caddytls: Give a better error message when given encrypted private keys (#6591)

This commit is contained in:
Francis Lavoie 2024-09-25 08:00:48 -04:00 committed by GitHub
parent ff67b97126
commit 9dda8fbf84
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 24 additions and 0 deletions


@ -18,6 +18,7 @@ import (
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"os" "os"
"strings"
"github.com/caddyserver/caddy/v2" "github.com/caddyserver/caddy/v2"
) )
@ -92,8 +93,16 @@ func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
switch pair.Format { switch pair.Format {
case "": case "":
fallthrough fallthrough
case "pem": case "pem":
// if the start of the key file looks like an encrypted private key,
// reject it with a helpful error message
if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
}
cert, err = tls.X509KeyPair(certData, keyData) cert, err = tls.X509KeyPair(certData, keyData)
default: default:
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format) return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
} }
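Review bot: The added `keyData[:40]` is sliced before the length of keyData is checked, so a key shorter than 40 bytes (an empty or truncated key file) panics at config load when the slice's capacity is below 40, instead of reaching the X509KeyPair error that already covers bad input; the StorageLoader hunk further down carries the same expression. Bounding the window keeps the intent: `head := keyData; if len(head) > 40 { head = head[:40] }` followed by `if strings.Contains(string(head), "ENCRYPTED") {`. The fixed 40-byte window also only recognises the PKCS#8 `-----BEGIN ENCRYPTED PRIVATE KEY-----` form; the legacy OpenSSL form marks encryption with a `Proc-Type: 4,ENCRYPTED` header on the second line, which for an RSA or EC key begins past byte 40, so those keys presumably still fall through to the generic parse error this commit set out to improve — matching the two markers explicitly rather than a fixed prefix would cover both. LoadCertificates continues outside the hunk.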


@ -150,6 +150,12 @@ func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
return tls.Certificate{}, fmt.Errorf("no private key block found") return tls.Certificate{}, fmt.Errorf("no private key block found")
} }
// if the start of the key file looks like an encrypted private key,
// reject it with a helpful error message
if strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED") {
return tls.Certificate{}, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
}
cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes) cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
if err != nil { if err != nil {
return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err) return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
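Review bot: The added `strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED")` cannot be true for the data it inspects: keyPEMBytes goes straight into tls.X509KeyPair on the next line, which takes PEM, and a PEM block starts with `-----BEGIN `, not with `ENCRYPTED`, so this branch is dead and an encrypted key in a bundle still surfaces as the generic "making X509 key pair" error. The FileLoader and StorageLoader hunks in this commit use `strings.Contains` for the same test, and this one should match them: `if strings.Contains(string(keyPEMBytes[:40]), "ENCRYPTED") {`. The `[:40]` bound also wants a length guard here as in the other two hunks, since judging by the "no private key block found" message the preceding check only rules out an absent key, not one shorter than 40 bytes. tlsCertFromCertAndKeyPEMBundle starts outside the hunk.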


@ -17,6 +17,7 @@ package caddytls
import ( import (
"crypto/tls" "crypto/tls"
"fmt" "fmt"
"strings"
"github.com/caddyserver/certmagic" "github.com/caddyserver/certmagic"
@ -88,8 +89,16 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
switch pair.Format { switch pair.Format {
case "": case "":
fallthrough fallthrough
case "pem": case "pem":
// if the start of the key file looks like an encrypted private key,
// reject it with a helpful error message
if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
}
cert, err = tls.X509KeyPair(certData, keyData) cert, err = tls.X509KeyPair(certData, keyData)
default: default:
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format) return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
} }