add the ability to decrypt TLS private keys #35
tlsconfig/config.go (outdated)

```go
if err != nil {
	return nil, errors.Wrap(err, "private key is encrypted, but could not decrypt it")
}
keyBytes = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyBytes})
```
Usually this contains a type, such as `EC PRIVATE KEY` or `RSA PRIVATE KEY` - we can probably just keep the previous one: `keyBytes = pem.EncodeToMemory(&pem.Block{Type: pemBlock.Type, Bytes: keyBytes})`
tlsconfig/config_test.go (outdated)

```go
if err == nil || tlsConfig != nil {
	t.Fatal("Expected failure due to incorrect passphrase.")
}
```
Do we want to assert that it is specifically a passphrase error?

```go
if !IsErrEncryptedKey(err) || tlsConfig != nil {
    ...
```
Thank you for the review @cyli. Yes, this seems a better test. I have updated the PR to address both changes (pem.EncodeToMemory() and the specific passphrase error in the test).

Thanks for working on this @adshmh!
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
b00eb56 to 9a08a30
LGTM! Thank you for your continued work on improving this library and for your patience!
LGTM 🐮
Added the ability to accept a passphrase and decrypt a TLS private key, by adding a 'Passphrase' to the Options struct and the functionality required to decrypt TLS keys.

This is needed to address moby/moby#30935. A few rounds of reviews were done in moby/moby#31364 on the code in this PR as part of stubbing out the overall implementation.

Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
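An added example, not code from this PR or from the go-connections library, showing in Go the decrypt-and-re-encode step the review discusses: the decrypted key is re-encoded under the original PEM block type (`EC PRIVATE KEY`, `RSA PRIVATE KEY`, ...), a wrong passphrase is reported as one distinguishable error, and an unencrypted key passes through untouched. `DecryptPEMKey`, `ErrIncorrectPassphrase`, `parsesAsPrivateKey` and `encryptedTestKey` are names assumed here; the encrypted key is constructed in-process as sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

var ErrIncorrectPassphrase = errors.New("private key is encrypted, but could not decrypt it")
// DecryptPEMKey returns keyBytes as plaintext PEM: a legacy encrypted block (Proc-Type:
// 4,ENCRYPTED) is decrypted and re-encoded under its ORIGINAL type, e.g. "EC PRIVATE KEY".
func DecryptPEMKey(keyBytes []byte, passphrase string) ([]byte, error) {
	block, _ := pem.Decode(keyBytes)
	if block == nil {
		return nil, errors.New("no valid PEM block found in private key")
	}
	if !x509.IsEncryptedPEMBlock(block) {
		return keyBytes, nil // already plaintext: pass through untouched
	}
	der, err := x509.DecryptPEMBlock(block, []byte(passphrase))
	// ~1 in 256 wrong passphrases decrypts to junk with valid padding, so the DER is parsed too.
	if err != nil || !parsesAsPrivateKey(der) {
		return nil, errors.Join(ErrIncorrectPassphrase, err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der}), nil
}

func parsesAsPrivateKey(der []byte) bool {
	_, e1 := x509.ParseECPrivateKey(der)
	_, e2 := x509.ParsePKCS1PrivateKey(der)
	_, e3 := x509.ParsePKCS8PrivateKey(der)
	return e1 == nil || e2 == nil || e3 == nil
}

// encryptedTestKey is CONSTRUCTED sample input: a throwaway P-256 key encrypted with AES-256-CBC.
func encryptedTestKey(passphrase string) []byte {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalECPrivateKey(priv)
	blk, _ := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", der, []byte(passphrase), x509.PEMCipherAES256)
	return pem.EncodeToMemory(blk)
}

func main() {
	_, err := DecryptPEMKey(encryptedTestKey("s3cret"), "wrong")
	fmt.Println(errors.Is(err, ErrIncorrectPassphrase)) // true
}
```

The legacy PEM encryption handled by `x509.IsEncryptedPEMBlock` and `x509.DecryptPEMBlock` is deprecated in Go's standard library because the scheme itself is weak; it is kept here only because that is the key format this PR adds support for.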