key_rsa resource
Use the key_rsa Chef InSpec audit resource to test RSA public/private keypairs.
This resource is mainly useful when used in conjunction with the x509_certificate resource, but it can also be used for checking RSA-based SSH keys.
Availability
Install
This resource is distributed with Chef InSpec and is automatically available for use.
Version
This resource first became available in v1.18.0 of InSpec.
Syntax
A key_rsa resource block declares a key file to be tested.
describe key_rsa('certificate.key') do
it { should be_private }
it { should be_public }
its('public_key') { should match "PUBLIC_KEY" }
its('key_length') { should eq 2048 }
end
You can use an optional passphrase with key_rsa:
describe key_rsa('certificate.key', 'passphrase') do
it { should be_private }
end
Properties
public_key (String)
The public_key property returns the public part of the RSA key pair.
describe key_rsa('/etc/pki/www.example.com.key') do
its('public_key') { should match "RSA_PUBLIC_KEY" }
end
private_key (String)
The private_key property returns the private key of the RSA key pair.
describe key_rsa('/etc/pki/www.example.com.key') do
its('private_key') { should match "RSA_PRIVATE_KEY" }
end
key_length
The key_length property allows testing the number of bits in the key pair.
describe key_rsa('/etc/pki/www.example.com.key') do
its('key_length') { should eq 2048 }
end
Matchers
For a full list of available matchers, see our Universal Matchers page.
This resource has the following special matchers.
public?
To verify that a key is public, use the following:
describe key_rsa('/etc/pki/www.example.com.key') do
it { should be_public }
end
private?
This matcher verifies that the key includes a private key:
describe key_rsa('/etc/pki/www.example.com.key') do
it { should be_private }
end
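The checks described on this page (private key present, key length, optional passphrase), together with a key-to-certificate match of the kind the x509_certificate pairing is used for, written as an added example in plain Ruby with OpenSSL; it is not InSpec's own code or DSL. The helpers sample_pair and audit_key, the 2048-bit minimum, the passphrases and the generated key and certificate are assumptions constructed for the example.

```ruby
require 'openssl'

# Constructed sample material: a throwaway RSA key and self-signed certificate
# generated in memory, so nothing is read from disk.
def sample_pair(bits = 2048, passphrase = nil)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=www.example.com')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  key_pem = if passphrase
              key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
            else
              key.to_pem
            end
  [key_pem, cert.to_pem]
end

# Hypothetical audit helper. Returns a hash of findings, or { error: ... } when
# the key cannot be loaded (wrong passphrase, not an RSA key, corrupt file).
def audit_key(key_pem, cert_pem, passphrase = nil, min_bits: 2048)
  # A string is always passed as the passphrase so that OpenSSL never falls
  # back to prompting on the terminal for an encrypted key.
  key = OpenSSL::PKey::RSA.new(key_pem, passphrase || 'no-passphrase')
  cert_key = OpenSSL::X509::Certificate.new(cert_pem).public_key
  bits = key.n.num_bits
  {
    private: key.private?,
    key_length: bits,
    strong_enough: bits >= min_bits,
    # Same modulus and exponent means the certificate was issued for this key.
    matches_certificate: cert_key.n == key.n && cert_key.e == key.e
  }
rescue OpenSSL::OpenSSLError => e
  { error: e.class.name }
end

if $PROGRAM_NAME == __FILE__
  key_pem, cert_pem = sample_pair(2048, 'constructed-passphrase')
  p audit_key(key_pem, cert_pem, 'constructed-passphrase')
  p audit_key(key_pem, cert_pem, 'wrong-passphrase')
end
```

A file that holds only the public half loads successfully but reports private: false, which is the condition the be_private matcher is meant to catch.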