Class: Inspec::Resources::X509PrivateKey

Inherits:

Object

• Object
• Inspec::Resources::X509PrivateKey

Defined in:

lib/inspec/resources/x509_private_key.rb

Instance Attribute Summary

• #openssl_utility ⇒ Object readonly

  Resource initialization.

• #passphrase ⇒ Object readonly

  Resource initialization.

• #secret_key_path ⇒ Object readonly

  Resource initialization.

Instance Method Summary

• #encrypted? ⇒ Boolean

  Matcher to check if the given key is encrypted.

• #has_matching_certificate?(cert_file_or_path) ⇒ Boolean

  Matcher to verify if the private key maatches the certificate.

• #initialize(secret_key_path, passphrase = nil) ⇒ X509PrivateKey constructor

  A new instance of X509PrivateKey.

• #to_s ⇒ Object

  Resource appearance in test reports.

• #valid? ⇒ Boolean

  Matcher to check if the given key is valid.

Constructor Details

#initialize(secret_key_path, passphrase = nil) ⇒ X509PrivateKey

Returns a new instance of X509PrivateKey.

# File 'lib/inspec/resources/x509_private_key.rb', line 34

def initialize(secret_key_path, passphrase = nil)
  @openssl_utility = check_openssl_or_error
  @secret_key_path = secret_key_path
  @passphrase = passphrase
end

Instance Attribute Details

#openssl_utility ⇒ Object (readonly)

Resource initialization.

# File 'lib/inspec/resources/x509_private_key.rb', line 32

def openssl_utility
  @openssl_utility
end

#passphrase ⇒ Object (readonly)

Resource initialization.

# File 'lib/inspec/resources/x509_private_key.rb', line 32

def passphrase
  @passphrase
end

#secret_key_path ⇒ Object (readonly)

Resource initialization.

# File 'lib/inspec/resources/x509_private_key.rb', line 32

def secret_key_path
  @secret_key_path
end

Instance Method Details

#encrypted? ⇒ Boolean

Matcher to check if the given key is encrypted.

Returns:

• (Boolean)

Raises:

• (Inspec::Exceptions::ResourceFailed)

# File 'lib/inspec/resources/x509_private_key.rb', line 58

def encrypted?
  raise Inspec::Exceptions::ResourceFailed, "The given secret key #{secret_key_path} does not exist." unless inspec.file(secret_key_path).exist?

  # All encrypted keys have the header of Proc-Type: 4,ENCRYPTED
  key_file = inspec.file(secret_key_path)
  key_file.content =~ /Proc-Type: 4,ENCRYPTED/
end

#has_matching_certificate?(cert_file_or_path) ⇒ Boolean

Matcher to verify if the private key maatches the certificate

Returns:

• (Boolean)

Raises:

• (Inspec::Exceptions::ResourceFailed)

# File 'lib/inspec/resources/x509_private_key.rb', line 67

def has_matching_certificate?(cert_file_or_path)
  cert_hash_cmd = "openssl x509 -noout -modulus -in #{cert_file_or_path} | openssl md5"
  cert_hash = inspec.command(cert_hash_cmd)

  raise Inspec::Exceptions::ResourceFailed, "Executing #{cert_hash_cmd} failed: #{cert_hash.stderr}" if cert_hash.exit_status.to_i != 0

  key_hash_cmd = "openssl rsa -noout -modulus -in #{secret_key_path}"
  passphrase ? key_hash_cmd.concat(" -passin pass:#{passphrase} | openssl md5") : key_hash_cmd.concat(" | openssl md5")
  key_hash = inspec.command(key_hash_cmd)

  raise Inspec::Exceptions::ResourceFailed, "Executing #{key_hash_cmd} failed: #{key_hash.stderr}" if key_hash.exit_status.to_i != 0

  cert_hash.stdout == key_hash.stdout
end

#to_s ⇒ Object

Resource appearance in test reports.

# File 'lib/inspec/resources/x509_private_key.rb', line 41

def to_s
  "x509_private_key"
end

#valid? ⇒ Boolean

Matcher to check if the given key is valid.

Returns:

• (Boolean)

# File 'lib/inspec/resources/x509_private_key.rb', line 46

def valid?
  # Below is the command to check if the key is valid.
  openssl_key_validity_cmd = "#{openssl_utility} rsa -in #{secret_key_path} -check -noout"

  # Additionally, if key is password protected, passphrase needs to be given with -passin argument
  openssl_key_validity_cmd.concat(" -passin pass:#{passphrase}") if passphrase

  openssl_key_validity = inspec.command(openssl_key_validity_cmd)
  openssl_key_validity.exit_status.to_i == 0
end