diff --git a/caddy/letsencrypt/crypto.go b/caddy/letsencrypt/crypto.go
index 3322cc1c..95f2069d 100644
--- a/caddy/letsencrypt/crypto.go
+++ b/caddy/letsencrypt/crypto.go
@@ -25,6 +25,7 @@ func saveRSAPrivateKey(key *rsa.PrivateKey, file string) error {
 	if err != nil {
 		return err
 	}
+	keyOut.Chmod(0600)
 	defer keyOut.Close()
 	return pem.Encode(keyOut, &pemKey)
 }
diff --git a/caddy/letsencrypt/crypto_test.go b/caddy/letsencrypt/crypto_test.go
index ca81efd6..672095d9 100644
--- a/caddy/letsencrypt/crypto_test.go
+++ b/caddy/letsencrypt/crypto_test.go
@@ -6,6 +6,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"os"
+	"runtime"
 	"testing"
 )
 
@@ -28,13 +29,26 @@ func TestSaveAndLoadRSAPrivateKey(t *testing.T) {
 		t.Fatal("error saving private key:", err)
 	}
 
+	// it doesn't make sense to test file permission on windows
+	if runtime.GOOS != "windows" {
+		// get info of the key file
+		info, err := os.Stat(keyFile)
+		if err != nil { t.Fatal("error stating private key:", err) }
+		// verify permission of key file is correct
+		if info.Mode().Perm() != 0600 { t.Error("Expected key file to have permission 0600, but it wasn't") }
+	}
+
 	// test load
 	loadedKey, err := loadRSAPrivateKey(keyFile)
 	if err != nil {
 		t.Error("error loading private key:", err)
 	}
-	// very loaded key is correct
+	// verify loaded key is correct
 	if !rsaPrivateKeysSame(privateKey, loadedKey) {
 		t.Error("Expected key bytes to be the same, but they weren't")
 	}
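Review bot: The added `keyOut.Chmod(0600)` drops its error, so if tightening the mode fails the function carries on and `pem.Encode` writes the private key into a file that may still be group/world-readable; it should be `if err := keyOut.Chmod(0600); err != nil { return err }` (the deferred Close on the next line then still runs). Separately, the file has already been created by the call just above the hunk before the mode is changed, so for a fresh file there is a short window in which it exists with whatever default mode that call used (presumably 0666 masked by the umask, if it is `os.Create` — that line is outside the hunk, so this is inferred). Creating it restricted from the start with `os.OpenFile(file, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)` closes that window; keeping the Chmod afterwards is still worthwhile because the OpenFile mode only applies when the file is newly created, and a pre-existing key file with looser permissions would otherwise keep them. The body of saveRSAPrivateKey begins outside this hunk.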