2 # validate_x509_rsa_key_pair.rb
4 module Puppet::Parser::Functions
5 newfunction(:validate_x509_rsa_key_pair, :doc => <<-DOC
6 Validates a PEM-formatted X.509 certificate and RSA private key using
7 OpenSSL. Verifies that the certficate's signature was created from the
10 Fail compilation if any value fails this check.
12 validate_x509_rsa_key_pair($cert, $key)
19 NUM_ARGS = 2 unless defined? NUM_ARGS
21 unless args.length == NUM_ARGS
22 raise Puppet::ParseError,
23 "validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})"
27 unless arg.is_a?(String)
28 raise Puppet::ParseError, "#{arg.inspect} is not a string."
33 cert = OpenSSL::X509::Certificate.new(args[0])
34 rescue OpenSSL::X509::CertificateError => e
35 raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
39 key = OpenSSL::PKey::RSA.new(args[1])
40 rescue OpenSSL::PKey::RSAError => e
41 raise Puppet::ParseError, "Not a valid RSA key: #{e}"
44 unless cert.verify(key)
45 raise Puppet::ParseError, 'Certificate signature does not match supplied key'