authorFrancis Lavoie <lavofr@gmail.com>2024-09-25 08:00:48 -0400
committerGitHub <noreply@github.com>2024-09-25 06:00:48 -0600
commit9dda8fbf846db052243e6ce5ab707650da8c030e (patch)
treec4e73c1e4304b04b0eb6912aaee30bff40042c9a
parentff67b971267abb24774d18f323b0d6d43bfcdb3b (diff)
caddytls: Give a better error message when given encrypted private keys (#6591)
-rw-r--r--modules/caddytls/fileloader.go9
-rw-r--r--modules/caddytls/folderloader.go6
-rw-r--r--modules/caddytls/storageloader.go9
3 files changed, 24 insertions, 0 deletions
diff --git a/modules/caddytls/fileloader.go b/modules/caddytls/fileloader.go
index 8603bbe6..7d2927e2 100644
--- a/modules/caddytls/fileloader.go
+++ b/modules/caddytls/fileloader.go
@@ -18,6 +18,7 @@ import (
"crypto/tls"
"fmt"
"os"
+ "strings"
"github.com/caddyserver/caddy/v2"
)
@@ -92,8 +93,16 @@ func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
switch pair.Format {
case "":
fallthrough
+
case "pem":
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
+ return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
cert, err = tls.X509KeyPair(certData, keyData)
+
default:
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
}
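Review bot: `keyData[:40]` on the new `case "pem"` path panics with a slice-bounds error when the key file is shorter than 40 bytes (an empty or truncated file), turning what should be a config-load error into a runtime panic; clamp the bound, e.g. `if strings.Contains(string(keyData[:min(40, len(keyData))]), "ENCRYPTED") {` (`min` is a builtin since Go 1.21 — if the module targets an older version, clamp explicitly first). A 40-byte window also only catches the PKCS#8 `-----BEGIN ENCRYPTED PRIVATE KEY-----` header; a legacy OpenSSL-encrypted key signals encryption with a `Proc-Type: 4,ENCRYPTED` header on its second line, past 40 bytes, so it still falls through to the generic X509KeyPair error. Either widen the window to cover that case or note the limitation in the comment, e.g. `// only detects PKCS#8 "ENCRYPTED PRIVATE KEY" blocks; legacy Proc-Type-encrypted keys fall through to X509KeyPair`. LoadCertificates begins before this hunk.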
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index 89e978df..2df6f4ce 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -150,6 +150,12 @@ func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
return tls.Certificate{}, fmt.Errorf("no private key block found")
}
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED") {
+ return tls.Certificate{}, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
if err != nil {
return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
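Review bot: `strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED")` looks like it can never match: if keyPEMBytes holds a PEM-encoded block (which the `no private key block found` check just above suggests), the text starts with `-----BEGIN`, so the guard is dead and an encrypted key in a bundle still reaches X509KeyPair with its generic error. The other two loaders in this commit use `strings.Contains`, and this one should too: `if strings.Contains(string(keyPEMBytes[:40]), "ENCRYPTED") {`. The `[:40]` index also assumes at least 40 bytes are present; a re-encoded PEM block is presumably long enough, but clamping the bound to `len(keyPEMBytes)` costs nothing and removes the panic path. tlsCertFromCertAndKeyPEMBundle starts before this hunk.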
diff --git a/modules/caddytls/storageloader.go b/modules/caddytls/storageloader.go
index f9f0e7e6..c9487e89 100644
--- a/modules/caddytls/storageloader.go
+++ b/modules/caddytls/storageloader.go
@@ -17,6 +17,7 @@ package caddytls
import (
"crypto/tls"
"fmt"
+ "strings"
"github.com/caddyserver/certmagic"
@@ -88,8 +89,16 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
switch pair.Format {
case "":
fallthrough
+
case "pem":
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
+ return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
cert, err = tls.X509KeyPair(certData, keyData)
+
default:
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
}
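Review bot: `keyData[:40]` in the new `case "pem"` branch panics if the stored key is shorter than 40 bytes (an empty or corrupted storage entry), and here the data comes from the configured storage backend rather than a local file, so a bad entry takes down config loading with a panic instead of the error the rest of the switch returns; clamp the bound, e.g. `if strings.Contains(string(keyData[:min(40, len(keyData))]), "ENCRYPTED") {`. This check is now duplicated verbatim across three loaders with one of them already drifting (HasPrefix vs Contains); a small shared helper such as `func looksEncrypted(keyPEM []byte) bool` in the package would keep the bound clamping and the marker in one place. LoadCertificates begins before this hunk.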