feat: handle key encrypted looking at headers too
This commit is contained in:
parent
aa713af153
commit
ee967277d4
|
@ -36,7 +36,7 @@ func FromRSAKeyWithPassword(certFile, certKey, passwd string) (credentials.Trans
|
|||
return nil, errors.New("rest is not empty")
|
||||
}
|
||||
|
||||
if !strings.Contains(keyBlock.Type, "ENCRYPTED") {
|
||||
if !strings.Contains(keyBlock.Type, "ENCRYPTED") && !isEncryptedOnHeaders(keyBlock.Headers) {
|
||||
return nil, fmt.Errorf("certificate should has been encrypted with password")
|
||||
}
|
||||
|
||||
|
@ -57,6 +57,19 @@ func FromRSAKeyWithPassword(certFile, certKey, passwd string) (credentials.Trans
|
|||
return credentials.NewServerTLSFromCert(&cert), nil
|
||||
}
|
||||
|
||||
func isEncryptedOnHeaders(headers map[string]string) bool {
|
||||
if len(headers) == 0 {
|
||||
return false
|
||||
}
|
||||
for _, v := range headers {
|
||||
if !strings.Contains(v, "ENCRYPTED") {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
||||
return false
|
||||
}
|
||||
|
||||
func decryptRSA(keyFile, password string) (string, error) {
|
||||
cmd := exec.Command("openssl", "rsa", "-in", keyFile, "-passin", formatPass(password), "-text")
|
||||
output_bts, err := cmd.Output()
|
||||
|
|
|
@ -2,6 +2,7 @@ package credentials
|
|||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"os/exec"
|
||||
|
@ -18,25 +19,9 @@ var (
|
|||
testCertKey = testDir + "/testCertKey.pem"
|
||||
testCert = testDir + "/testCert.pem"
|
||||
testCertScript = testDir + "/certScript.sh"
|
||||
testCertEncryptedNotHeader = testDir + "/testCertEncryptedNotHeader.pem"
|
||||
testKeyEncryptedNotHeader = testDir + "/testCertEncryptedNotHeader-key.pem"
|
||||
testKeyPass = "test"
|
||||
|
||||
generateKeyScript = `#!/bin/bash
|
||||
openssl genpkey -out ./` + testCertKey + ` -algorithm RSA -pass pass:test -des3`
|
||||
|
||||
generateCertScript = `#!/bin/bash
|
||||
openssl req -new -sha256 -key ./` + testCertKey + ` -passin pass:test -out ./` + testCert + ` -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"`
|
||||
|
||||
certKeyOk = `-----BEGIN PRIVATE KEY-----
|
||||
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP+sX5Fn7WhQgAt1l
|
||||
nL3YaX0RPuJFf058/r90mO/xViyhRANCAAT3qOUKYwgSbBSVAMkC14/kZAQWZIef
|
||||
+SnO6GvOjMU8dcchboisMujVQRksfgJUsBZmfquh93BnkYqkSzlD+dIE
|
||||
-----END PRIVATE KEY-----`
|
||||
|
||||
certKeyError = `-----BEGIN PRIVATE KEY-----
|
||||
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFrBUnTIIrSbRBZpX
|
||||
j3TlomgnCQFe6JUVBO0fyRQMk1qhRANCAASTLZ8S8rWSmraKWNdM6N3pWPuATi92
|
||||
yQuhZ6P2JaLnfmYemIOprHeRSqTqWy4+kus3b4LxPEzu86/248d7d
|
||||
-----END PRIVATE KEY-----`
|
||||
)
|
||||
|
||||
func createTestDir() error {
|
||||
|
@ -48,6 +33,8 @@ func deleteTestDir() error {
|
|||
}
|
||||
|
||||
func createEncryptedKeyFile() error {
|
||||
generateKeyScript := `#!/bin/bash
|
||||
openssl genpkey -out ./` + testCertKey + ` -algorithm RSA -pass pass:test -des3`
|
||||
if err := os.WriteFile(testCertScript, []byte(generateKeyScript), os.ModeAppend); err != nil {
|
||||
log.Fatalln("os.WriteFile: ", err)
|
||||
}
|
||||
|
@ -61,6 +48,9 @@ func createEncryptedKeyFile() error {
|
|||
}
|
||||
|
||||
func createCertificateFromKeyFile() error {
|
||||
generateCertScript := `#!/bin/bash
|
||||
openssl req -new -sha256 -key ./` + testCertKey + ` -passin pass:test -out ./` + testCert + ` -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"`
|
||||
|
||||
if err := os.WriteFile(testCertScript, []byte(generateCertScript), os.ModeAppend); err != nil {
|
||||
log.Fatalln("os.WriteFile: ", err)
|
||||
}
|
||||
|
@ -73,11 +63,89 @@ func createCertificateFromKeyFile() error {
|
|||
return nil
|
||||
}
|
||||
|
||||
func createCertificateEncNoHeader() error {
|
||||
certEncryptedNotHeader := `-----BEGIN CERTIFICATE-----
|
||||
MIIFfDCCA2SgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UEBhMCUk0x
|
||||
DTALBgNVBAgMBFJFTUwxEjAQBgNVBAoMCUZ1bmdpbWFpbDEVMBMGA1UEAwwMaW50
|
||||
ZXJtZWRpYXRlMB4XDTIzMDQxNTE3NDMxNFoXDTI0MDQyNDE3NDMxNFowgcIxCzAJ
|
||||
BgNVBAYTAlJNMQ0wCwYDVQQIDARSRU1MMR4wHAYDVQQHDBVhcGkud2l0bmVzcy51
|
||||
cmtvYi5jb20xHjAcBgNVBAoMFWFwaS53aXRuZXNzLnVya29iLmNvbTEeMBwGA1UE
|
||||
CwwVYXBpLndpdG5lc3MudXJrb2IuY29tMR4wHAYDVQQDDBVhcGkud2l0bmVzcy51
|
||||
cmtvYi5jb20xJDAiBgkqhkiG9w0BCQEWFWFwaS53aXRuZXNzLnVya29iLmNvbTCC
|
||||
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALiufUUgzikdcbaSrX79gscy
|
||||
KCfQOkGm3hNGdgiDM0S7XWAzVIgEtpWKzuTRNskyNX7te/1cBFZX0B3JKx9b9ySx
|
||||
IB1ByoSLnM6EI3Rf2+o3TEi4d6/KLvxCMhESdXddbIYBzTlNabmqA0STUbdmCNd+
|
||||
qSn30Q8ppzcIgZQWe8lM58VknkWJvCkR5Kaji7baySM0FVHfsF+VcSufOaxV/uPF
|
||||
5hOtOneka9tlsImQBow08wARCOiMWQwk0ipEHxd1iF9zgdODzBmp/v2TXrH07/H2
|
||||
29wpJAGoIbjg87p6IzkEiDIl1q8jj9AUYPY8RI1PlrJgEUXmtWxtpcrIozDAQhkC
|
||||
AwEAAaOB9TCB8jAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgB
|
||||
hvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0G
|
||||
A1UdDgQWBBTQw/IEPzQS8fPn+HH2e7bgQ8G4XjBZBgNVHSMEUjBQgBRZA1nwXhva
|
||||
oMHqfcd+CkJ1tY2+5aE0pDIwMDELMAkGA1UEBhMCUk0xDTALBgNVBAgMBFJFTUwx
|
||||
EjAQBgNVBAoMCUZ1bmdpbWFpbIICEAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQM
|
||||
MAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQCHug9kWkHCNwSK37+YUZsJ
|
||||
cRSlAdZ31O60EYLpss/Gr+rGL6aDENS0YytnY+HWfztItFGnh4uSWxZvAbXP90/5
|
||||
GrLI+bdeFk05E4tazM93hmpmMf4jQyqmuZiZ6HLbxsWMCuqA+E8EiM0UzMM0toKR
|
||||
imCPV0NRcWfmu/iC41OPHYKdfVMwpDNspOUDaWP1UsrgYjkfwYDyDcakK74/XNYf
|
||||
26sX5/b28+VoDiVP5lkdaHxDWcHp+4YhuGYY3wg0/RLFmv9aHH9rpaPZ1VPs18sA
|
||||
DhshwcL88NGz/E6dTSiEkQMhWyOaYUmW18l0CIAajgVgReohk7MwgbxgzDttZuWN
|
||||
mxo8LbCle3/ePezl68O4GMXO5Z+w3veZiVB1zM7t51caBu8HAjlZI067jLL0C1ju
|
||||
lSUSRN+YMfCTkchY7o7hkgC8g6WF7pACCxY9gUksbssQXQo9DcRH6dQ6T7V8hwCS
|
||||
Q9bTvCiOneRFfH74da6aQH76NJDlspkdhdpIvsUjqyPDHnYDNxwCRJpwiUlAXKT6
|
||||
yzsuASSBlWzaTynZNB5wwXMlMwLicriMNf33cgQ0I5HWlVimCX0C39tGO+qZCWq9
|
||||
F9QpmN1nSnnhoYDx1MVuU/Ibr9+97ysuQT1saOadtcCrML5DPdtIytAl4Dtrdpj7
|
||||
yQhGi+Mkkhw6oiotDn4eVA==
|
||||
-----END CERTIFICATE-----
|
||||
`
|
||||
keyEncryptedNotHeader := `-----BEGIN RSA PRIVATE KEY-----
|
||||
Proc-Type: 4,ENCRYPTED
|
||||
DEK-Info: AES-256-CBC,99C1C3BE95C653A665C392B6FC8B8517
|
||||
|
||||
l4Ome1QW3kstGZZQ7F2/L0dXTlihM3J/poQzBuYHcsFDfAT6i41/22N1it+dujtk
|
||||
N2Rv8RfgdxRM26nGlJok66sO8YTvew4rUc4YBC9ms0W6OHzWeQXSvWxBjiRjTasX
|
||||
VK8OzaYOHqsMInGJ7hctJn3LVRtIJvNfjn29+13icUjvAuE8+b/oPc0eArwPyu6x
|
||||
Os2C7lPO5NG6BMgiwASBTr80v+SpwWQJCgrLPqpd+5pv4Yf+iCLrYnVSNHgr2IA/
|
||||
Kqw070wj9UavxPnKiRDqjgssJUMDGX/P8iTbMVJOEaGjlf5HJkhVtwOf9qoixe/f
|
||||
97QZcGWTkUqWdnstw8BYNvEah/GBtVW8x7e4rzJXr50f5EIP6fOYWERHoXEqGLuw
|
||||
WgPOploov7qS0pkikQEUbGF+v+EBv2Z+Z3k9Qy4HpGbukR4PNYxRPEEthWal9WIZ
|
||||
493aVoSgwqUeEHgOYMBs5lrryXgJ7uVw49ShzZIJVXyiMCfi8rElY5ITaDQWM0+n
|
||||
ty9EiBSEgSaf4Oxhm9tdrIhlBN0T8Byc2Sao+Xvj+NckT+M37uFB+IvhbjRlwalL
|
||||
CyB7PF1W2d7VRGUrKQ3RGDpyDlcsjIDBgD3ybSRZHuPi2wz/qmZ17PwLHal+SgB4
|
||||
ZPO21GIlmyPqvKj9K3PUFFUi88pX7wxIFg9AYOoqBSzcrlFeF6Iizv7aapbZFl4T
|
||||
qoZ4E+uE3BAtiKYBDvQdS7Vkn230ZpRyySBKSurmVusyb783mNpC0QQJ28ldSSCD
|
||||
eQFi75BadcqJnWBUta7kLA3igbONljXLm5HlWB/Ep7AWYG6PtF3U1z3JPbCB5PpC
|
||||
uFJfQARZERG0d/xZ+FIyMaqKtIhwW7WRJ6D65o4GMT++k9SQo3onnNspQIGbKcfb
|
||||
CnXhwGxHCPZ93pu+IhZqPH+4MquW4TRdRnK2Ce+HSVsQ3xvZQTg4bxexTChtMpp5
|
||||
hz0keKqhNARMRRqGihapGq/j84jAv/dIouHdnKJ+p5DgtF1UcpCO1tUIlKDDdg54
|
||||
gTJDgxunysVwupPblXKDzAdDkqB9h3stpLZb1mL6AG2+NU3lu/fXMIti8zLYWJFk
|
||||
J9jadGR9cnt2vyedErIrztpxOjLQlEfagbTxKMcjee/Pjir+VeDc/WZqWf1EWuTH
|
||||
zK9p87ze7oUW2UEffKDmPZZMDWMy8Th6goaxp3r1WEci/bVpWblG0PgYQQFZ8hHH
|
||||
SqNhRUjmYSSJza6rhe2aoqDUBisg8/xdVHqEQIpSumYsI7AbLwovgDK8E46jW9+r
|
||||
0yD/REoc8MZNd5kHTSF+tfhr8ve/4Yj0TObAeBZUv3wwqKSXhbCWW40V1iWw9+6O
|
||||
kwLoIh9iWHk4oM98/hUDCV5/6bQdMNP7LpBC+KhKXzaqKBomWZciMZQXdgYzbTHr
|
||||
eMvirNzmyc/BMkf3asQLAaTYbpi/ZwzfxHxsfPf3LcXRZay1BMF0IKwRh3SHWODJ
|
||||
oJ4rd49tRVCnMXOHnZJAbnWWAgAiiJtvVs0yGeSuVa6lWIvQk+z1XxmMGZKVJzYR
|
||||
mXTUabqj0SXf7mjBozClDrtyY4vwz77oXbg0h3HdJbQFtXH1xe3nx0/tg3jvTfJX
|
||||
-----END RSA PRIVATE KEY-----
|
||||
`
|
||||
|
||||
if err := os.WriteFile(testCertEncryptedNotHeader, []byte(certEncryptedNotHeader), os.ModeAppend); err != nil {
|
||||
return fmt.Errorf("os.WriteFile(testCertEncryptedNotHeader: %s", err)
|
||||
}
|
||||
|
||||
if err := os.WriteFile(testKeyEncryptedNotHeader, []byte(keyEncryptedNotHeader), os.ModeAppend); err != nil {
|
||||
return fmt.Errorf("os.WriteFile(testKeyEncryptedNotHeader: %s", err)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func TestCredentialsFromKeyWithPasswd(t *testing.T) {
|
||||
require.NoError(t, deleteTestDir())
|
||||
require.NoError(t, createTestDir())
|
||||
require.NoError(t, createEncryptedKeyFile())
|
||||
require.NoError(t, createCertificateFromKeyFile())
|
||||
require.NoError(t, createCertificateEncNoHeader())
|
||||
|
||||
defer func() {
|
||||
require.NoError(t, deleteTestDir())
|
||||
|
@ -88,6 +156,9 @@ func TestCredentialsFromKeyWithPasswd(t *testing.T) {
|
|||
|
||||
_, err = FromRSAKeyWithPassword(testCert, testCertKey, "wrong-pass")
|
||||
assert.Error(t, err, "key with wrong pass password should not fail")
|
||||
|
||||
_, err = FromRSAKeyWithPassword(testCertEncryptedNotHeader, testKeyEncryptedNotHeader, "test")
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
|
||||
func TestCredentialsFromKeyWithPasswdError(t *testing.T) {
|
||||
|
@ -112,6 +183,18 @@ func TestCredentialsFromKeyWithPasswdError(t *testing.T) {
|
|||
_, err = FromRSAKeyWithPassword(testCert, testKeyError, testKeyPass)
|
||||
require.Error(t, err)
|
||||
|
||||
certKeyOk := `-----BEGIN PRIVATE KEY-----
|
||||
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgP+sX5Fn7WhQgAt1l
|
||||
nL3YaX0RPuJFf058/r90mO/xViyhRANCAAT3qOUKYwgSbBSVAMkC14/kZAQWZIef
|
||||
+SnO6GvOjMU8dcchboisMujVQRksfgJUsBZmfquh93BnkYqkSzlD+dIE
|
||||
-----END PRIVATE KEY-----`
|
||||
|
||||
certKeyError := `-----BEGIN PRIVATE KEY-----
|
||||
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgFrBUnTIIrSbRBZpX
|
||||
j3TlomgnCQFe6JUVBO0fyRQMk1qhRANCAASTLZ8S8rWSmraKWNdM6N3pWPuATi92
|
||||
yQuhZ6P2JaLnfmYemIOprHeRSqTqWy4+kus3b4LxPEzu86/248d7d
|
||||
-----END PRIVATE KEY-----`
|
||||
|
||||
require.NoError(t, os.WriteFile(testCertKeyError, []byte(certKeyError), os.ModeAppend))
|
||||
_, err = FromRSAKeyWithPassword(testCert, testCertKeyError, testKeyPass)
|
||||
assert.Error(t, err)
|
||||
|
|
Loading…
Reference in New Issue