gitweb.fluxo.info Git - puppet-stdlib.git/commit

author	Matt Bostock <matt@mattbostock.com>
	Mon, 23 Nov 2015 23:45:23 +0000 (23:45 +0000)
committer	Matt Bostock <matt@mattbostock.com>
	Fri, 8 Jan 2016 11:09:45 +0000 (11:09 +0000)
commit	97320ab42121a10b76c642b8378c82a888148e4b
tree	bf92502d1d5399d8e086be6b39d05552d0911168	tree \| snapshot
parent	ef0c13b1afdd5fd339083015d387d669acd67066	commit \| diff

Add a function to validate an x509 RSA key pair

Add a function to validate an x509 RSA certificate and key pair, as
commonly used for TLS certificates.

The rationale behind this is that we store our TLS certificates and
private keys in Hiera YAML files, and poor indentation or formatting in
the YAML file could cause a valid certificate to be considered invalid.

Will cause the Puppet run to fail if:

- an invalid certificate is detected
- an invalid RSA key is detected
- the certificate does not match the key, i.e. the certificate
  has not been signed by the supplied key

The test certificates I've used in the spec tests were generated using
the Go standard library:

    $ go run $GOROOT/src/crypto/tls/generate_cert.go -host localhost

Example output:

    ==> cache-1.router: Error: Not a valid RSA key: Neither PUB key nor PRIV key:: nested asn1 error at /var/govuk/puppet/modules/nginx/manifests/config/ssl.pp:30 on node cache-1.router.dev.gov.uk

README.markdown		diff \| blob \| history
lib/puppet/parser/functions/validate_x509_rsa_key_pair.rb	[new file with mode: 0644]	blob
spec/functions/validate_x509_rsa_key_pair_spec.rb	[new file with mode: 0755]	blob