mirror of
https://github.com/caddyserver/caddy.git
synced 2024-11-25 09:40:13 +08:00
caddytls: Give a better error message when given encrypted private keys (#6591)
Some checks are pending
Tests / goreleaser-check (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
Tests / test (s390x on IBM Z) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, aix) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, linux) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, windows) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, aix) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, linux) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, windows) (push) Waiting to run
Lint / lint (windows-latest, windows) (push) Waiting to run
Lint / govulncheck (push) Waiting to run
Lint / lint (macos-14, mac) (push) Waiting to run
Lint / lint (ubuntu-latest, linux) (push) Waiting to run
Some checks are pending
Tests / goreleaser-check (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, macos-14, 0, 1.22, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.22.3, ubuntu-latest, 0, 1.22, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, macos-14, 0, 1.23, mac) (push) Waiting to run
Tests / test (./cmd/caddy/caddy, ~1.23.0, ubuntu-latest, 0, 1.23, linux) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.22.3, windows-latest, True, 1.22, windows) (push) Waiting to run
Tests / test (./cmd/caddy/caddy.exe, ~1.23.0, windows-latest, True, 1.23, windows) (push) Waiting to run
Tests / test (s390x on IBM Z) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, aix) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, darwin) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, dragonfly) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, freebsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, illumos) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, linux) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, netbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, openbsd) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, solaris) (push) Waiting to run
Cross-Build / build (~1.22.3, 1.22, windows) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, aix) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, darwin) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, dragonfly) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, freebsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, illumos) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, linux) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, netbsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, openbsd) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, solaris) (push) Waiting to run
Cross-Build / build (~1.23.0, 1.23, windows) (push) Waiting to run
Lint / lint (windows-latest, windows) (push) Waiting to run
Lint / govulncheck (push) Waiting to run
Lint / lint (macos-14, mac) (push) Waiting to run
Lint / lint (ubuntu-latest, linux) (push) Waiting to run
This commit is contained in:
Francis Lavoie
GitHub
parent
ff67b97126
commit
9dda8fbf84
|
|
@ -18,6 +18,7 @@ import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/caddyserver/caddy/v2"
|
"github.com/caddyserver/caddy/v2"
|
||||||
)
|
)
|
||||||
|
|
@ -92,8 +93,16 @@ func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
|
||||||
switch pair.Format {
|
switch pair.Format {
|
||||||
case "":
|
case "":
|
||||||
fallthrough
|
fallthrough
|
||||||
|
|
||||||
case "pem":
|
case "pem":
|
||||||
|
// if the start of the key file looks like an encrypted private key,
|
||||||
|
// reject it with a helpful error message
|
||||||
|
if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
|
||||||
|
return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
|
||||||
|
}
|
||||||
|
|
||||||
cert, err = tls.X509KeyPair(certData, keyData)
|
cert, err = tls.X509KeyPair(certData, keyData)
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
|
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -150,6 +150,12 @@ func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
|
||||||
return tls.Certificate{}, fmt.Errorf("no private key block found")
|
return tls.Certificate{}, fmt.Errorf("no private key block found")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// if the start of the key file looks like an encrypted private key,
|
||||||
|
// reject it with a helpful error message
|
||||||
|
if strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED") {
|
||||||
|
return tls.Certificate{}, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
|
||||||
|
}
|
||||||
|
|
||||||
cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
|
cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
|
return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
|
||||||
|
|
|
||||||
|
|
@ -17,6 +17,7 @@ package caddytls
|
||||||
import (
|
import (
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/caddyserver/certmagic"
|
"github.com/caddyserver/certmagic"
|
||||||
|
|
||||||
|
|
@ -88,8 +89,16 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
|
||||||
switch pair.Format {
|
switch pair.Format {
|
||||||
case "":
|
case "":
|
||||||
fallthrough
|
fallthrough
|
||||||
|
|
||||||
case "pem":
|
case "pem":
|
||||||
|
// if the start of the key file looks like an encrypted private key,
|
||||||
|
// reject it with a helpful error message
|
||||||
|
if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
|
||||||
|
return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
|
||||||
|
}
|
||||||
|
|
||||||
cert, err = tls.X509KeyPair(certData, keyData)
|
cert, err = tls.X509KeyPair(certData, keyData)
|
||||||
|
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
|
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user