MCPcopy Index your code
hub / github.com/RustPython/RustPython / validate_cert_key_match

Function validate_cert_key_match

crates/stdlib/src/ssl/cert.rs:1258–1278  ·  view source on GitHub ↗

Validate that a certificate and private key match This function checks that the public key in the certificate matches the provided private key. This is a basic sanity check to prevent configuration errors. # Arguments `certs` - Certificate chain (first certificate is the leaf) `private_key` - Private key to validate against # Errors Returns error if: - Certificate chain is empty - Public key ex

(
    certs: &[CertificateDer<'_>],
    private_key: &PrivateKeyDer<'_>,
)

Source from the content-addressed store, hash-verified

1256/// Note: This is a simplified validation. Full validation would require
1257/// signing and verifying a test message, which is complex with rustls.
1258pub fn validate_cert_key_match(
1259 certs: &[CertificateDer<'_>],
1260 private_key: &PrivateKeyDer<'_>,
1261) -> Result<(), String> {
1262 if certs.is_empty() {
1263 return Err("Certificate chain is empty".to_string());
1264 }
1265
1266 // For rustls, the actual validation happens when creating CertifiedKey
1267 // We can attempt to create a signing key to verify the key is valid
1268 use rustls::crypto::aws_lc_rs::sign::any_supported_type;
1269
1270 match any_supported_type(private_key) {
1271 Ok(_signing_key) => {
1272 // If we can create a signing key, the private key is valid
1273 // Rustls will validate the cert-key match when building config
1274 Ok(())
1275 }
1276 Err(_) => Err("PEM lib".to_string()),
1277 }
1278}
1279
1280/// StrictCertVerifier: wraps a ServerCertVerifier and adds RFC 5280 strict validation
1281///

Callers 1

load_cert_chainMethod · 0.85

Calls 3

to_stringMethod · 0.80
ErrClass · 0.50
is_emptyMethod · 0.45

Tested by

no test coverage detected