dh_params resource (proposed)

[4-20ma]

Description

I propose a dh_params resource to validate Diffie-Hellman parameters stored in a file.

InSpec and Platform Version

Current

Replication Case

Resource would be based on x509_certificate.

Possible Solutions

Proposed interface (feedback encouraged):

    describe dh_params('/path/to/file.dh_pem') do
      it { should be_dh_params }
      it { should be_valid }
      it { should be_prime }
      its('generator') { should eq 2 }
      its('modulus') { should eq 'large-hex-value' }
      its('num_bits') { should be 2048 }
      its('pem') { should eq '-----BEGIN DH PARAMETERS...' }
      its('prime') { should eq 'large-hex-value' }
      its('size') { should be 2048 }
      its('text') { should eq 'human-readable-text' }
    end # describe

Example output:

  dh_params /etc/pki/tls/private/example.dh_pem
     ✔  should be dh params
     ✔  should be valid
     ✔  should be prime
     ✔  generator should eq 2
     ✔  modulus should eq "B41B13694FADBA2B9AAC281A144544B680837DA6C391848E660AA9C2B9A252D1454F1245A4F45C2FD28C50DFDCF70B071629..43648D54BCAAEDB5A43958AB60BFD2710143CF43087E931D61E07060FF67FB9933C09702EE2FFAFF796A3EDFD89D99403ACB"
     ✔  num_bits should equal 2048
     ✔  pem should eq "-----BEGIN DH PARAMETERS..."
     ✔  prime should eq "B41B13694FADBA2B9AAC281A144544B680837DA6C391848E660AA9C2B9A252D1454F1245A4F45C2FD28C50DFDCF70B071629..43648D54BCAAEDB5A43958AB60BFD2710143CF43087E931D61E07060FF67FB9933C09702EE2FFAFF796A3EDFD89D99403ACB"
     ✔  size should equal 2048
     ✔  text should eq "
    DH Parameters: (2048 bit)
        prime:
            00:b4:1b:13:69:4f:ad:ba:2b:9a:ac:28:1a:14:45:
            44:b6:80:83:7d:a6:c3:91:84:8e:66:0a:a9:c2:b9:
            a2:52:d1:45:4f:12:45:a4:f4:5c:2f:d2:8c:50:df:
            dc:f7:0b:07:16:29:08:6b:5e:f7:db:25:72:43:af:
            5b:df:71:fc:27:f6:a9:61:20:6c:ae:a2:7f:0d:0b:
            dc:80:16:9c:b6:d3:a9:66:3a:77:68:ea:e3:7a:f4:
            8a:04:4a:89:aa:e7:b1:b6:84:30:a4:35:8d:87:b5:
            e9:01:d9:43:fb:e7:69:fd:cd:d3:9c:2f:21:27:b9:
            f8:67:32:ac:a1:81:64:9e:0f:54:fa:6f:16:0b:c2:
            de:82:45:67:30:ee:af:bb:30:16:8e:87:c5:e0:e1:
            74:58:42:3f:15:c4:3d:3b:33:a6:ac:78:a2:63:cc:
            d0:0d:bc:7b:2e:3e:42:ba:01:7a:42:f8:d4:01:fb:
            90:63:a9:3e:5d:23:fc:16:9d:18:76:df:92:31:07:
            e9:a7:92:0f:fa:a6:1b:5a:6a:7b:5c:a5:43:64:8d:
            54:bc:aa:ed:b5:a4:39:58:ab:60:bf:d2:71:01:43:
            cf:43:08:7e:93:1d:61:e0:70:60:ff:67:fb:99:33:
            c0:97:02:ee:2f:fa:ff:79:6a:3e:df:d8:9d:99:40:
            3a:cb
        generator: 2 (0x2)"

I've written a working resource for a private project; would a PR for this resource be considered for inclusion in InSpec? If so, I'll code up the unit tests/documentation and submit a PR.

[chris-rock]

@4-20ma This is a great addition for InSpec!

[adamleff]

I 100% support this, and since you already submitted a PR with this functionality, I'm going to close out this issue and we'll continue the discussion in #1618.

Again, thanks for your contribution!