cli: add support for encrypted private keys

This commit adds support for encrypted private keys. Now, the KES CLI can ask for a password and decrypt an encrypted private key. Since most PKI/TLS tooling on the internet still defaults to the (insecure) RFC 1423 methods, this functionality should be considered a mid-term solution. Signed-off-by: Andreas Auernhammer <[email protected]>
BitcoinOutput · Feb 7, 2022 · 479bf34 · 479bf34
1 parent 7457bf3
commit 479bf34
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 3 deletions.
diff --git a/cmd/kes/main.go b/cmd/kes/main.go
@@ -5,7 +5,11 @@
 package main
 
 import (
+	"bytes"
 	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
 	"flag"
 	"fmt"
 	stdlog "log"
@@ -105,7 +109,43 @@ func newClient(insecureSkipVerify bool) *kes.Client {
 		stdlog.Fatal("Error: no TLS private key. Environment variable 'KES_CLIENT_KEY' is empty")
 	}
 
-	cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+	certPem, err := os.ReadFile(certPath)
+	if err != nil {
+		stdlog.Fatalf("Error: failed to load TLS certificate: %v", err)
+	}
+	keyPem, err := os.ReadFile(keyPath)
+	if err != nil {
+		stdlog.Fatalf("Error: failed to load TLS private key: %v", err)
+	}
+
+	// Check whether the private key is encrypted. If so, ask the user
+	// to enter the password on the CLI.
+	privateKey, rest := pem.Decode(bytes.TrimSpace(keyPem))
+	if len(rest) > 0 {
+		stdlog.Fatal("Error: failed to load TLS private key: PEM block contains additional unknown data")
+	}
+	if privateKey.Type != "PRIVATE KEY" && !strings.HasSuffix(privateKey.Type, " PRIVATE KEY") {
+		stdlog.Fatalf("Error: failed to load TLS private key: invalid type %q", privateKey.Type)
+	}
+	if len(privateKey.Headers) > 0 && x509.IsEncryptedPEMBlock(privateKey) {
+		fmt.Print("Enter password for private key: ")
+		password, err := term.ReadPassword(int(os.Stdin.Fd()))
+		if err != nil {
+			stdlog.Fatalf("Error: failed to read private key password: %v", err)
+		}
+		fmt.Println() // Add the newline again
+
+		decPrivateKey, err := x509.DecryptPEMBlock(privateKey, password)
+		if err != nil {
+			if errors.Is(err, x509.IncorrectPasswordError) {
+				stdlog.Fatalf("Error: incorrect password")
+			}
+			stdlog.Fatalf("Error: failed to decrypt private key: %v", err)
+		}
+		keyPem = pem.EncodeToMemory(&pem.Block{Type: privateKey.Type, Bytes: decPrivateKey})
+	}
+
+	cert, err := tls.X509KeyPair(certPem, keyPem)
 	if err != nil {
 		stdlog.Fatalf("Error: failed to load TLS private key or certificate: %v", err)
 	}

diff --git a/internal/fips/fips.go b/internal/fips/fips.go
@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build fips && linux && amd64
-// +build fips,linux,amd64
 
 package fips
 

diff --git a/internal/fips/nofips.go b/internal/fips/nofips.go
@@ -3,7 +3,6 @@
 // license that can be found in the LICENSE file.
 
 //go:build !fips
-// +build !fips
 
 package fips