Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Remove the use of "golang.org/x/crypto/pkcs12" (#3601)

Switch to software.sslmate.com/src/go-pkcs12 instead

Signed-off-by: yihuaf <yihuaf@unkies.org>
Eric Fang 1 year ago
parent
c7fc730019
commit
ebae16beb3
4 changed files with 32 additions and 37 deletions
Split View Show Diff Stats
  1. 2 2
      pkg/provider/azure/keyvault/keyvault.go
  2. 1 1
      pkg/template/v1/template.go
  3. 28 34
      pkg/template/v2/pkcs12.go
  4. 1 0
      pkg/template/v2/template.go

+ 2 - 2
pkg/provider/azure/keyvault/keyvault.go
View File 

@@ -35,7 +35,6 @@ import (
 
 	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
 
 	"github.com/lestrrat-go/jwx/v2/jwk"
 
 	"github.com/tidwall/gjson"
 
-	"golang.org/x/crypto/pkcs12"
 
 	"golang.org/x/crypto/sha3"
 
 	authv1 "k8s.io/api/authentication/v1"
 
 	corev1 "k8s.io/api/core/v1"
 
@@ -47,6 +46,7 @@ import (
 
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
 
+	gopkcs12 "software.sslmate.com/src/go-pkcs12"
 
 
 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 
 	"github.com/external-secrets/external-secrets/pkg/constants"
 
@@ -345,7 +345,7 @@ func (a *Azure) SecretExists(ctx context.Context, remoteRef esv1beta1.PushSecret
 
 
 func getCertificateFromValue(value []byte) (*x509.Certificate, error) {
 
 	// 1st: try decode pkcs12
 
-	_, localCert, err := pkcs12.Decode(value, "")
 
+	_, localCert, err := gopkcs12.Decode(value, "")
 
 	if err == nil {
 
 		return localCert, nil
 
 	}

+ 1 - 1
pkg/template/v1/template.go
View File 

@@ -26,8 +26,8 @@ import (
 
 
 	"github.com/lestrrat-go/jwx/v2/jwk"
 
 	"github.com/youmark/pkcs8"
 
-	"golang.org/x/crypto/pkcs12"
 
 	corev1 "k8s.io/api/core/v1"
 
+	"software.sslmate.com/src/go-pkcs12"
 
 
 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 
 )

+ 28 - 34
pkg/template/v2/pkcs12.go
View File 

@@ -21,41 +21,28 @@ import (
 
 	"encoding/pem"
 
 	"fmt"
 
 
-	"golang.org/x/crypto/pkcs12"
 
 	gopkcs12 "software.sslmate.com/src/go-pkcs12"
 
 )
 
 
 func pkcs12keyPass(pass, input string) (string, error) {
 
-	blocks, err := pkcs12.ToPEM([]byte(input), pass)
 
+	privateKey, _, _, err := gopkcs12.DecodeChain([]byte(input), pass)
 
 	if err != nil {
 
 		return "", fmt.Errorf(errDecodePKCS12WithPass, err)
 
 	}
 
 
-	var pemData []byte
 
-	for _, block := range blocks {
 
-		// remove bag attributes like localKeyID, friendlyName
 
-		block.Headers = nil
 
-		if block.Type == pemTypeCertificate {
 
-			continue
 
-		}
 
-		key, err := parsePrivateKey(block.Bytes)
 
-		if err != nil {
 
-			return "", err
 
-		}
 
-		// we use pkcs8 because it supports more key types (ecdsa, ed25519), not just RSA
 
-		block.Bytes, err = x509.MarshalPKCS8PrivateKey(key)
 
-		if err != nil {
 
-			return "", err
 
-		}
 
-		// report error if encode fails
 
-		var buf bytes.Buffer
 
-		if err := pem.Encode(&buf, block); err != nil {
 
-			return "", err
 
-		}
 
-		pemData = append(pemData, buf.Bytes()...)
 
+	marshalPrivateKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
 
+	if err != nil {
 
+		return "", err
 
 	}
 
 
-	return string(pemData), nil
 
+	var buf bytes.Buffer
 
+	if err := pem.Encode(&buf, &pem.Block{
 
+		Type:  pemTypeKey,
 
+		Bytes: marshalPrivateKey,
 
+	}); err != nil {
 
+		return "", err
 
+	}
 
+	return buf.String(), nil
 
 }
 
 
 func parsePrivateKey(block []byte) (any, error) {
 
@@ -76,21 +63,28 @@ func pkcs12key(input string) (string, error) {
 
 }
 
 
 func pkcs12certPass(pass, input string) (string, error) {
 
-	blocks, err := pkcs12.ToPEM([]byte(input), pass)
 
+	_, certificate, caCerts, err := gopkcs12.DecodeChain([]byte(input), pass)
 
 	if err != nil {
 
 		return "", fmt.Errorf(errDecodeCertWithPass, err)
 
 	}
 
 
 	var pemData []byte
 
-	for _, block := range blocks {
 
-		if block.Type != pemTypeCertificate {
 
-			continue
 
-		}
 
-		// remove bag attributes like localKeyID, friendlyName
 
-		block.Headers = nil
 
-		// report error if encode fails
 
+	var buf bytes.Buffer
 
+	if err := pem.Encode(&buf, &pem.Block{
 
+		Type:  pemTypeCertificate,
 
+		Bytes: certificate.Raw,
 
+	}); err != nil {
 
+		return "", err
 
+	}
 
+
 
+	pemData = append(pemData, buf.Bytes()...)
 
+
 
+	for _, ca := range caCerts {
 
 		var buf bytes.Buffer
 
-		if err := pem.Encode(&buf, block); err != nil {
 
+		if err := pem.Encode(&buf, &pem.Block{
 
+			Type:  pemTypeCertificate,
 
+			Bytes: ca.Raw,
 
+		}); err != nil {
 
 			return "", err
 
 		}
 
 		pemData = append(pemData, buf.Bytes()...)

+ 1 - 0
pkg/template/v2/template.go
View File 

@@ -59,6 +59,7 @@ const (
 
 	errParsePrivKey         = "unable to parse private key type"
 
 
 	pemTypeCertificate = "CERTIFICATE"
 
+	pemTypeKey         = "PRIVATE KEY"
 
 )
 
 
 func init() {