puppetlabs-stdlib
stdlib::ssl: add new stdlib::ssl functions
@kjetilho pointed out to me recently that validate_x509_rsa_key_pair validates that the certificate is signed by the private key. It doesn't validate that the certificate and key are part of the same key pair. As such I have created two new functions:
- stdlib::ssl::validate_key_pair: This validates that a public pkey and a private pkey are from the same pair.
- stdlib::ssl::extract_pkey: This function extracts the pkey as a pem from an x509 certificate.
As most users will work directly with x509 certificates the expected use case would be:

```puppet
stdlib::ssl::validate_key_pair(
  file('ssl/private/key.pem'),
  stdlib::ssl::extract_pkey(file('ssl/public/key.pem')),
)
```
stdlib::ssl::extract_pkey is a function
that may have no external impact to Forge modules.
stdlib::ssl::validate_key_pair is a function
that may have no external impact to Forge modules.
This module is declared in 318 of 579 indexed public Puppetfiles.
These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.
Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.
FWIW, we've got almost exactly the same 2 functions implemented in one of our (my company's) internal modules. They work great, but hadn't quite got round to submitting them.
One we've called validate_x509_key_match and it either returns or raises a ParseError, the other is called get_rsa_public_key.
I have updated with some feature creep adding a bunch of pem custom types, however I still need to add some tests, and improve the docs.
There seems to be a lot of changes in this PR.
Given that you (@alexjfisher @bastelfreak) have both been active here, what are your thoughts? What can @b4ldr do to move this forward?
@chelnak I did say as soon as the CI pass I can give it another review, but mostly this looks good already.
@bastelfreak thanks. There is a bigger issue with the spec tests that we are going to look into, but I'll take a look at the validation failures tomorrow.
Sorry all, I came down with covid so this got put on the back burner. I should be able to take a new look at this towards the end of the week.
@b4ldr No rush! Take your time and recover! 😄
Hello! 👋
This pull request has been open for a while and has had no recent activity. We've labelled it with attention-needed so that we can get a clear view of which PRs need our attention.
If you are waiting on a response from us we will try and address your comments on a future Community Day.
Alternatively, if it is no longer relevant to you please close the PR with a comment.
Please note that if a pull request receives no update for 7 after it has been labelled, it will be closed. We are always happy to re-open pull requests if they have been closed in error.