Remove the use of "golang.org/x/crypto/pkcs12" (#3601)
Switch to software.sslmate.com/src/go-pkcs12 instead.

Signed-off-by: yihuaf <yihuaf@unkies.org>
This commit is contained in:
parent
c7fc730019
commit
ebae16beb3
4 changed files with 32 additions and 37 deletions
|
@ -35,7 +35,6 @@ import (
|
|||
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
|
||||
"github.com/lestrrat-go/jwx/v2/jwk"
|
||||
"github.com/tidwall/gjson"
|
||||
"golang.org/x/crypto/pkcs12"
|
||||
"golang.org/x/crypto/sha3"
|
||||
authv1 "k8s.io/api/authentication/v1"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
|
@ -47,6 +46,7 @@ import (
|
|||
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||
ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
|
||||
"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
|
||||
gopkcs12 "software.sslmate.com/src/go-pkcs12"
|
||||
|
||||
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
|
||||
"github.com/external-secrets/external-secrets/pkg/constants"
|
||||
|
@ -345,7 +345,7 @@ func (a *Azure) SecretExists(ctx context.Context, remoteRef esv1beta1.PushSecret
|
|||
|
||||
func getCertificateFromValue(value []byte) (*x509.Certificate, error) {
|
||||
// 1st: try decode pkcs12
|
||||
_, localCert, err := pkcs12.Decode(value, "")
|
||||
_, localCert, err := gopkcs12.Decode(value, "")
|
||||
if err == nil {
|
||||
return localCert, nil
|
||||
}
|
||||
|
|
|
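Review bot: `gopkcs12.Decode` in getCertificateFromValue keeps the single-certificate restriction of the old x/crypto call — go-pkcs12 documents Decode as assuming exactly one certificate and one key and rejects bundles that also carry CA certificates — while the template helpers in this same commit moved to DecodeChain. For consistency, and so leaf-plus-chain PFX blobs are accepted here too, `_, localCert, _, err := gopkcs12.DecodeChain(value, "")` would return the leaf in the same position. The body of getCertificateFromValue continues outside the hunk, so I cannot tell whether a later fallback decoder already compensates for this. Either way a comment on the call, `// Decode fails on bundles with CA certificates; use DecodeChain if chains must be accepted`, would make the limitation visible.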
@ -26,8 +26,8 @@ import (
|
|||
|
||||
"github.com/lestrrat-go/jwx/v2/jwk"
|
||||
"github.com/youmark/pkcs8"
|
||||
"golang.org/x/crypto/pkcs12"
|
||||
corev1 "k8s.io/api/core/v1"
|
||||
"software.sslmate.com/src/go-pkcs12"
|
||||
|
||||
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
|
||||
)
|
||||
|
|
|
@ -21,41 +21,28 @@ import (
|
|||
"encoding/pem"
|
||||
"fmt"
|
||||
|
||||
"golang.org/x/crypto/pkcs12"
|
||||
gopkcs12 "software.sslmate.com/src/go-pkcs12"
|
||||
)
|
||||
|
||||
func pkcs12keyPass(pass, input string) (string, error) {
|
||||
blocks, err := pkcs12.ToPEM([]byte(input), pass)
|
||||
privateKey, _, _, err := gopkcs12.DecodeChain([]byte(input), pass)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf(errDecodePKCS12WithPass, err)
|
||||
}
|
||||
|
||||
var pemData []byte
|
||||
for _, block := range blocks {
|
||||
// remove bag attributes like localKeyID, friendlyName
|
||||
block.Headers = nil
|
||||
if block.Type == pemTypeCertificate {
|
||||
continue
|
||||
}
|
||||
key, err := parsePrivateKey(block.Bytes)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
// we use pkcs8 because it supports more key types (ecdsa, ed25519), not just RSA
|
||||
block.Bytes, err = x509.MarshalPKCS8PrivateKey(key)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
// report error if encode fails
|
||||
var buf bytes.Buffer
|
||||
if err := pem.Encode(&buf, block); err != nil {
|
||||
return "", err
|
||||
}
|
||||
pemData = append(pemData, buf.Bytes()...)
|
||||
marshalPrivateKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return string(pemData), nil
|
||||
var buf bytes.Buffer
|
||||
if err := pem.Encode(&buf, &pem.Block{
|
||||
Type: pemTypeKey,
|
||||
Bytes: marshalPrivateKey,
|
||||
}); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return buf.String(), nil
|
||||
}
|
||||
|
||||
func parsePrivateKey(block []byte) (any, error) {
|
||||
|
@ -76,21 +63,28 @@ func pkcs12key(input string) (string, error) {
|
|||
}
|
||||
|
||||
func pkcs12certPass(pass, input string) (string, error) {
|
||||
blocks, err := pkcs12.ToPEM([]byte(input), pass)
|
||||
_, certificate, caCerts, err := gopkcs12.DecodeChain([]byte(input), pass)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf(errDecodeCertWithPass, err)
|
||||
}
|
||||
|
||||
var pemData []byte
|
||||
for _, block := range blocks {
|
||||
if block.Type != pemTypeCertificate {
|
||||
continue
|
||||
}
|
||||
// remove bag attributes like localKeyID, friendlyName
|
||||
block.Headers = nil
|
||||
// report error if encode fails
|
||||
var buf bytes.Buffer
|
||||
if err := pem.Encode(&buf, &pem.Block{
|
||||
Type: pemTypeCertificate,
|
||||
Bytes: certificate.Raw,
|
||||
}); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
pemData = append(pemData, buf.Bytes()...)
|
||||
|
||||
for _, ca := range caCerts {
|
||||
var buf bytes.Buffer
|
||||
if err := pem.Encode(&buf, block); err != nil {
|
||||
if err := pem.Encode(&buf, &pem.Block{
|
||||
Type: pemTypeCertificate,
|
||||
Bytes: ca.Raw,
|
||||
}); err != nil {
|
||||
return "", err
|
||||
}
|
||||
pemData = append(pemData, buf.Bytes()...)
|
||||
|
|
|
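Review bot: pkcs12keyPass now rejects inputs the old ToPEM loop accepted — if I recall go-pkcs12's contract correctly, `DecodeChain` errors on a PFX with more than one key bag or with no certificate at all, while ToPEM simply emitted every bag it found, so a key-only bundle that worked before will now surface as errDecodePKCS12WithPass. If that stricter behaviour is intended, say so above the DecodeChain call, e.g. `// DecodeChain requires exactly one key bag plus a leaf certificate; key-only or multi-key bundles are rejected`, and add a fixture for the key-only case so the change is deliberate rather than incidental. In pkcs12certPass the leaf and each CA are encoded by two identical pem.Encode blocks; iterating over the leaf and caCerts together keeps a single encode path and documents that the output order is now leaf-first rather than bag order. Both function bodies run past their hunks, so the final return statements were not reviewed.
```go
func pkcs12certPass(pass, input string) (string, error) {
	_, certificate, caCerts, err := gopkcs12.DecodeChain([]byte(input), pass)
	if err != nil {
		return "", fmt.Errorf(errDecodeCertWithPass, err)
	}

	// Leaf first, then the CA chain in the order go-pkcs12 returned it.
	var pemData []byte
	for _, cert := range append([]*x509.Certificate{certificate}, caCerts...) {
		var buf bytes.Buffer
		if err := pem.Encode(&buf, &pem.Block{Type: pemTypeCertificate, Bytes: cert.Raw}); err != nil {
			return "", err
		}
		pemData = append(pemData, buf.Bytes()...)
	}
	// … unchanged: return of the accumulated pemData (outside the hunk) …
```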
@ -59,6 +59,7 @@ const (
|
|||
errParsePrivKey = "unable to parse private key type"
|
||||
|
||||
pemTypeCertificate = "CERTIFICATE"
|
||||
pemTypeKey = "PRIVATE KEY"
|
||||
)
|
||||
|
||||
func init() {
|
||||
|
|