(PUP-11522) DRY client cert and private key validation

joshcooper · joshcooper · commit e4bb4733ceb4 · 2022-05-10T16:20:07.000-07:00
Add private method to check client cert and private key, and resolve the client
chain (all certs leading to the trusted root).
diff --git a/lib/puppet/ssl/ssl_provider.rb b/lib/puppet/ssl/ssl_provider.rb
@@ -80,15 +80,7 @@ def create_system_context(cacerts:, path: Puppet[:ssl_trust_store], include_clie
       client_cert = cert_provider.load_client_cert(Puppet[:certname], required: false)
 
       if private_key && client_cert
-        client_chain = verify_cert_with_store(store, client_cert)
-
-        if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
-          raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
-        end
-
-        unless client_cert.check_private_key(private_key)
-          raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
-        end
+        client_chain = resolve_client_chain(store, client_cert, private_key)
 
         return Puppet::SSL::SSLContext.new(
           store: store, cacerts: cacerts, crls: [],
@@ -134,15 +126,7 @@ def create_context(cacerts:, crls:, private_key:, client_cert:, revocation: Pupp
     raise ArgumentError, _("Client cert is missing") unless client_cert
 
     store = create_x509_store(cacerts, crls, revocation, include_system_store: include_system_store)
-    client_chain = verify_cert_with_store(store, client_cert)
-
-    if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
-      raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
-    end
-
-    unless client_cert.check_private_key(private_key)
-      raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
-    end
+    client_chain = resolve_client_chain(store, client_cert, private_key)
 
     Puppet::SSL::SSLContext.new(
       store: store, cacerts: cacerts, crls: crls,
@@ -268,6 +252,20 @@ def revocation_mode(mode)
     end
   end
 
+  def resolve_client_chain(store, client_cert, private_key)
+    client_chain = verify_cert_with_store(store, client_cert)
+
+    if !private_key.is_a?(OpenSSL::PKey::RSA) && !private_key.is_a?(OpenSSL::PKey::EC)
+      raise Puppet::SSL::SSLError, _("Unsupported key '%{type}'") % { type: private_key.class.name }
+    end
+
+    unless client_cert.check_private_key(private_key)
+      raise Puppet::SSL::SSLError, _("The certificate for '%{name}' does not match its private key") % { name: subject(client_cert) }
+    end
+
+    client_chain
+  end
+
   def verify_cert_with_store(store, cert)
     # StoreContext#initialize accepts a chain argument, but it's set to [] because
     # puppet requires any intermediate CA certs needed to complete the client's
