mirrors/external-secrets
1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Code Activity

Remove the use of "golang.org/x/crypto/pkcs12" (#3601)

Browse source 
Switch to software.sslmate.com/src/go-pkcs12 instead

Signed-off-by: yihuaf <yihuaf@unkies.org>
This commit is contained in:
Eric Fang 2024-06-18 10:21:48 -07:00 committed by GitHub
parent c7fc730019
commit ebae16beb3
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 32 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
pkg/provider/azure/keyvault/keyvault.go
View file

@ -35,7 +35,6 @@ import (
"github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential" "github.com/AzureAD/microsoft-authentication-library-for-go/apps/confidential"
"github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwk"
"github.com/tidwall/gjson" "github.com/tidwall/gjson"
"golang.org/x/crypto/pkcs12"
"golang.org/x/crypto/sha3" "golang.org/x/crypto/sha3"
authv1 "k8s.io/api/authentication/v1" authv1 "k8s.io/api/authentication/v1"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
@ -47,6 +46,7 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client" "sigs.k8s.io/controller-runtime/pkg/client"
ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config" ctrlcfg "sigs.k8s.io/controller-runtime/pkg/client/config"
"sigs.k8s.io/controller-runtime/pkg/webhook/admission" "sigs.k8s.io/controller-runtime/pkg/webhook/admission"
gopkcs12 "software.sslmate.com/src/go-pkcs12"
esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1" esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
"github.com/external-secrets/external-secrets/pkg/constants" "github.com/external-secrets/external-secrets/pkg/constants"
@ -345,7 +345,7 @@ func (a *Azure) SecretExists(ctx context.Context, remoteRef esv1beta1.PushSecret
func getCertificateFromValue(value []byte) (*x509.Certificate, error) { func getCertificateFromValue(value []byte) (*x509.Certificate, error) {
// 1st: try decode pkcs12 // 1st: try decode pkcs12
_, localCert, err := pkcs12.Decode(value, "") _, localCert, err := gopkcs12.Decode(value, "")
if err == nil { if err == nil {
return localCert, nil return localCert, nil
} }

2
pkg/template/v1/template.go
View file

@ -26,8 +26,8 @@ import (
"github.com/lestrrat-go/jwx/v2/jwk" "github.com/lestrrat-go/jwx/v2/jwk"
"github.com/youmark/pkcs8" "github.com/youmark/pkcs8"
"golang.org/x/crypto/pkcs12"
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
"software.sslmate.com/src/go-pkcs12"
esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1" esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
) )

62
pkg/template/v2/pkcs12.go
View file

@ -21,41 +21,28 @@ import (
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"golang.org/x/crypto/pkcs12"
gopkcs12 "software.sslmate.com/src/go-pkcs12" gopkcs12 "software.sslmate.com/src/go-pkcs12"
) )
func pkcs12keyPass(pass, input string) (string, error) { func pkcs12keyPass(pass, input string) (string, error) {
blocks, err := pkcs12.ToPEM([]byte(input), pass) privateKey, _, _, err := gopkcs12.DecodeChain([]byte(input), pass)
if err != nil { if err != nil {
return "", fmt.Errorf(errDecodePKCS12WithPass, err) return "", fmt.Errorf(errDecodePKCS12WithPass, err)
} }
var pemData []byte marshalPrivateKey, err := x509.MarshalPKCS8PrivateKey(privateKey)
for _, block := range blocks { if err != nil {
// remove bag attributes like localKeyID, friendlyName return "", err
block.Headers = nil
if block.Type == pemTypeCertificate {
continue
}
key, err := parsePrivateKey(block.Bytes)
if err != nil {
return "", err
}
// we use pkcs8 because it supports more key types (ecdsa, ed25519), not just RSA
block.Bytes, err = x509.MarshalPKCS8PrivateKey(key)
if err != nil {
return "", err
}
// report error if encode fails
var buf bytes.Buffer
if err := pem.Encode(&buf, block); err != nil {
return "", err
}
pemData = append(pemData, buf.Bytes()...)
} }
return string(pemData), nil var buf bytes.Buffer
if err := pem.Encode(&buf, &pem.Block{
Type: pemTypeKey,
Bytes: marshalPrivateKey,
}); err != nil {
return "", err
}
return buf.String(), nil
} }
func parsePrivateKey(block []byte) (any, error) { func parsePrivateKey(block []byte) (any, error) {
@ -76,21 +63,28 @@ func pkcs12key(input string) (string, error) {
} }
func pkcs12certPass(pass, input string) (string, error) { func pkcs12certPass(pass, input string) (string, error) {
blocks, err := pkcs12.ToPEM([]byte(input), pass) _, certificate, caCerts, err := gopkcs12.DecodeChain([]byte(input), pass)
if err != nil { if err != nil {
return "", fmt.Errorf(errDecodeCertWithPass, err) return "", fmt.Errorf(errDecodeCertWithPass, err)
} }
var pemData []byte var pemData []byte
for _, block := range blocks { var buf bytes.Buffer
if block.Type != pemTypeCertificate { if err := pem.Encode(&buf, &pem.Block{
continue Type: pemTypeCertificate,
} Bytes: certificate.Raw,
// remove bag attributes like localKeyID, friendlyName }); err != nil {
block.Headers = nil return "", err
// report error if encode fails }
pemData = append(pemData, buf.Bytes()...)
for _, ca := range caCerts {
var buf bytes.Buffer var buf bytes.Buffer
if err := pem.Encode(&buf, block); err != nil { if err := pem.Encode(&buf, &pem.Block{
Type: pemTypeCertificate,
Bytes: ca.Raw,
}); err != nil {
return "", err return "", err
} }
pemData = append(pemData, buf.Bytes()...) pemData = append(pemData, buf.Bytes()...)

1
pkg/template/v2/template.go
View file

@ -59,6 +59,7 @@ const (
errParsePrivKey = "unable to parse private key type" errParsePrivKey = "unable to parse private key type"
pemTypeCertificate = "CERTIFICATE" pemTypeCertificate = "CERTIFICATE"
pemTypeKey = "PRIVATE KEY"
) )
func init() { func init() {