key_rsa

Use the key_rsa InSpec audit resource to test RSA public/private keypairs.

This resource is mainly useful when used in conjunction with the x509_certificate resource but it can also be used for checking SSH keys.


Availability

Installation

This resource is distributed along with InSpec itself. You can use it automatically.

Version

This resource first became available in v1.18.0 of InSpec.

Syntax

An key_rsa resource block declares a key file to be tested.

describe key_rsa('mycertificate.key') do
  it { should be_private }
  it { should be_public }
  its('public_key') { should match "-----BEGIN PUBLIC KEY-----\n3597459df9f3982" }
  its('key_length') { should eq 2048 }
end

You can use an optional passphrase with key_rsa

describe key_rsa('mycertificate.key', 'passphrase') do
  it { should be_private }
end


Properties

  • public_key, private_key, key_length


Property Examples

public_key (String)

The public_key property returns the public part of the RSA key pair

describe key_rsa('/etc/pki/www.mywebsite.com.key') do
  its('public_key') { should match "-----BEGIN PUBLIC KEY-----\n3597459df9f3982......" }
end

private_key (String)

The private_key property returns the private key or the RSA key pair.

describe key_rsa('/etc/pki/www.mywebsite.com.key') do
  its('private_key') { should match "-----BEGIN RSA PRIVATE KEY-----\nMIIJJwIBAAK......" }
end

key_length

The key_length property allows testing the number of bits in the key pair.

describe key_rsa('/etc/pki/www.mywebsite.com.key') do
  its('key_length') { should eq 2048 }
end


Matchers

For a full list of available matchers, please visit our matchers page.

public?

To verify if a key is public use the following:

describe key_rsa('/etc/pki/www.mywebsite.com.key') do
  it { should be_public }
end

private?

This property verifies that the key includes a private key:

describe key_rsa('/etc/pki/www.mywebsite.com.key') do
  it { should be_private }
end