From 0d8d0ba5a092ed539a26ec5a36ff80c5e1abcce5 Mon Sep 17 00:00:00 2001
From: Xidorn Quan <quanxunzhen@gmail.com>
Date: Sat, 16 Jan 2016 12:36:40 +1100
Subject: [PATCH] letsencrypt: Fix perm of user key

---
 caddy/letsencrypt/crypto.go      |  1 +
 caddy/letsencrypt/crypto_test.go | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/caddy/letsencrypt/crypto.go b/caddy/letsencrypt/crypto.go
index 3322cc1c..95f2069d 100644
--- a/caddy/letsencrypt/crypto.go
+++ b/caddy/letsencrypt/crypto.go
@@ -25,6 +25,7 @@ func saveRSAPrivateKey(key *rsa.PrivateKey, file string) error {
 	if err != nil {
 		return err
 	}
+	keyOut.Chmod(0600)
 	defer keyOut.Close()
 	return pem.Encode(keyOut, &pemKey)
 }
diff --git a/caddy/letsencrypt/crypto_test.go b/caddy/letsencrypt/crypto_test.go
index ca81efd6..672095d9 100644
--- a/caddy/letsencrypt/crypto_test.go
+++ b/caddy/letsencrypt/crypto_test.go
@@ -6,6 +6,7 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"os"
+	"runtime"
 	"testing"
 )
 
@@ -28,13 +29,26 @@ func TestSaveAndLoadRSAPrivateKey(t *testing.T) {
 		t.Fatal("error saving private key:", err)
 	}
 
+	// it doesn't make sense to test file permission on windows
+	if runtime.GOOS != "windows" {
+		// get info of the key file
+		info, err := os.Stat(keyFile)
+		if err != nil {
+			t.Fatal("error stating private key:", err)
+		}
+		// verify permission of key file is correct
+		if info.Mode().Perm() != 0600 {
+			t.Error("Expected key file to have permission 0600, but it wasn't")
+		}
+	}
+
 	// test load
 	loadedKey, err := loadRSAPrivateKey(keyFile)
 	if err != nil {
 		t.Error("error loading private key:", err)
 	}
 
-	// very loaded key is correct
+	// verify loaded key is correct
 	if !rsaPrivateKeysSame(privateKey, loadedKey) {
 		t.Error("Expected key bytes to be the same, but they weren't")
 	}