diff --git a/lib/fog/aws/requests/iam/upload_server_certificate.rb b/lib/fog/aws/requests/iam/upload_server_certificate.rb index 0fde3858c..4f7927871 100644 --- a/lib/fog/aws/requests/iam/upload_server_certificate.rb +++ b/lib/fog/aws/requests/iam/upload_server_certificate.rb @@ -51,6 +51,9 @@ module Fog # Validate cert and key begin + # must be an RSA private key + raise OpenSSL::PKey::RSAError unless private_key =~ /BEGIN RSA PRIVATE KEY/ + cert = OpenSSL::X509::Certificate.new(certificate) chain = OpenSSL::X509::Certificate.new(options['CertificateChain']) if options['CertificateChain'] key = OpenSSL::PKey::RSA.new(private_key) diff --git a/tests/aws/requests/iam/helper.rb b/tests/aws/requests/iam/helper.rb index 80942bb8c..7a4ca3017 100644 --- a/tests/aws/requests/iam/helper.rb +++ b/tests/aws/requests/iam/helper.rb 
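Review bot: The guard `private_key =~ /BEGIN RSA PRIVATE KEY/` is an unanchored substring test, so any input that merely contains that text gets past it, wherever the text appears. The new test implies `OpenSSL::PKey::RSA.new` also parses PKCS#8, which would make this regex the only thing separating the two encodings, so I would tie it to the PEM header line: `raise OpenSSL::PKey::RSAError unless private_key =~ /^-----BEGIN RSA PRIVATE KEY-----\s*$/`. The comment is also more accurate as `# must be PEM in the traditional "RSA PRIVATE KEY" form; PKCS#8 "PRIVATE KEY" is rejected`, since a PKCS#8 key can still be an RSA key. The `begin` block's `rescue` lies outside the hunk, so how `RSAError` becomes the caller-facing error is not visible here.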
@@ -41,6 +41,25 @@ c0AQtoYBTJePxiYyd8i32ypkkK83ar+sFoxKO9jYwD1IkZax2xZ0aoTdMindQPR7 Yjs+QiLmOHcbPqX+GHcCQERsSn0RjzKmKirDntseMB59BB/cEN32+gMDVsZuCfb+ fOy2ZavFl13afnhbh2/AjKeDhnb19x/uXjF7JCUtwpA= -----END RSA PRIVATE KEY----- +} + + # openssl pkcs8 -nocrypt -topk8 -in SERVER_CERT_PRIVATE_KEY.key -outform pem + SERVER_CERT_PRIVATE_KEY_PKCS8 = %{-----BEGIN PRIVATE KEY----- +MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALQJHvqyi+N2alZG +YRp/xdob6cZ7tzOGl0sqRq7ZvXpW1KOQ9y3E8vlTi9ozFBRugs+v72gv719Jg3fV +XMMPiHJp4ah4jl+GcZ6qTvWSrm4c40E5BQxtlsFDw9V31J2T7L0knoTl8L4aEsvk +j7LYMruzIHPLKarVaLqs+nVdcXsBAgMBAAECgYA2ONEFvCR5ez6HgWbZbkYObH25 +86S3df+2+aKUIqv4XpJoOM7ZEAoFoW3rZ5rSlH39QwWdoWI8lo1r1+y6KsFzAh35 +GLOu4Sn7sUbOIz2YLmRwTtYpmteAYacu2qDjHm3BUsCuCnSOLtMDXyr/vi5Osjhr +PwfmJNjifb05GUuaaQJBAOwYy4sSAYeA3ljVz1rHUNP+tRcrGeqwiuKNGSBuJOdw +cACsUnzxzfLKRaoa9idIXAxLwNJaI/I9oAic02Vv988CQQDDNngJ+8n46UT76tM8 +f2N6YLz12fELsQUa5YmbB1p2d6/wRiC6+95x0Z0a20PtCxkqlzPmYOeA5SCFtWby +8EQvAkAwd86hWCr0NGJw/kO5MR3Ix4tJnFGPunpok+rKm5H76Ts1CCtO9xz+cMPo +beyGl/Y9l/eXt2WVv0zxN7C2LExFAkEAh1dzQBC2hgFMl4/GJjJ3yLfbKmSQrzdq +v6wWjEo72NjAPUiRlrHbFnRqhN0yKd1A9HtiOz5CIuY4dxs+pf4YdwJARGxKfRGP +MqYqKsOe2x4wHn0EH9wQ3fb6AwNWxm4J9v587LZlq8WXXdp+eFuHb8CMp4OGdvX3 +H+5eMXskJS3CkA== +-----END PRIVATE KEY----- } SERVER_CERT_PRIVATE_KEY_MISMATCHED = %{-----BEGIN RSA PRIVATE KEY----- diff --git a/tests/aws/requests/iam/server_certificate_tests.rb b/tests/aws/requests/iam/server_certificate_tests.rb index 229696f67..6f835863d 100644 --- a/tests/aws/requests/iam/server_certificate_tests.rb +++ b/tests/aws/requests/iam/server_certificate_tests.rb 
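Review bot: `SERVER_CERT_PRIVATE_KEY_PKCS8` adds unencrypted private-key material, and the only comment on it is the openssl command, so nothing tells a later reader or someone triaging a secret-scanner hit that it is a throwaway fixture. I would add one line to that comment, e.g. `# Test fixture only: PKCS#8 re-encoding of SERVER_CERT_PRIVATE_KEY; never use this key for a real certificate`. The hunk starts inside the preceding key literal, so whether the neighbouring constants already carry such a note is not visible here.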
@@ -24,6 +24,7 @@ Shindo.tests('AWS::IAM | server certificate requests', ['aws']) do tests('#upload_server_certificate') do public_key = AWS::IAM::SERVER_CERT_PUBLIC_KEY private_key = AWS::IAM::SERVER_CERT_PRIVATE_KEY + private_key_pkcs8 = AWS::IAM::SERVER_CERT_PRIVATE_KEY_PKCS8 private_key_mismatch = AWS::IAM::SERVER_CERT_PRIVATE_KEY_MISMATCHED tests('empty public key').raises(Fog::AWS::IAM::ValidationError) do @@ -42,6 +43,10 @@ Shindo.tests('AWS::IAM | server certificate requests', ['aws']) do Fog::AWS::IAM.new.upload_server_certificate(public_key, 'abcde', @key_name) end + tests('non-RSA private key').raises(Fog::AWS::IAM::MalformedCertificate) do + Fog::AWS::IAM.new.upload_server_certificate(public_key, private_key_pkcs8, @key_name) + end + tests('mismatched private key').raises(Fog::AWS::IAM::KeyPairMismatch) do Fog::AWS::IAM.new.upload_server_certificate(public_key, private_key_mismatch, @key_name) end
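Review bot: The case name `'non-RSA private key'` in the second hunk does not match its input. Per the helper comment, `SERVER_CERT_PRIVATE_KEY_PKCS8` is produced by running `openssl pkcs8 -topk8` over the RSA fixture, so it is an RSA key in PKCS#8 encoding, and no key of another algorithm is exercised. I would rename the case to `tests('PKCS#8-encoded private key').raises(Fog::AWS::IAM::MalformedCertificate) do` so that a failure points at the encoding check rather than at the key type.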