[pve-devel] [PATCH v2 common 1/2] certificate: add subroutine that checks if cert and key match

[Max Carrara]

This is done here in order to allow other packages to make use of
this subroutine.

Signed-off-by: Max Carrara <m.carrara at proxmox.com>
---
 src/PVE/Certificate.pm | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
index 31a7722..22de762 100644
--- a/src/PVE/Certificate.pm
+++ b/src/PVE/Certificate.pm
@@ -228,6 +228,47 @@ sub get_certificate_fingerprint {
     return $fp;
 }
 
+sub certificate_matches_key {
+    my ($cert_path, $key_path) = @_;
+
+    die "No certificate path given!\n" if !$cert_path;
+    die "No certificate key path given!\n" if !$key_path;
+
+    die "Certificate at '$cert_path' does not exist!\n" if ! -e $cert_path;
+    die "Certificate key '$key_path' does not exist!\n" if ! -e $key_path;
+
+    my $ctx = Net::SSLeay::CTX_new()
+	or $ssl_die->(
+	    "Failed to create SSL context in order to verify private key"
+	);
+
+    eval {
+	my $filetype = &Net::SSLeay::FILETYPE_PEM;
+
+	Net::SSLeay::CTX_use_PrivateKey_file($ctx, $key_path, $filetype)
+	    or $ssl_die->(
+		"Failed to load private key from '$key_path' into SSL context"
+	    );
+
+	Net::SSLeay::CTX_use_certificate_file($ctx, $cert_path, $filetype)
+	    or $ssl_die->(
+		"Failed to load certificate from '$cert_path' into SSL context"
+	    );
+
+	Net::SSLeay::CTX_check_private_key($ctx)
+	    or $ssl_die->(
+		"Failed to validate private key and certificate"
+	    );
+    };
+    my $err = $@;
+
+    Net::SSLeay::CTX_free($ctx);
+
+    die $err if $err;
+
+    return 1;
+}
+
 sub get_certificate_info {
     my ($cert_path) = @_;
 
-- 
2.30.2