diff --git a/pkg/credentials/credentials.go b/pkg/credentials/credentials.go
index d0ef829..052bbcb 100644
--- a/pkg/credentials/credentials.go
+++ b/pkg/credentials/credentials.go
@@ -36,7 +36,7 @@ func FromRSAKeyWithPassword(certFile, certKey, passwd string) (credentials.Trans
 return nil, errors.New("rest is not empty")
 }
 
- if !strings.Contains(keyBlock.Type, "ENCRYPTED") {
+ if !strings.Contains(keyBlock.Type, "ENCRYPTED") && !isEncryptedOnHeaders(keyBlock.Headers) {
 return nil, fmt.Errorf("certificate should has been encrypted with password")
 }
 
@@ -57,6 +57,19 @@ func FromRSAKeyWithPassword(certFile, certKey, passwd string) (credentials.Trans
 return credentials.NewServerTLSFromCert(&cert), nil
 }
 
+func isEncryptedOnHeaders(headers map[string]string) bool {
+ if len(headers) == 0 {
+ return false
+ }
+ for _, v := range headers {
+ if !strings.Contains(v, "ENCRYPTED") {
+ return true
+ }
+ }
+
+ return false
+}
+
 func decryptRSA(keyFile, password string) (string, error) {
 cmd := exec.Command("openssl", "rsa", "-in", keyFile, "-passin", formatPass(password), "-text")
 output_bts, err := cmd.Output()
diff --git a/pkg/credentials/credentials_test.go b/pkg/credentials/credentials_test.go
index e247182..0a5e80a 100644
--- a/pkg/credentials/credentials_test.go
+++ b/pkg/credentials/credentials_test.go
@@ -2,6 +2,7 @@ package credentials
 
 import (
 "errors"
+ "fmt"
 "log"
 "os"
 "os/exec"
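Review bot: `isEncryptedOnHeaders` returns true for the first header value that does not contain "ENCRYPTED", which is the inverse of what the new condition in the first hunk needs: an unencrypted PEM carrying any unrelated header (a `Comment:` line, say) would now pass the "must be encrypted" check, and the new test only passes because the `DEK-Info` value happens to lack the word. The RFC 1421 marker is the `Proc-Type` header, so the body can be reduced to `return strings.Contains(headers["Proc-Type"], "ENCRYPTED")` (indexing a nil map is safe, so the `len` guard is unnecessary). The `Proc-Type`/`DEK-Info` scheme is the legacy RFC 1423 PEM encryption that Go's x509 package has deprecated as insecure by design, so accepting it should be a deliberate, documented choice, e.g. `// isEncryptedOnHeaders reports whether the PEM headers carry the legacy (RFC 1421) Proc-Type ENCRYPTED marker.` FromRSAKeyWithPassword begins and continues outside these hunks.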
@@ -12,31 +13,15 @@ import (
 )
 
 var (
- testDir = "testDir"
- testCertKeyError = testDir + "/testKeyError.pem"
- testKeyError = testDir + "/error-key.pem"
- testCertKey = testDir + "/testCertKey.pem"
- testCert = testDir + "/testCert.pem"
- testCertScript = testDir + "/certScript.sh"
- testKeyPass = "test"
-
- generateKeyScript = `#!/bin/bash
- openssl genpkey -out ./` + testCertKey + ` -algorithm RSA -pass pass:test -des3`
-
- generateCertScript = `#!/bin/bash
- openssl req -new -sha256 -key ./` + testCertKey + ` -passin pass:test -out ./` + testCert + ` -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"`
-
- certKeyOk = `-----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP+sX5Fn7WhQgAt1l
-nL3YaX0RPuJFf058/r90mO/xViyhRANCAAT3qOUKYwgSbBSVAMkC14/kZAQWZIef
-+SnO6GvOjMU8dcchboisMujVQRksfgJUsBZmfquh93BnkYqkSzlD+dIE
------END PRIVATE KEY-----`
-
- certKeyError = `-----BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFrBUnTIIrSbRBZpX
-j3TlomgnCQFe6JUVBO0fyRQMk1qhRANCAASTLZ8S8rWSmraKWNdM6N3pWPuATi92
-yQuhZ6P2JaLnfmYemIOprHeRSqTqWy4+kus3b4LxPEzu86/248d7d
------END PRIVATE KEY-----`
+ testDir = "testDir"
+ testCertKeyError = testDir + "/testKeyError.pem"
+ testKeyError = testDir + "/error-key.pem"
+ testCertKey = testDir + "/testCertKey.pem"
+ testCert = testDir + "/testCert.pem"
+ testCertScript = testDir + "/certScript.sh"
+ testCertEncryptedNotHeader = testDir + "/testCertEncryptedNotHeader.pem"
+ testKeyEncryptedNotHeader = testDir + "/testCertEncryptedNotHeader-key.pem"
+ testKeyPass = "test"
 )
 
 func createTestDir() error {
@@ -48,6 +33,8 @@ func deleteTestDir() error {
 }
 
 func createEncryptedKeyFile() error {
+ generateKeyScript := `#!/bin/bash
+ openssl genpkey -out ./` + testCertKey + ` -algorithm RSA -pass pass:test -des3`
 if err := os.WriteFile(testCertScript, []byte(generateKeyScript), os.ModeAppend); err != nil {
 log.Fatalln("os.WriteFile: ", err)
 }
@@ -61,6 +48,9 @@ func createEncryptedKeyFile() error {
 }
 
 func createCertificateFromKeyFile() error {
+ generateCertScript := `#!/bin/bash
+ openssl req -new -sha256 -key ./` + testCertKey + ` -passin pass:test -out ./` + testCert + ` -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"`
+
 if err := os.WriteFile(testCertScript, []byte(generateCertScript), os.ModeAppend); err != nil {
 log.Fatalln("os.WriteFile: ", err)
 }
@@ -73,11 +63,89 @@ func createCertificateFromKeyFile() error {
 return nil
 }
 
+func createCertificateEncNoHeader() error {
+ certEncryptedNotHeader := `-----BEGIN CERTIFICATE-----
+MIIFfDCCA2SgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCUk0x
+DTALBgNVBAgMBFJFTUwxEjAQBgNVBAoMCUZ1bmdpbWFpbDEVMBMGA1UEAwwMaW50
+ZXJtZWRpYXRlMB4XDTIzMDQxNTE3NDMxNFoXDTI0MDQyNDE3NDMxNFowgcIxCzAJ
+BgNVBAYTAlJNMQ0wCwYDVQQIDARSRU1MMR4wHAYDVQQHDBVhcGkud2l0bmVzcy51
+cmtvYi5jb20xHjAcBgNVBAoMFWFwaS53aXRuZXNzLnVya29iLmNvbTEeMBwGA1UE
+CwwVYXBpLndpdG5lc3MudXJrb2IuY29tMR4wHAYDVQQDDBVhcGkud2l0bmVzcy51
+cmtvYi5jb20xJDAiBgkqhkiG9w0BCQEWFWFwaS53aXRuZXNzLnVya29iLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiufUUgzikdcbaSrX79gscy
+KCfQOkGm3hNGdgiDM0S7XWAzVIgEtpWKzuTRNskyNX7te/1cBFZX0B3JKx9b9ySx
+IB1ByoSLnM6EI3Rf2+o3TEi4d6/KLvxCMhESdXddbIYBzTlNabmqA0STUbdmCNd+
+qSn30Q8ppzcIgZQWe8lM58VknkWJvCkR5Kaji7baySM0FVHfsF+VcSufOaxV/uPF
+5hOtOneka9tlsImQBow08wARCOiMWQwk0ipEHxd1iF9zgdODzBmp/v2TXrH07/H2
+29wpJAGoIbjg87p6IzkEiDIl1q8jj9AUYPY8RI1PlrJgEUXmtWxtpcrIozDAQhkC
+AwEAAaOB9TCB8jAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgB
+hvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0G
+A1UdDgQWBBTQw/IEPzQS8fPn+HH2e7bgQ8G4XjBZBgNVHSMEUjBQgBRZA1nwXhva
+oMHqfcd+CkJ1tY2+5aE0pDIwMDELMAkGA1UEBhMCUk0xDTALBgNVBAgMBFJFTUwx
+EjAQBgNVBAoMCUZ1bmdpbWFpbIICEAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQCHug9kWkHCNwSK37+YUZsJ
+cRSlAdZ31O60EYLpss/Gr+rGL6aDENS0YytnY+HWfztItFGnh4uSWxZvAbXP90/5
+GrLI+bdeFk05E4tazM93hmpmMf4jQyqmuZiZ6HLbxsWMCuqA+E8EiM0UzMM0toKR
+imCPV0NRcWfmu/iC41OPHYKdfVMwpDNspOUDaWP1UsrgYjkfwYDyDcakK74/XNYf
+26sX5/b28+VoDiVP5lkdaHxDWcHp+4YhuGYY3wg0/RLFmv9aHH9rpaPZ1VPs18sA
+DhshwcL88NGz/E6dTSiEkQMhWyOaYUmW18l0CIAajgVgReohk7MwgbxgzDttZuWN
+mxo8LbCle3/ePezl68O4GMXO5Z+w3veZiVB1zM7t51caBu8HAjlZI067jLL0C1ju
+lSUSRN+YMfCTkchY7o7hkgC8g6WF7pACCxY9gUksbssQXQo9DcRH6dQ6T7V8hwCS
+Q9bTvCiOneRFfH74da6aQH76NJDlspkdhdpIvsUjqyPDHnYDNxwCRJpwiUlAXKT6
+yzsuASSBlWzaTynZNB5wwXMlMwLicriMNf33cgQ0I5HWlVimCX0C39tGO+qZCWq9
+F9QpmN1nSnnhoYDx1MVuU/Ibr9+97ysuQT1saOadtcCrML5DPdtIytAl4Dtrdpj7
+yQhGi+Mkkhw6oiotDn4eVA==
+-----END CERTIFICATE-----
+`
+ keyEncryptedNotHeader := `-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-256-CBC,99C1C3BE95C653A665C392B6FC8B8517
+
+l4Ome1QW3kstGZZQ7F2/L0dXTlihM3J/poQzBuYHcsFDfAT6i41/22N1it+dujtk
+N2Rv8RfgdxRM26nGlJok66sO8YTvew4rUc4YBC9ms0W6OHzWeQXSvWxBjiRjTasX
+VK8OzaYOHqsMInGJ7hctJn3LVRtIJvNfjn29+13icUjvAuE8+b/oPc0eArwPyu6x
+Os2C7lPO5NG6BMgiwASBTr80v+SpwWQJCgrLPqpd+5pv4Yf+iCLrYnVSNHgr2IA/
+Kqw070wj9UavxPnKiRDqjgssJUMDGX/P8iTbMVJOEaGjlf5HJkhVtwOf9qoixe/f
+97QZcGWTkUqWdnstw8BYNvEah/GBtVW8x7e4rzJXr50f5EIP6fOYWERHoXEqGLuw
+WgPOploov7qS0pkikQEUbGF+v+EBv2Z+Z3k9Qy4HpGbukR4PNYxRPEEthWal9WIZ
+493aVoSgwqUeEHgOYMBs5lrryXgJ7uVw49ShzZIJVXyiMCfi8rElY5ITaDQWM0+n
+ty9EiBSEgSaf4Oxhm9tdrIhlBN0T8Byc2Sao+Xvj+NckT+M37uFB+IvhbjRlwalL
+CyB7PF1W2d7VRGUrKQ3RGDpyDlcsjIDBgD3ybSRZHuPi2wz/qmZ17PwLHal+SgB4
+ZPO21GIlmyPqvKj9K3PUFFUi88pX7wxIFg9AYOoqBSzcrlFeF6Iizv7aapbZFl4T
+qoZ4E+uE3BAtiKYBDvQdS7Vkn230ZpRyySBKSurmVusyb783mNpC0QQJ28ldSSCD
+eQFi75BadcqJnWBUta7kLA3igbONljXLm5HlWB/Ep7AWYG6PtF3U1z3JPbCB5PpC
+uFJfQARZERG0d/xZ+FIyMaqKtIhwW7WRJ6D65o4GMT++k9SQo3onnNspQIGbKcfb
+CnXhwGxHCPZ93pu+IhZqPH+4MquW4TRdRnK2Ce+HSVsQ3xvZQTg4bxexTChtMpp5
+hz0keKqhNARMRRqGihapGq/j84jAv/dIouHdnKJ+p5DgtF1UcpCO1tUIlKDDdg54
+gTJDgxunysVwupPblXKDzAdDkqB9h3stpLZb1mL6AG2+NU3lu/fXMIti8zLYWJFk
+J9jadGR9cnt2vyedErIrztpxOjLQlEfagbTxKMcjee/Pjir+VeDc/WZqWf1EWuTH
+zK9p87ze7oUW2UEffKDmPZZMDWMy8Th6goaxp3r1WEci/bVpWblG0PgYQQFZ8hHH
+SqNhRUjmYSSJza6rhe2aoqDUBisg8/xdVHqEQIpSumYsI7AbLwovgDK8E46jW9+r
+0yD/REoc8MZNd5kHTSF+tfhr8ve/4Yj0TObAeBZUv3wwqKSXhbCWW40V1iWw9+6O
+kwLoIh9iWHk4oM98/hUDCV5/6bQdMNP7LpBC+KhKXzaqKBomWZciMZQXdgYzbTHr
+eMvirNzmyc/BMkf3asQLAaTYbpi/ZwzfxHxsfPf3LcXRZay1BMF0IKwRh3SHWODJ
+oJ4rd49tRVCnMXOHnZJAbnWWAgAiiJtvVs0yGeSuVa6lWIvQk+z1XxmMGZKVJzYR
+mXTUabqj0SXf7mjBozClDrtyY4vwz77oXbg0h3HdJbQFtXH1xe3nx0/tg3jvTfJX
+-----END RSA PRIVATE KEY-----
+`
+
+ if err := os.WriteFile(testCertEncryptedNotHeader, []byte(certEncryptedNotHeader), os.ModeAppend); err != nil {
+ return fmt.Errorf("os.WriteFile(testCertEncryptedNotHeader: %s", err)
+ }
+
+ if err := os.WriteFile(testKeyEncryptedNotHeader, []byte(keyEncryptedNotHeader), os.ModeAppend); err != nil {
+ return fmt.Errorf("os.WriteFile(testKeyEncryptedNotHeader: %s", err)
+ }
+
+ return nil
+}
+
 func TestCredentialsFromKeyWithPasswd(t *testing.T) {
 require.NoError(t, deleteTestDir())
 require.NoError(t, createTestDir())
 require.NoError(t, createEncryptedKeyFile())
 require.NoError(t, createCertificateFromKeyFile())
+ require.NoError(t, createCertificateEncNoHeader())
 
 defer func() {
 require.NoError(t, deleteTestDir())
@@ -88,6 +156,9 @@ func TestCredentialsFromKeyWithPasswd(t *testing.T) {
 
 _, err = FromRSAKeyWithPassword(testCert, testCertKey, "wrong-pass")
 assert.Error(t, err, "key with wrong pass password should not fail")
+
+ _, err = FromRSAKeyWithPassword(testCertEncryptedNotHeader, testKeyEncryptedNotHeader, "test")
+ assert.NoError(t, err)
 }
 
 func TestCredentialsFromKeyWithPasswdError(t *testing.T) {
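Review bot: `createCertificateEncNoHeader` passes `os.ModeAppend` as the permission argument of both `os.WriteFile` calls; `ModeAppend` is a file-type bit rather than a permission, so a freshly created key file ends up with permission bits of zero, and private key material should be written with an explicit `0o600` instead. The existing helpers use the same value, so the suite may only be passing because of the environment it runs in — worth getting right in the new code regardless. The two error returns also have an unbalanced parenthesis and use `%s`, which drops the wrapped error, e.g. `return fmt.Errorf("writing %s: %w", testKeyEncryptedNotHeader, err)`.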
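Review bot: The new assertion covers only the positive case — a key whose headers carry `Proc-Type: 4,ENCRYPTED` is accepted — so it cannot distinguish a correct header check from one that returns true for any header value lacking the word, which is what `isEncryptedOnHeaders` in credentials.go currently does. A negative case that writes an unencrypted `PRIVATE KEY` block with an unrelated PEM header and asserts that `FromRSAKeyWithPassword` returns an error would pin the intended behaviour. `TestCredentialsFromKeyWithPasswd` starts outside this hunk.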
@@ -112,6 +183,18 @@ func TestCredentialsFromKeyWithPasswdError(t *testing.T) {
 _, err = FromRSAKeyWithPassword(testCert, testKeyError, testKeyPass)
 require.Error(t, err)
 
+ certKeyOk := `-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP+sX5Fn7WhQgAt1l
+nL3YaX0RPuJFf058/r90mO/xViyhRANCAAT3qOUKYwgSbBSVAMkC14/kZAQWZIef
++SnO6GvOjMU8dcchboisMujVQRksfgJUsBZmfquh93BnkYqkSzlD+dIE
+-----END PRIVATE KEY-----`
+
+ certKeyError := `-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFrBUnTIIrSbRBZpX
+j3TlomgnCQFe6JUVBO0fyRQMk1qhRANCAASTLZ8S8rWSmraKWNdM6N3pWPuATi92
+yQuhZ6P2JaLnfmYemIOprHeRSqTqWy4+kus3b4LxPEzu86/248d7d
+-----END PRIVATE KEY-----`
+
 require.NoError(t, os.WriteFile(testCertKeyError, []byte(certKeyError), os.ModeAppend))
 _, err = FromRSAKeyWithPassword(testCert, testCertKeyError, testKeyPass)
 assert.Error(t, err)