Commit 72d608b5 authored by Tim Smith's avatar Tim Smith

Allow passing private key content to rsa_public_key resource via property



This allows you to store the key securely and retrieve it however you wish without writing it to disk
Signed-off-by: default avatarTim Smith <tsmith@chef.io>
parent 199efede
......@@ -181,14 +181,21 @@ This resource generates rsa public key files given a private key.
#### Properties
Name | Type | Description
------------------ | ---------------------------- | ---------------------------------------------------------------------------------------------------
`path` | String (Optional) | Optional path to write the file to if you'd like to specify it here instead of in the resource name
`private_key_path` | String | The path to the private key to generate the public key from
`private_key_pass` | String (Optional) | The passphrase of the provided private key
`owner` | String (optional) | The owner of all files created by the resource. _Default: "root"_
`group` | String (optional) | The group of all files created by the resource. _Default: "root or wheel depending on platform"_
`mode` | String or Integer (Optional) | The permission mode of all files created by the resource. _Default: "0640"_
Name | Type | Description
--------------------- | ------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------
`path` | String (Optional) | Optional path to write the file to if you'd like to specify it here instead of in the resource name
`private_key_path` | String (Required unless private_key_content used) | The path to the private key to generate the public key from
`private_key_content` | String (Required unless private_key_path used) | The content of the private key including new lines. Used if you don't want to write a private key to disk and use `private_key_path`.
`private_key_pass` | String (Optional) | The passphrase of the provided private key
`owner` | String (optional) | The owner of all files created by the resource. _Default: "root"_
`group` | String (optional) | The group of all files created by the resource. _Default: "root or wheel depending on platform"_
`mode` | String or Integer (Optional) | The permission mode of all files created by the resource. _Default: "0640"_
**Note**: To use `private_key_content` the private key string must be properly formatted including new lines. The easiest way to get the right string is to run the following from irb (/opt/chefdk/embedded/bin/irb from ChefDK)
```ruby
File.read('/foo/bar/private.pem')
```
#### Example Usage
......
......@@ -25,14 +25,22 @@ module OpenSSLCookbook
dhparam.params_ok?
end
def priv_key_file_valid?(key_file_path, key_password = nil)
# Check if the key file exists
# Verify the key file contains a private key
return false unless ::File.exist?(key_file_path)
key = OpenSSL::PKey::RSA.new File.read(key_file_path), key_password
# given either a key file path or key file content see if it's actually
# a private key
def priv_key_file_valid?(key_file, key_password = nil)
# if the file exists try to read the content
# if not assume we were passed the key and set the string to the content
key_content = ::File.exist?(key_file) ? File.read(key_file) : key_file
begin
key = OpenSSL::PKey::RSA.new key_content, key_password
rescue OpenSSL::PKey::RSAError
return false
end
key.private?
end
# return an array of all valid openssl ciphers on this host
def valid_ciphers
OpenSSL::Cipher.ciphers
end
......@@ -52,8 +60,11 @@ module OpenSSLCookbook
OpenSSL::PKey::RSA.new(key_length)
end
def gen_rsa_pub_key(priv_key_path, priv_key_password = nil)
key = OpenSSL::PKey::RSA.new File.read(priv_key_path), priv_key_password
def gen_rsa_pub_key(priv_key, priv_key_password = nil)
# if the file exists try to read the content
# if not assume we were passed the key and set the string to the content
key_content = ::File.exist?(priv_key) ? File.read(priv_key) : priv_key
key = OpenSSL::PKey::RSA.new key_content, priv_key_password
key.public_key.to_pem
end
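Review bot: `key_content = ::File.exist?(key_file) ? File.read(key_file) : key_file` at L49, and the identical line at L69 in gen_rsa_pub_key, qualify the exist? check with `::File` but leave the read as bare `File.read`; the explicit `::File` on the same line suggests the author wants to avoid Chef's own `File` resource constant, so the read should be `::File.read(key_file)` for consistency (and likewise at L69). The path-or-content detection is now copied verbatim into both methods; a single private helper would keep the two in step, e.g. `def key_material(path_or_pem); ::File.exist?(path_or_pem) ? ::File.read(path_or_pem) : path_or_pem; end` called from both. The heuristic also deserves a one-line comment noting that a PEM string passed as content is first tried as a filename and only treated as the key when no such file exists, since that is the contract callers now rely on. priv_key_file_valid? is now a misnomer given it accepts raw key content; keeping the name is fine for compatibility, but the comment at L44-L45 could say so explicitly.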
......
include OpenSSLCookbook::Helpers
property :path, String, name_property: true
property :private_key_path, String, required: true
property :private_key_pass, String
property :owner, String, default: 'root'
property :group, String, default: node['root_group']
property :mode, [Integer, String], default: '0640'
property :path, String, name_property: true
property :private_key_path, String
property :private_key_content, String
property :private_key_pass, String
property :owner, String, default: 'root'
property :group, String, default: node['root_group']
property :mode, [Integer, String], default: '0640'
action :create do
raise ArgumentError, "You cannot specify both 'private_key_path' and 'private_key_content' properties at the same time." if new_resource.private_key_path && new_resource.private_key_content
raise ArgumentError, "You must specify the private key with either 'private_key_path' or 'private_key_content' properties." unless new_resource.private_key_path || new_resource.private_key_content
converge_by("Create an RSA public key #{new_resource.path} from #{new_resource.private_key_path}") do
raise "#{new_resource.private_key_path} not a valid private RSA key or password is invalid" unless priv_key_file_valid?(new_resource.private_key_path, new_resource.private_key_pass)
raise "#{new_resource.private_key_path} not a valid private RSA key or password is invalid" unless priv_key_file_valid?((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass)
rsa_key_content = gen_rsa_pub_key(new_resource.private_key_path, new_resource.private_key_pass)
rsa_key_content = gen_rsa_pub_key((new_resource.private_key_path || new_resource.private_key_content), new_resource.private_key_pass)
file new_resource.path do
action :create
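Review bot: When `private_key_content` is used, `new_resource.private_key_path` is nil, so the converge_by description at L91 and the raise messages at L93 render with an empty source (`… from ` and ` not a valid private RSA key …`). Bind a fixed label first, `key_source = new_resource.private_key_path || 'private_key_content'`, and interpolate `key_source` in those messages instead of `private_key_path`; keep it a label rather than the content itself so the PEM never reaches the converge log or exception text. The new mutual-exclusion checks at L89-L90 sit before converge_by, which is the right place, while the validity check at L93 still runs inside converge_by's block — if I read converge_by right, that block is not executed under why-run, so an invalid key or passphrase would go unreported there; hoisting the check up beside the ArgumentError raises would close that gap. The `action :create` block continues past the end of the hunk.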
......
......@@ -76,6 +76,12 @@ openssl_rsa_public_key '/etc/ssl_test/rsakey_des3.pub' do
action :create
end
openssl_rsa_public_key '/etc/ssl_test/rsakey_2.pub' do
private_key_pass 'something'
private_key_content "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,5EE0AE9A5FE3342E\n\nyb930kj5/4/nd738dPx6XdbDrMCvqkldaz0rHNw8xsWvwARrl/QSPwROG3WY7ROl\nEUttVlLaeVaqRPfQbmTUfzGI8kTMmDWKjw52gJUx2YJTYRgMHAB0dzYIRjeZAaeS\nypXnEfouVav+jKTmmehr1WuVKbzRhQDBSalzeUwsPi2+fb3Bfuo1dRW6xt8yFuc4\nAkv1hCglymPzPHE2L0nSGjcgA2DZu+/S8/wZ4E63442NHPzO4VlLvpNvJrYpEWq9\nB5mJzcdXPeOTjqd13olNTlOZMaKxu9QShu50GreCTVsl8VRkK8NtwbWuPGBZlIFa\njzlS/RaLuzNzfajaKMkcIYco9t7gN2DwnsACHKqEYT8248Ii3NQ+9/M5YcmpywQj\nWGr0UFCSAdCky1lRjwT+zGQKohr+dVR1GaLem+rSZH94df4YBxDYw4rjsKoEhvXB\nv2Vlx+G7Vl2NFiZzxUKh3MvQLr/NDElpG1pYWDiE0DIG13UqEG++cS870mcEyfFh\nSF2SXYHLWyAhDK0viRDChJyFMduC4E7a2P9DJhL3ZvM0KZ1SLMwROc1XuZ704GwO\nYUqtCX5OOIsTti1Z74jQm9uWFikhgWByhVtu6sYL1YTqtiPJDMFhA560zp/k/qLO\nFKiM4eUWV8AI8AVwT6A4o45N2Ru8S48NQyvh/ADFNrgJbVSeDoYE23+DYKpzbaW9\n00BD/EmUQqaQMc670vmI+CIdcdE7L1zqD6MZN7wtPaRIjx4FJBGsFoeDShr+LoTD\nrwbadwrbc2Rf4DWlvFwLJ4pvNvdtY3wtBu79UCOol0+t8DVVSPVASsh+tp8XncDE\nKRljj88WwBjX7/YlRWvQpe5y2UrsHI0pNy8TA1Xkf6GPr6aS2TvQD5gOrAVReSse\n/kktCzZQotjmY1odvo90Zi6A9NCzkI4ZLgAuhiKDPhxZg61IeLppnfFw0v3H4331\nV9SMYgr1Ftov0++x7q9hFPIHwZp6NHHOhdHNI80XkHqtY/hEvsh7MhFMYCgSY1pa\nK/gMcZ/5Wdg9LwOK6nYRmtPtg6fuqj+jB3Rue5/p9dt4kfom4etCSeJPdvP1Mx2I\neNmyQ/7JN9N87FsfZsIj5OK9OB0fPdj0N0m1mlHM/mFt5UM5x39u13QkCt7skEF+\nyOptXcL629/xwm8eg4EXnKFk330WcYSw+sYmAQ9ZTsBxpCMkz0K4PBTPWWXx63XS\nc4J0r88kbCkMCNv41of8ceeGzFrC74dG7i3IUqZzMzRP8cFeps8auhweUHD2hULs\nXwwtII0YQ6/Fw4hgGQ5//0ASdvAicvH0l1jOQScHzXC2QWNg3GttueB/kmhMeGGm\nsHOJ1rXQ4oEckFvBHOvzjP3kuRHSWFYDx35RjWLAwLCG9odQUApHjLBgFNg9yOR0\njW9a2SGxRvBAfdjTa9ZBBrbjlaF57hq7mXws90P88RpAL+xxCAZUElqeW2Rb2rQ6\nCbz4/AtPekV1CYVodGkPutOsew2zjNqlNH+M8XzfonA60UAH20TEqAgLKwgfgr+a\nc+rXp1AupBxat4EHYJiwXBB9XcVwyp5Z+/dXsYmLXzoMOnp8OFyQ9H8R7y9Y0PEu\n-----END RSA PRIVATE KEY-----\n"
action :create
end
#
# X509 HERE
#
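Review bot: The `private_key_content` literal added for `/etc/ssl_test/rsakey_2.pub` commits a full (passphrase-protected) RSA private key into the test recipe with its passphrase on the line above, which secret scanners will flag and which is easy to mistake for real key material later. A comment immediately above the resource, `# throwaway test-only key; generated for this recipe and never used elsewhere`, would make its status clear, and generating the key in the test setup (or reading it from an existing test fixture file via `File.read`) would avoid embedding it in the recipe at all. The `openssl_rsa_public_key` block is complete within the hunk.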
......