authorDavid Schmitt <david.schmitt@puppetlabs.com>2016-01-08 11:13:16 +0000
committerDavid Schmitt <david.schmitt@puppetlabs.com>2016-01-08 11:13:16 +0000
commitf875770245d6ce205dbf97f109d323a473d3e249 (patch)
treef0803545baa4ecab654d7f7347754f4b4cdd5621 /lib
parent9cce93054aaeafeddf38fa48d22d5f123b94adff (diff)
parent41f9319bbd96547f9c2226524918e4b748527048 (diff)
Merge pull request #552 from mattbostock/add_x509_rsa_key_pair
Add a function to validate an x509 RSA key pair
Diffstat (limited to 'lib')
-rw-r--r--lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb47
1 files changed, 47 insertions, 0 deletions
diff --git a/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb b/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb
new file mode 100644
index 0000000..fc9f23f
--- /dev/null
+++ b/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb
@@ -0,0 +1,47 @@
+module Puppet::Parser::Functions
+
+ newfunction(:validate_x509_rsa_key_pair, :doc => <<-ENDHEREDOC
+ Validates a PEM-formatted X.509 certificate and RSA private key using
+ OpenSSL. Verifies that the certficate's signature was created from the
+ supplied key.
+
+ Fail compilation if any value fails this check.
+
+ validate_x509_rsa_key_pair($cert, $key)
+
+ ENDHEREDOC
+ ) do |args|
+
+ require 'openssl'
+
+ NUM_ARGS = 2 unless defined? NUM_ARGS
+
+ unless args.length == NUM_ARGS then
+ raise Puppet::ParseError,
+ ("validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})")
+ end
+
+ args.each do |arg|
+ unless arg.is_a?(String)
+ raise Puppet::ParseError, "#{arg.inspect} is not a string."
+ end
+ end
+
+ begin
+ cert = OpenSSL::X509::Certificate.new(args[0])
+ rescue OpenSSL::X509::CertificateError => e
+ raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
+ end
+
+ begin
+ key = OpenSSL::PKey::RSA.new(args[1])
+ rescue OpenSSL::PKey::RSAError => e
+ raise Puppet::ParseError, "Not a valid RSA key: #{e}"
+ end
+
+ unless cert.verify(key)
+ raise Puppet::ParseError, "Certificate signature does not match supplied key"
+ end
+ end
+
+end
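Review bot: `cert.verify(key)` on the new side only succeeds when the certificate is self-signed by the supplied key, so a CA-issued certificate paired with its correct private key fails compilation, which contradicts what the function's name promises. A key-pair check should compare public keys instead, e.g. `unless key.private? && cert.check_private_key(key)` raising `"Certificate public key does not match supplied private key"`; if `check_private_key` is not available on a Ruby version Puppet supports, `cert.public_key.to_der == key.public_key.to_der` is an equivalent comparison. The `key.private?` guard matters because `OpenSSL::PKey::RSA.new` also accepts a PEM-encoded public key, and with the current code a public key alone satisfies `cert.verify`, so the function would report a "pair" without ever seeing the private half. The heredoc also misspells "certficate" and should describe the public-key comparison rather than the signature check once that is changed.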