mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-26 21:53:48 +03:00
caddytls: Give a better error message when given encrypted private keys (#6591)
This commit is contained in:
parent
ff67b97126
commit
9dda8fbf84
3 changed files with 24 additions and 0 deletions
|
@ -18,6 +18,7 @@ import (
|
|||
"crypto/tls"
|
||||
"fmt"
|
||||
"os"
|
||||
"strings"
|
||||
|
||||
"github.com/caddyserver/caddy/v2"
|
||||
)
|
||||
|
@ -92,8 +93,16 @@ func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
|
|||
switch pair.Format {
|
||||
case "":
|
||||
fallthrough
|
||||
|
||||
case "pem":
|
||||
// if the start of the key file looks like an encrypted private key,
|
||||
// reject it with a helpful error message
|
||||
if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
|
||||
return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
|
||||
}
|
||||
|
||||
cert, err = tls.X509KeyPair(certData, keyData)
|
||||
|
||||
default:
|
||||
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
|
||||
}
|
||||
|
|
|
@ -150,6 +150,12 @@ func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
|
|||
return tls.Certificate{}, fmt.Errorf("no private key block found")
|
||||
}
|
||||
|
||||
// if the start of the key file looks like an encrypted private key,
|
||||
// reject it with a helpful error message
|
||||
if strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED") {
|
||||
return tls.Certificate{}, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
|
||||
}
|
||||
|
||||
cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
|
||||
|
|
|
@ -17,6 +17,7 @@ package caddytls
|
|||
import (
|
||||
"crypto/tls"
|
||||
"fmt"
|
||||
"strings"
|
||||
|
||||
"github.com/caddyserver/certmagic"
|
||||
|
||||
|
@ -88,8 +89,16 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
|
|||
switch pair.Format {
|
||||
case "":
|
||||
fallthrough
|
||||
|
||||
case "pem":
|
||||
// if the start of the key file looks like an encrypted private key,
|
||||
// reject it with a helpful error message
|
||||
if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
|
||||
return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
|
||||
}
|
||||
|
||||
cert, err = tls.X509KeyPair(certData, keyData)
|
||||
|
||||
default:
|
||||
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue