
rescue OpenSSL::X509::CertificateError => e
|
|
raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
|
|
end
|
|
|
|
begin
|
|
key = OpenSSL::PKey::RSA.new(args[1])
|
|
rescue OpenSSL::PKey::RSAError => e
|
|
raise Puppet::ParseError, "Not a valid RSA key: #{e}"
|
|
end
|
|
|
|
unless cert.verify(key)
|
|
raise Puppet::ParseError, "Certificate signature does not match supplied key"
|
|
end
|
|
end
|
|
|
|
end
|