key_rsa
Use the key_rsa
Chef InSpec audit resource to test RSA public/private keypairs.
This resource is mainly useful when used in conjunction with the x509_certificate resource but it can also be used for checking SSH keys.
Availability
Installation
This resource is distributed along with Chef InSpec itself. You can use it automatically.
Version
This resource first became available in v1.18.0 of InSpec.
Syntax
An key_rsa
resource block declares a key file
to be tested.
describe key_rsa('mycertificate.key') do
it { should be_private }
it { should be_public }
its('public_key') { should match "-----BEGIN PUBLIC KEY-----\n3597459df9f3982" }
its('key_length') { should eq 2048 }
end
You can use an optional passphrase with key_rsa
describe key_rsa('mycertificate.key', 'passphrase') do
it { should be_private }
end
Properties
public_key
,private_key
,key_length
Property Examples
public_key (String)
The public_key
property returns the public part of the RSA key pair
describe key_rsa('/etc/pki/www.mywebsite.com.key') do
its('public_key') { should match "-----BEGIN PUBLIC KEY-----\n3597459df9f3982......" }
end
private_key (String)
The private_key
property returns the private key or the RSA key pair.
describe key_rsa('/etc/pki/www.mywebsite.com.key') do
its('private_key') { should match "-----BEGIN RSA PRIVATE KEY-----\nMIIJJwIBAAK......" }
end
key_length
The key_length
property allows testing the number of bits in the key pair.
describe key_rsa('/etc/pki/www.mywebsite.com.key') do
its('key_length') { should eq 2048 }
end
Matchers
For a full list of available matchers, please visit our matchers page.
public?
To verify if a key is public use the following:
describe key_rsa('/etc/pki/www.mywebsite.com.key') do
it { should be_public }
end
private?
This property verifies that the key includes a private key:
describe key_rsa('/etc/pki/www.mywebsite.com.key') do
it { should be_private }
end