2018-12-11 02:59:03 +10:00
|
|
|
// Copyright 2015 Matthew Holt
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
package certmagic
|
|
|
|
|
|
|
|
import (
|
|
|
|
"bytes"
|
|
|
|
"crypto"
|
|
|
|
"crypto/ecdsa"
|
2020-07-28 08:50:41 +10:00
|
|
|
"crypto/ed25519"
|
2018-12-11 02:59:03 +10:00
|
|
|
"crypto/elliptic"
|
|
|
|
"crypto/rand"
|
|
|
|
"crypto/rsa"
|
|
|
|
"crypto/x509"
|
|
|
|
"testing"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestEncodeDecodeRSAPrivateKey(t *testing.T) {
|
|
|
|
privateKey, err := rsa.GenerateKey(rand.Reader, 128) // make tests faster; small key size OK for testing
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// test save
|
2022-02-18 07:37:50 +10:00
|
|
|
savedBytes, err := PEMEncodePrivateKey(privateKey)
|
2018-12-11 02:59:03 +10:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal("error saving private key:", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// test load
|
2022-02-18 07:37:50 +10:00
|
|
|
loadedKey, err := PEMDecodePrivateKey(savedBytes)
|
2018-12-11 02:59:03 +10:00
|
|
|
if err != nil {
|
|
|
|
t.Error("error loading private key:", err)
|
|
|
|
}
|
|
|
|
|
Check keyBlockDER for nil (#147)
I got following panic while Caddy was running:
2021/10/26 08:06:34 panic: certificate worker: runtime error: invalid memory address or nil pointer dereference
goroutine 43 [running]:
github.com/caddyserver/certmagic.(*jobManager).worker.func1()
github.com/caddyserver/certmagic@v0.14.5/async.go:58 +0x65
panic({0x145d400, 0x23d6c50})
runtime/panic.go:1038 +0x215
github.com/caddyserver/certmagic.decodePrivateKey({0xc000738c00, 0x0, 0x0})
github.com/caddyserver/certmagic@v0.14.5/crypto.go:75 +0x2a
github.com/caddyserver/certmagic.(*Config).reusePrivateKey(0xc0003b77c0, {0xc0003b1640, 0x32})
github.com/caddyserver/certmagic@v0.14.5/config.go:602 +0x2b9
github.com/caddyserver/certmagic.(*Config).obtainCert.func2({0x190d3b8, 0xc000655920})
github.com/caddyserver/certmagic@v0.14.5/config.go:487 +0x1d6
github.com/caddyserver/certmagic.doWithRetry({0x190d310, 0xc0000b0440}, 0xc00003bd40, 0xc0007afba8)
github.com/caddyserver/certmagic@v0.14.5/async.go:106 +0x1cc
github.com/caddyserver/certmagic.(*Config).obtainCert(0xc0003b77c0, {0x190d310, 0xc0000b0440}, {0xc0003b1640, 0x32}, 0x0)
github.com/caddyserver/certmagic@v0.14.5/config.go:572 +0x58e
github.com/caddyserver/certmagic.(*Config).ObtainCertAsync(...)
github.com/caddyserver/certmagic@v0.14.5/config.go:427
github.com/caddyserver/certmagic.(*Config).manageOne.func1()
github.com/caddyserver/certmagic@v0.14.5/config.go:332 +0x6f
github.com/caddyserver/certmagic.(*jobManager).worker(0x23e0c60)
github.com/caddyserver/certmagic@v0.14.5/async.go:73 +0x112
created by github.com/caddyserver/certmagic.(*jobManager).Submit
github.com/caddyserver/certmagic@v0.14.5/async.go:50 +0x288
According to Go documentation: https://pkg.go.dev/encoding/pem#Decode
p can be nil (first parameter returned) and so it should be checked
before continuing as per this example:
https://pkg.go.dev/encoding/pem#example-Decode
I also added a test to verify that the fix works. Running the test
without the fix causes a panic.
Test: go test -count=1 './...'
2021-10-27 06:11:35 +10:00
|
|
|
// test load (should fail)
|
2022-02-18 07:37:50 +10:00
|
|
|
_, err = PEMDecodePrivateKey(savedBytes[2:])
|
Check keyBlockDER for nil (#147)
I got following panic while Caddy was running:
2021/10/26 08:06:34 panic: certificate worker: runtime error: invalid memory address or nil pointer dereference
goroutine 43 [running]:
github.com/caddyserver/certmagic.(*jobManager).worker.func1()
github.com/caddyserver/certmagic@v0.14.5/async.go:58 +0x65
panic({0x145d400, 0x23d6c50})
runtime/panic.go:1038 +0x215
github.com/caddyserver/certmagic.decodePrivateKey({0xc000738c00, 0x0, 0x0})
github.com/caddyserver/certmagic@v0.14.5/crypto.go:75 +0x2a
github.com/caddyserver/certmagic.(*Config).reusePrivateKey(0xc0003b77c0, {0xc0003b1640, 0x32})
github.com/caddyserver/certmagic@v0.14.5/config.go:602 +0x2b9
github.com/caddyserver/certmagic.(*Config).obtainCert.func2({0x190d3b8, 0xc000655920})
github.com/caddyserver/certmagic@v0.14.5/config.go:487 +0x1d6
github.com/caddyserver/certmagic.doWithRetry({0x190d310, 0xc0000b0440}, 0xc00003bd40, 0xc0007afba8)
github.com/caddyserver/certmagic@v0.14.5/async.go:106 +0x1cc
github.com/caddyserver/certmagic.(*Config).obtainCert(0xc0003b77c0, {0x190d310, 0xc0000b0440}, {0xc0003b1640, 0x32}, 0x0)
github.com/caddyserver/certmagic@v0.14.5/config.go:572 +0x58e
github.com/caddyserver/certmagic.(*Config).ObtainCertAsync(...)
github.com/caddyserver/certmagic@v0.14.5/config.go:427
github.com/caddyserver/certmagic.(*Config).manageOne.func1()
github.com/caddyserver/certmagic@v0.14.5/config.go:332 +0x6f
github.com/caddyserver/certmagic.(*jobManager).worker(0x23e0c60)
github.com/caddyserver/certmagic@v0.14.5/async.go:73 +0x112
created by github.com/caddyserver/certmagic.(*jobManager).Submit
github.com/caddyserver/certmagic@v0.14.5/async.go:50 +0x288
According to Go documentation: https://pkg.go.dev/encoding/pem#Decode
p can be nil (first parameter returned) and so it should be checked
before continuing as per this example:
https://pkg.go.dev/encoding/pem#example-Decode
I also added a test to verify that the fix works. Running the test
without the fix causes a panic.
Test: go test -count=1 './...'
2021-10-27 06:11:35 +10:00
|
|
|
if err == nil {
|
|
|
|
t.Error("loading private key should have failed")
|
|
|
|
}
|
|
|
|
|
2018-12-11 02:59:03 +10:00
|
|
|
// verify loaded key is correct
|
|
|
|
if !privateKeysSame(privateKey, loadedKey) {
|
|
|
|
t.Error("Expected key bytes to be the same, but they weren't")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestSaveAndLoadECCPrivateKey(t *testing.T) {
|
|
|
|
privateKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// test save
|
2022-02-18 07:37:50 +10:00
|
|
|
savedBytes, err := PEMEncodePrivateKey(privateKey)
|
2018-12-11 02:59:03 +10:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal("error saving private key:", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// test load
|
2022-02-18 07:37:50 +10:00
|
|
|
loadedKey, err := PEMDecodePrivateKey(savedBytes)
|
2018-12-11 02:59:03 +10:00
|
|
|
if err != nil {
|
|
|
|
t.Error("error loading private key:", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// verify loaded key is correct
|
|
|
|
if !privateKeysSame(privateKey, loadedKey) {
|
|
|
|
t.Error("Expected key bytes to be the same, but they weren't")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// privateKeysSame compares the bytes of a and b and returns true if they are the same.
|
|
|
|
func privateKeysSame(a, b crypto.PrivateKey) bool {
|
|
|
|
return bytes.Equal(privateKeyBytes(a), privateKeyBytes(b))
|
|
|
|
}
|
|
|
|
|
|
|
|
// privateKeyBytes returns the bytes of DER-encoded key.
|
|
|
|
func privateKeyBytes(key crypto.PrivateKey) []byte {
|
|
|
|
var keyBytes []byte
|
|
|
|
switch key := key.(type) {
|
|
|
|
case *rsa.PrivateKey:
|
|
|
|
keyBytes = x509.MarshalPKCS1PrivateKey(key)
|
|
|
|
case *ecdsa.PrivateKey:
|
|
|
|
keyBytes, _ = x509.MarshalECPrivateKey(key)
|
2020-07-28 08:50:41 +10:00
|
|
|
case ed25519.PrivateKey:
|
|
|
|
return key
|
2018-12-11 02:59:03 +10:00
|
|
|
}
|
|
|
|
return keyBytes
|
|
|
|
}
|