/usr/share/puppet/modules.available/puppetlabs-stdlib/lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb is in puppet-module-puppetlabs-stdlib 4.14.0-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
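module Puppet::Parser::Functions
  newfunction(:validate_x509_rsa_key_pair, :doc => <<-ENDHEREDOC
    Validates a PEM-formatted X.509 certificate and RSA private key using
    OpenSSL. Verifies that the supplied private key corresponds to the public
    key embedded in the certificate, so the check holds for CA-issued
    certificates as well as self-signed ones.

    Fail compilation if any value fails this check.

    validate_x509_rsa_key_pair($cert, $key)

    ENDHEREDOC
  ) do |args|
    # Loaded lazily so only catalogs that use this function pay for it.
    require 'openssl'

    # Kept as a local on purpose: a constant assigned inside this block lands
    # on Puppet::Parser::Functions, where the first function file loaded
    # would define it for every other function that uses the same name.
    expected_args = 2
    unless args.length == expected_args
      raise Puppet::ParseError,
            "validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{expected_args})"
    end

    # Both arguments must be PEM text; anything else (undef, arrays, hashes)
    # is a caller error rather than an OpenSSL parse error.
    args.each do |arg|
      raise Puppet::ParseError, "#{arg.inspect} is not a string." unless arg.is_a?(String)
    end

    begin
      cert = OpenSSL::X509::Certificate.new(args[0])
    rescue OpenSSL::X509::CertificateError => e
      raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
    end

    # NOTE(review): a passphrase-protected PEM key with no passphrase given may
    # make OpenSSL prompt on a TTY instead of raising — confirm the behaviour
    # for non-interactive compiles before accepting encrypted keys here.
    begin
      key = OpenSSL::PKey::RSA.new(args[1])
    rescue OpenSSL::PKey::RSAError => e
      raise Puppet::ParseError, "Not a valid RSA key: #{e}"
    end

    # check_private_key compares the private key with the certificate's
    # subject public key. cert.verify(key) would instead check the
    # certificate's *signature* against the key, which only succeeds for a
    # self-signed certificate and rejects every CA-issued certificate even
    # when the key is the right one.
    unless cert.check_private_key(key)
      raise Puppet::ParseError, "Certificate does not match supplied private key"
    end
  end
end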