summaryrefslogtreecommitdiffhomepage
path: root/modules
diff options
context:
space:
mode:
authorFrancis Lavoie <[email protected]>2024-09-25 08:00:48 -0400
committerGitHub <[email protected]>2024-09-25 06:00:48 -0600
commit9dda8fbf846db052243e6ce5ab707650da8c030e (patch)
treec4e73c1e4304b04b0eb6912aaee30bff40042c9a /modules
parentff67b971267abb24774d18f323b0d6d43bfcdb3b (diff)
downloadcaddy-9dda8fbf846db052243e6ce5ab707650da8c030e.tar.gz
caddy-9dda8fbf846db052243e6ce5ab707650da8c030e.zip
caddytls: Give a better error message when given encrypted private keys (#6591)
Diffstat (limited to 'modules')
-rw-r--r--modules/caddytls/fileloader.go9
-rw-r--r--modules/caddytls/folderloader.go6
-rw-r--r--modules/caddytls/storageloader.go9
3 files changed, 24 insertions, 0 deletions
diff --git a/modules/caddytls/fileloader.go b/modules/caddytls/fileloader.go
index 8603bbe65..7d2927e2a 100644
--- a/modules/caddytls/fileloader.go
+++ b/modules/caddytls/fileloader.go
@@ -18,6 +18,7 @@ import (
"crypto/tls"
"fmt"
"os"
+ "strings"
"github.com/caddyserver/caddy/v2"
)
@@ -92,8 +93,16 @@ func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
switch pair.Format {
case "":
fallthrough
+
case "pem":
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
+ return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
cert, err = tls.X509KeyPair(certData, keyData)
+
default:
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
}
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index 89e978df6..2df6f4cee 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -150,6 +150,12 @@ func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
return tls.Certificate{}, fmt.Errorf("no private key block found")
}
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED") {
+ return tls.Certificate{}, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
if err != nil {
return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
diff --git a/modules/caddytls/storageloader.go b/modules/caddytls/storageloader.go
index f9f0e7e68..c9487e892 100644
--- a/modules/caddytls/storageloader.go
+++ b/modules/caddytls/storageloader.go
@@ -17,6 +17,7 @@ package caddytls
import (
"crypto/tls"
"fmt"
+ "strings"
"github.com/caddyserver/certmagic"
@@ -88,8 +89,16 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
switch pair.Format {
case "":
fallthrough
+
case "pem":
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
+ return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
cert, err = tls.X509KeyPair(certData, keyData)
+
default:
return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
}