1 module Puppet::Parser::Functions
3 newfunction(:validate_x509_rsa_key_pair, :doc => <<-ENDHEREDOC
4 Validates a PEM-formatted X.509 certificate and RSA private key using
5 OpenSSL. Verifies that the certficate's signature was created from the
8 Fail compilation if any value fails this check.
10 validate_x509_rsa_key_pair($cert, $key)
17 NUM_ARGS = 2 unless defined? NUM_ARGS
19 unless args.length == NUM_ARGS then
20 raise Puppet::ParseError,
21 ("validate_x509_rsa_key_pair(): wrong number of arguments (#{args.length}; must be #{NUM_ARGS})")
25 unless arg.is_a?(String)
26 raise Puppet::ParseError, "#{arg.inspect} is not a string."
31 cert = OpenSSL::X509::Certificate.new(args[0])
32 rescue OpenSSL::X509::CertificateError => e
33 raise Puppet::ParseError, "Not a valid x509 certificate: #{e}"
37 key = OpenSSL::PKey::RSA.new(args[1])
38 rescue OpenSSL::PKey::RSAError => e
39 raise Puppet::ParseError, "Not a valid RSA key: #{e}"
42 unless cert.verify(key)
43 raise Puppet::ParseError, "Certificate signature does not match supplied key"