From ebae16beb3803038dcaef8695104481d1768db44 Mon Sep 17 00:00:00 2001
From: Eric Fang
Date: Tue, 18 Jun 2024 10:21:48 -0700
Subject: [PATCH] Remove the use of "golang.org/x/crypto/pkcs12" (#3601)
Switch to software.sslmate.com/src/go-pkcs12 instead
Signed-off-by: yihuaf
---
 pkg/provider/azure/keyvault/keyvault.go | 4 +-
 pkg/template/v1/template.go | 2 +-
 pkg/template/v2/pkcs12.go | 62 +++++++++++----------
 pkg/template/v2/template.go | 1 +
 4 files changed, 32 insertions(+), 37 deletions(-)
diff --git a/pkg/provider/azure/keyvault/keyvault.go b/pkg/provider/azure/keyvault/keyvault.go
index 5b98142d8..9e87d7ac9 100644
--- a/pkg/provider/azure/keyvault/keyvault.go
+++ b/pkg/provider/azure/keyvault/keyvault.go
@@ -35,7 +35,6 @@ import (
 "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
 "github.com/lestrrat-go/jwx/v2/jwk"
 "github.com/tidwall/gjson"
- "golang.org/x/crypto/pkcs12"
 "golang.org/x/crypto/sha3"
 authv1 "k8s.io/api/authentication/v1"
 corev1 "k8s.io/api/core/v1"
@@ -47,6 +46,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/client"
 ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
 "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+ gopkcs12 "software.sslmate.com/src/go-pkcs12"
 esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 "github.com/external-secrets/external-secrets/pkg/constants"
@@ -345,7 +345,7 @@ func (a *Azure) SecretExists(ctx context.Context, remoteRef esv1beta1.PushSecret
 func getCertificateFromValue(value []byte) (*x509.Certificate, error) {
 // 1st: try decode pkcs12
- _, localCert, err := pkcs12.Decode(value, "")
+ _, localCert, err := gopkcs12.Decode(value, "")
 if err == nil {
 return localCert, nil
 }
diff --git a/pkg/template/v1/template.go b/pkg/template/v1/template.go
index 59c17b6a2..df49cbf7b 100644
--- a/pkg/template/v1/template.go
+++ b/pkg/template/v1/template.go
@@ -26,8 +26,8 @@ import (
 "github.com/lestrrat-go/jwx/v2/jwk"
 "github.com/youmark/pkcs8"
- "golang.org/x/crypto/pkcs12"
 corev1 "k8s.io/api/core/v1"
+ "software.sslmate.com/src/go-pkcs12"
 esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
 )
diff --git a/pkg/template/v2/pkcs12.go b/pkg/template/v2/pkcs12.go
index d73f82981..d4cab3760 100644
--- a/pkg/template/v2/pkcs12.go
+++ b/pkg/template/v2/pkcs12.go
@@ -21,41 +21,28 @@ import (
 "encoding/pem"
 "fmt"
- "golang.org/x/crypto/pkcs12"
 gopkcs12 "software.sslmate.com/src/go-pkcs12"
 )
 func pkcs12keyPass(pass, input string) (string, error) {
- blocks, err := pkcs12.ToPEM([]byte(input), pass)
+ privateKey, _, _, err := gopkcs12.DecodeChain([]byte(input), pass)
 if err != nil {
 return "", fmt.Errorf(errDecodePKCS12WithPass, err)
 }
- var pemData []byte
- for _, block := range blocks {
- // remove bag attributes like localKeyID, friendlyName
- block.Headers = nil
- if block.Type == pemTypeCertificate {
- continue
- }
- key, err := parsePrivateKey(block.Bytes)
- if err != nil {
- return "", err
- }
- // we use pkcs8 because it supports more key types (ecdsa, ed25519), not just RSA
- block.Bytes, err = x509.MarshalPKCS8PrivateKey(key)
- if err != nil {
- return "", err
- }
- // report error if encode fails
- var buf bytes.Buffer
- if err := pem.Encode(&buf, block); err != nil {
- return "", err
- }
- pemData = append(pemData, buf.Bytes()...)
+ marshalPrivateKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
+ if err != nil {
+ return "", err
 }
- return string(pemData), nil
+ var buf bytes.Buffer
+ if err := pem.Encode(&buf, &pem.Block{
+ Type: pemTypeKey,
+ Bytes: marshalPrivateKey,
+ }); err != nil {
+ return "", err
+ }
+ return buf.String(), nil
 }
 func parsePrivateKey(block []byte) (any, error) {
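Review bot: The `+` import line brings in `software.sslmate.com/src/go-pkcs12` without an alias, so v1 compiles only because that module's package clause happens to be `pkcs12` while the path ends in `go-pkcs12`; the existing `pkcs12.` call sites in this file (outside the hunk) keep resolving, but a reader sees the same identifier that used to mean `golang.org/x/crypto/pkcs12`. The other two files in this commit alias it, so for consistency I would write `gopkcs12 "software.sslmate.com/src/go-pkcs12"` here and rename the v1 callers accordingly. An explicit alias also keeps linters that require one when the path base differs from the package name quiet.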
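Review bot: `gopkcs12.DecodeChain` on the first `+` line of pkcs12keyPass is stricter than the `pkcs12.ToPEM` loop it replaces: as far as I recall it errors when the bundle carries no key bag, more than one key bag, or no certificate, whereas the old loop emitted whatever keys were present and returned an empty string for a cert-only bundle, so those inputs now fail under `errDecodePKCS12WithPass`; if that tightening is intended it should be stated in the commit message and pinned by a test. The dropped explanation for the PKCS#8 choice is still worth having — on the `x509.MarshalPKCS8PrivateKey` line I would keep `// PKCS#8 supports more key types (ecdsa, ed25519) than PKCS#1, not just RSA`. `marshalPrivateKey` names a DER byte slice after a verb; `keyDER` reads better. `parsePrivateKey`, whose signature is the last context line and whose body continues outside the hunk, is no longer called from this function, so if no other caller remains the unused-function linter will flag it.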
@@ -76,21 +63,28 @@ func pkcs12key(input string) (string, error) {
 }
 func pkcs12certPass(pass, input string) (string, error) {
- blocks, err := pkcs12.ToPEM([]byte(input), pass)
+ _, certificate, caCerts, err := gopkcs12.DecodeChain([]byte(input), pass)
 if err != nil {
 return "", fmt.Errorf(errDecodeCertWithPass, err)
 }
 var pemData []byte
- for _, block := range blocks {
- if block.Type != pemTypeCertificate {
- continue
- }
- // remove bag attributes like localKeyID, friendlyName
- block.Headers = nil
- // report error if encode fails
+ var buf bytes.Buffer
+ if err := pem.Encode(&buf, &pem.Block{
+ Type: pemTypeCertificate,
+ Bytes: certificate.Raw,
+ }); err != nil {
+ return "", err
+ }
+
+ pemData = append(pemData, buf.Bytes()...)
+
+ for _, ca := range caCerts {
 var buf bytes.Buffer
- if err := pem.Encode(&buf, block); err != nil {
+ if err := pem.Encode(&buf, &pem.Block{
+ Type: pemTypeCertificate,
+ Bytes: ca.Raw,
+ }); err != nil {
 return "", err
 }
 pemData = append(pemData, buf.Bytes()...)
diff --git a/pkg/template/v2/template.go b/pkg/template/v2/template.go
index b1c65fe79..46040e844 100644
--- a/pkg/template/v2/template.go
+++ b/pkg/template/v2/template.go
@@ -59,6 +59,7 @@ const (
 errParsePrivKey = "unable to parse private key type"
 pemTypeCertificate = "CERTIFICATE"
+ pemTypeKey = "PRIVATE KEY"
 )
 func init() {
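Review bot: Certificate-only bundles (a trust-store style PFX with no key bag) regress in pkcs12certPass: the old `pkcs12.ToPEM` loop emitted every certificate whether or not a key was present, while `gopkcs12.DecodeChain` on the first `+` line, as far as I recall, rejects a PFX without a private key, so such inputs now surface as `errDecodeCertWithPass`; a test for that shape would settle it either way, and note that which certificate becomes the leaf depends on how the library picks the end-entity cert. The loop's `var buf bytes.Buffer` (a context line) now shadows the function-scope `buf` added just above it, which the vet shadow analyzer flags; encoding every certificate into the single outer buffer removes the shadow, the `pemData` copy and the duplicated `pem.Encode` call. The function's closing lines, including its return, are outside the hunk and would then return `buf.String()` instead of `string(pemData)`.
```go
	_, certificate, caCerts, err := gopkcs12.DecodeChain([]byte(input), pass)
	if err != nil {
		return "", fmt.Errorf(errDecodeCertWithPass, err)
	}
	// Leaf first, then the CA chain in the order the bundle supplied it.
	var buf bytes.Buffer
	for _, c := range append([]*x509.Certificate{certificate}, caCerts...) {
		if err := pem.Encode(&buf, &pem.Block{Type: pemTypeCertificate, Bytes: c.Raw}); err != nil {
			return "", err
		}
	}
	// … unchanged: function tail outside the hunk; its return becomes buf.String(), nil …
```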