Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tlscommon: fix EC key decryption #190

Closed
wants to merge 1 commit into from
Closed

tlscommon: fix EC key decryption #190

wants to merge 1 commit into from

Conversation

AndersonQ
Copy link
Member

What does this PR do?

Fix how encrypted TLS certificate keys are handled. x509.DecryptPEMBlock returns a PEM block, and the code would assume it was not in PEM format and was re-encoding it into PEM, which would generate an invalid key.

Why is it important?

Without the fix, it breaks when parsing a certificate key

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works

Author's Checklist

  • [ ]

Related issues

@AndersonQ AndersonQ added bug Something isn't working Team:Elastic-Agent Label for the Agent team labels Mar 18, 2024
@AndersonQ AndersonQ self-assigned this Mar 18, 2024
@AndersonQ AndersonQ requested a review from a team as a code owner March 18, 2024 17:10
@AndersonQ AndersonQ requested review from fearful-symmetry, faec and leehinman and removed request for a team March 18, 2024 17:10
@elasticmachine
Copy link
Collaborator

elasticmachine commented Mar 18, 2024
edited
Loading

💔 Build Failed

Failed CI Steps

History

cc @AndersonQ

@cmacknz
Copy link
Member

cmacknz commented Mar 18, 2024

Needs a test

leehinman
leehinman requested changes Mar 18, 2024
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

needs tests

transport/tlscommon/tls.go
default:
blocks = append(blocks, block)
// not encrypted and not in PEM format, encode it.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this function only used for reading PEM encoded private keys? The implementation suggests that, but the function name and signature don't. If this were to read a PEM encoded certificate, you don't want to re-encode.

As it stands, I think the default case is trying to catch if they actually supplied a DER encoded private key. If that is the case it is probably worth checking to see if ParsePKIXPublicKey works and to log at the warn level that DER format was provided but PEM format was expected.

@AndersonQ
Copy link
Member Author

x509.DecryptPEMBlock should receive a DER encoded key, not a PEM encoded. That way the key it returns will always be in DER format and we need to encode it as PEM. Thus the code is actually correct

@AndersonQ AndersonQ closed this Mar 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@leehinman leehinman leehinman requested changes

@fearful-symmetry fearful-symmetry Awaiting requested review from fearful-symmetry fearful-symmetry is a code owner automatically assigned from elastic/elastic-agent-data-plane

@faec faec Awaiting requested review from faec faec is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@AndersonQ AndersonQ

Labels
bug Something isn't working Team:Elastic-Agent Label for the Agent team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@AndersonQ @elasticmachine @cmacknz @leehinman