Validate that a certificate and private key match This function checks that the public key in the certificate matches the provided private key. This is a basic sanity check to prevent configuration errors. # Arguments `certs` - Certificate chain (first certificate is the leaf) `private_key` - Private key to validate against # Errors Returns error if: - Certificate chain is empty - Public key ex
(
certs: &[CertificateDer<'_>],
private_key: &PrivateKeyDer<'_>,
)
| 1256 | /// Note: This is a simplified validation. Full validation would require |
| 1257 | /// signing and verifying a test message, which is complex with rustls. |
| 1258 | pub fn validate_cert_key_match( |
| 1259 | certs: &[CertificateDer<'_>], |
| 1260 | private_key: &PrivateKeyDer<'_>, |
| 1261 | ) -> Result<(), String> { |
| 1262 | if certs.is_empty() { |
| 1263 | return Err("Certificate chain is empty".to_string()); |
| 1264 | } |
| 1265 | |
| 1266 | // For rustls, the actual validation happens when creating CertifiedKey |
| 1267 | // We can attempt to create a signing key to verify the key is valid |
| 1268 | use rustls::crypto::aws_lc_rs::sign::any_supported_type; |
| 1269 | |
| 1270 | match any_supported_type(private_key) { |
| 1271 | Ok(_signing_key) => { |
| 1272 | // If we can create a signing key, the private key is valid |
| 1273 | // Rustls will validate the cert-key match when building config |
| 1274 | Ok(()) |
| 1275 | } |
| 1276 | Err(_) => Err("PEM lib".to_string()), |
| 1277 | } |
| 1278 | } |
| 1279 | |
| 1280 | /// StrictCertVerifier: wraps a ServerCertVerifier and adds RFC 5280 strict validation |
| 1281 | /// |
no test coverage detected