From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id C793385C3 for ; Fri, 3 Mar 2023 18:57:42 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A5B661A82B for ; Fri, 3 Mar 2023 18:57:12 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 3 Mar 2023 18:57:11 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 8BC9348DBE for ; Fri, 3 Mar 2023 18:57:11 +0100 (CET) From: Max Carrara To: pve-devel@lists.proxmox.com Date: Fri, 3 Mar 2023 18:57:02 +0100 Message-Id: <20230303175705.214121-2-m.carrara@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230303175705.214121-1-m.carrara@proxmox.com> References: <20230303175705.214121-1-m.carrara@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.035 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pve-devel] [PATCH v2 common 1/2] certificate: add subroutine that checks if cert and key match X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Mar 2023 17:57:42 -0000 This is done here in order to allow other packages to make use of this subroutine. Signed-off-by: Max Carrara --- src/PVE/Certificate.pm | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm index 31a7722..22de762 100644 --- a/src/PVE/Certificate.pm +++ b/src/PVE/Certificate.pm @@ -228,6 +228,47 @@ sub get_certificate_fingerprint { return $fp; } +sub certificate_matches_key { + my ($cert_path, $key_path) = @_; + + die "No certificate path given!\n" if !$cert_path; + die "No certificate key path given!\n" if !$key_path; + + die "Certificate at '$cert_path' does not exist!\n" if ! -e $cert_path; + die "Certificate key '$key_path' does not exist!\n" if ! -e $key_path; + + my $ctx = Net::SSLeay::CTX_new() + or $ssl_die->( + "Failed to create SSL context in order to verify private key" + ); + + eval { + my $filetype = &Net::SSLeay::FILETYPE_PEM; + + Net::SSLeay::CTX_use_PrivateKey_file($ctx, $key_path, $filetype) + or $ssl_die->( + "Failed to load private key from '$key_path' into SSL context" + ); + + Net::SSLeay::CTX_use_certificate_file($ctx, $cert_path, $filetype) + or $ssl_die->( + "Failed to load certificate from '$cert_path' into SSL context" + ); + + Net::SSLeay::CTX_check_private_key($ctx) + or $ssl_die->( + "Failed to validate private key and certificate" + ); + }; + my $err = $@; + + Net::SSLeay::CTX_free($ctx); + + die $err if $err; + + return 1; +} + sub get_certificate_info { my ($cert_path) = @_; -- 2.30.2