feat: add a way to represent redacted x509 private keys

If the x509 private key is set to be `******`, do not base64-encode it in the YAML representation, so it stays human-readable, clearly communicating that it is redacted.

Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com>

Author: utkuozdemir

x509/x509.go

@@ -27,6 +27,11 @@ import (
 	"time"
 )
 
+// Redacted is a special string that is used to indicate that a private key should be YAML-marshaled without the base64 encoding.
+//
+// If the value of a private key is exactly this string (in bytes), it will be marshaled as-is into YAML, without the base64 encoding.
+const Redacted = "******"
+
 // CertificateAuthority represents a CA.
 type CertificateAuthority struct {
 	Crt    *x509.Certificate
@@ -789,13 +794,18 @@ func (p *PEMEncodedCertificateAndKey) UnmarshalYAML(unmarshal func(interface{})
 		return err
 	}
 
-	decodedKey, err := base64.StdEncoding.DecodeString(aux.Key)
-	if err != nil {
-		return err
-	}
-
 	p.Crt = decodedCrt
-	p.Key = decodedKey
+
+	if aux.Key == Redacted {
+		p.Key = []byte(Redacted)
+	} else {
+		decodedKey, err := base64.StdEncoding.DecodeString(aux.Key)
+		if err != nil {
+			return err
+		}
+
+		p.Key = decodedKey
+	}
 
 	return nil
 }
@@ -811,7 +821,12 @@ func (p *PEMEncodedCertificateAndKey) MarshalYAML() (interface{}, error) {
 	}
 
 	aux.Crt = base64.StdEncoding.EncodeToString(p.Crt)
-	aux.Key = base64.StdEncoding.EncodeToString(p.Key)
+
+	if string(p.Key) == Redacted {
+		aux.Key = Redacted
+	} else {
+		aux.Key = base64.StdEncoding.EncodeToString(p.Key)
+	}
 
 	return aux, nil
 }
@@ -939,12 +954,16 @@ func (p *PEMEncodedKey) UnmarshalYAML(unmarshal func(interface{}) error) error {
 		return err
 	}
 
-	decodedKey, err := base64.StdEncoding.DecodeString(aux.Key)
-	if err != nil {
-		return err
-	}
+	if aux.Key == Redacted {
+		p.Key = []byte(Redacted)
+	} else {
+		decodedKey, err := base64.StdEncoding.DecodeString(aux.Key)
+		if err != nil {
+			return err
+		}
 
-	p.Key = decodedKey
+		p.Key = decodedKey
+	}
 
 	return nil
 }
@@ -958,7 +977,11 @@ func (p *PEMEncodedKey) MarshalYAML() (interface{}, error) {
 		Key string `yaml:"key"`
 	}
 
-	aux.Key = base64.StdEncoding.EncodeToString(p.Key)
+	if string(p.Key) == Redacted {
+		aux.Key = Redacted
+	} else {
+		aux.Key = base64.StdEncoding.EncodeToString(p.Key)
+	}
 
 	return aux, nil
 }

x509/x509_test.go

@@ -7,6 +7,7 @@ package x509_test
 import (
 	stdx509 "crypto/x509"
 	"crypto/x509/pkix"
+	"encoding/base64"
 	"testing"
 	"time"
 
@@ -327,3 +328,44 @@ func TestNewCertificateFromCSR(t *testing.T) {
 	assert.Equal(t, []string{"os:admin"}, crt1.X509Certificate.Subject.Organization)
 	assert.Equal(t, []string(nil), crt2.X509Certificate.Subject.Organization)
 }
+
+func TestPEMEncodedCertificateAndKeyYAMLMarshaling(t *testing.T) {
+	t.Parallel()
+
+	// when key is not set to redacted, it should be base64'd on marshaling
+
+	pair := &x509.PEMEncodedCertificateAndKey{
+		Crt: []byte("crt"),
+		Key: []byte("key"),
+	}
+
+	bytes, err := yaml.Marshal(pair)
+	require.NoError(t, err)
+
+	var m map[string]any
+
+	require.NoError(t, yaml.Unmarshal(bytes, &m))
+
+	assert.Equal(t, base64.StdEncoding.EncodeToString(pair.Key), m["key"])
+	assert.Equal(t, base64.StdEncoding.EncodeToString(pair.Crt), m["crt"])
+
+	// when the key is set to Redacted, it should be marshaled as-is, without base64 encoding
+
+	pair.Key = []byte(x509.Redacted)
+
+	bytes, err = yaml.Marshal(pair)
+	require.NoError(t, err)
+
+	require.NoError(t, yaml.Unmarshal(bytes, &m))
+
+	assert.Equal(t, x509.Redacted, m["key"])
+	assert.Equal(t, base64.StdEncoding.EncodeToString(pair.Crt), m["crt"])
+
+	// unmarshal should work with redacted key
+
+	var unmarshalPair x509.PEMEncodedCertificateAndKey
+
+	require.NoError(t, yaml.Unmarshal(bytes, &unmarshalPair))
+
+	assert.Equal(t, []byte(x509.Redacted), unmarshalPair.Key)
+}