Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: try parse private key instead of checking for error #1879

Merged
merged 1 commit into from
Aug 29, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 11 additions & 6 deletions x/cert/utils/key_pair_manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -264,29 +264,34 @@
}

var privKeyPlaintext []byte
var privKeyI interface{}

// PKCS#8 header defined in RFC7468 section 11
// nolint: gocritic
if block.Type == "ENCRYPTED PRIVATE KEY" {
privKeyPlaintext, err = pemutil.DecryptPKCS8PrivateKey(block.Bytes, kpm.passwordBytes)
} else if block.Headers["Proc-Type"] == "4,ENCRYPTED" {
// nolint: staticcheck
privKeyPlaintext, err = x509.DecryptPEMBlock(block, kpm.passwordBytes)
if errors.Is(err, x509.IncorrectPasswordError) {
privKeyPlaintext, _ = x509.DecryptPEMBlock(block, kpm.passwordBytes)

// DecryptPEMBlock may not return IncorrectPasswordError.
// Try parse private key instead and if it fails give another try with legacy password
privKeyI, err = x509.ParsePKCS8PrivateKey(privKeyPlaintext)
if err != nil {

Check warning on line 280 in x/cert/utils/key_pair_manager.go

View check run for this annotation

Codecov / codecov/patch

x/cert/utils/key_pair_manager.go#L275-L280

Added lines #L275 - L280 were not covered by tests
// nolint: staticcheck
privKeyPlaintext, err = x509.DecryptPEMBlock(block, kpm.passwordLegacy)
}
} else {
return nil, nil, nil, errUnsupportedEncryptedPEM
}

if err != nil {
return nil, nil, nil, fmt.Errorf("%w: failed decrypting x509 block with private key", err)
}

var privKeyI interface{}
if privKeyI, err = x509.ParsePKCS8PrivateKey(privKeyPlaintext); err != nil {
return nil, nil, nil, fmt.Errorf("%w: failed parsing private key data", err)
if privKeyI == nil {
if privKeyI, err = x509.ParsePKCS8PrivateKey(privKeyPlaintext); err != nil {
return nil, nil, nil, fmt.Errorf("%w: failed parsing private key data", err)
}

Check warning on line 294 in x/cert/utils/key_pair_manager.go

View check run for this annotation

Codecov / codecov/patch

x/cert/utils/key_pair_manager.go#L293-L294

Added lines #L293 - L294 were not covered by tests
}

eckey, valid := privKeyI.(*ecdsa.PrivateKey)
Expand Down