Skip to content

Commit

Permalink
Merge pull request #45 from pavlo-v-chernykh/get-private-key-certific…
Browse files Browse the repository at this point in the history
…ate-chain-without-a-password

Get private key certificate chain without a password
  • Loading branch information
pavlo-v-chernykh authored Aug 31, 2023
2 parents e49ca8f + 8dabcfb commit ae44a5e
Show file tree
Hide file tree
Showing 10 changed files with 56 additions and 38 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/main.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ jobs:
uses: golangci/[email protected]
with:
args: --timeout=5m0s -c .golangci.yaml
version: v1.46.2
version: v1.54.2
test:
name: Test
runs-on: ubuntu-latest
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ func readKeyStore(filename string, password []byte) keystore.KeyStore {

ks := keystore.New()
if err := ks.Load(f, password); err != nil {
log.Fatal(err) // nolint: gocritic
log.Fatal(err) //nolint: gocritic
}

return ks
Expand All @@ -52,7 +52,7 @@ func writeKeyStore(ks keystore.KeyStore, filename string, password []byte) {

err = ks.Store(f, password)
if err != nil {
log.Fatal(err) // nolint: gocritic
log.Fatal(err) //nolint: gocritic
}
}

Expand Down
6 changes: 3 additions & 3 deletions decoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -130,9 +130,9 @@ func (d decoder) readPrivateKeyEntry(version uint32) (PrivateKeyEntry, error) {

creationDateTime := time.UnixMilli(int64(creationTimeStamp))
privateKeyEntry := PrivateKeyEntry{
encryptedPrivateKey: encryptedPrivateKey,
CreationTime: creationDateTime,
CertificateChain: chain,
PrivateKey: encryptedPrivateKey,
CreationTime: creationDateTime,
CertificateChain: chain,
}

return privateKeyEntry, nil
Expand Down
4 changes: 2 additions & 2 deletions encoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ func (e encoder) writePrivateKeyEntry(alias string, pke PrivateKeyEntry) error {
return fmt.Errorf("write creation timestamp: %w", err)
}

length := uint64(len(pke.encryptedPrivateKey))
length := uint64(len(pke.PrivateKey))
if length > math.MaxUint32 {
return fmt.Errorf("got encrypted content %d bytes long, max length is %d", length, uint64(math.MaxUint32))
}
Expand All @@ -108,7 +108,7 @@ func (e encoder) writePrivateKeyEntry(alias string, pke PrivateKeyEntry) error {
return fmt.Errorf("filed to write length: %w", err)
}

if err := e.writeBytes(pke.encryptedPrivateKey); err != nil {
if err := e.writeBytes(pke.PrivateKey); err != nil {
return fmt.Errorf("write content: %w", err)
}

Expand Down
7 changes: 3 additions & 4 deletions examples/compare/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@ package main

import (
"encoding/pem"
"io/ioutil"
"log"
"os"
"reflect"
Expand All @@ -14,7 +13,7 @@ import (
type nonRand struct {
}

func (r nonRand) Read(p []byte) (n int, err error) {
func (r nonRand) Read(p []byte) (int, error) {
for i := range p {
p[i] = 1
}
Expand Down Expand Up @@ -61,7 +60,7 @@ func writeKeyStore(ks keystore.KeyStore, filename string, password []byte) {
}

func readPrivateKey() []byte {
pkPEM, err := ioutil.ReadFile("./key.pem")
pkPEM, err := os.ReadFile("./key.pem")
if err != nil {
panic(err)
}
Expand All @@ -79,7 +78,7 @@ func readPrivateKey() []byte {
}

func readCertificate() []byte {
pkPEM, err := ioutil.ReadFile("./cert.pem")
pkPEM, err := os.ReadFile("./cert.pem")
if err != nil {
panic(err)
}
Expand Down
7 changes: 3 additions & 4 deletions examples/keypass/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ func readKeyStore(filename string, password []byte) keystore.KeyStore {

ks := keystore.New()
if err := ks.Load(f, password); err != nil {
log.Fatal(err) // nolint: gocritic
log.Fatal(err) //nolint: gocritic
}

return ks
Expand All @@ -34,9 +34,8 @@ func zeroing(buf []byte) {
}
}

// nolint: godot
// keytool -genkeypair -alias alias -storepass password -keypass keypassword -keyalg RSA -keystore keystore.jks
func main() {
// keytool -genkeypair -alias alias -storepass password -keypass keypassword -keyalg RSA -keystore keystore.jks
password := []byte{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}
defer zeroing(password)

Expand All @@ -47,7 +46,7 @@ func main() {

pke, err := ks.GetPrivateKeyEntry("alias", keyPassword)
if err != nil {
log.Fatal(err) // nolint: gocritic
log.Fatal(err) //nolint: gocritic
}

key, err := x509.ParsePKCS8PrivateKey(pke.PrivateKey)
Expand Down
15 changes: 7 additions & 8 deletions examples/pem/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package main
import (
"crypto/x509"
"encoding/pem"
"io/ioutil"
"log"
"os"
"time"
Expand All @@ -25,7 +24,7 @@ func readKeyStore(filename string, password []byte) keystore.KeyStore {

ks := keystore.New()
if err := ks.Load(f, password); err != nil {
log.Fatal(err) // nolint: gocritic
log.Fatal(err) //nolint: gocritic
}

return ks
Expand All @@ -45,12 +44,12 @@ func writeKeyStore(ks keystore.KeyStore, filename string, password []byte) {

err = ks.Store(f, password)
if err != nil {
log.Fatal(err) // nolint: gocritic
log.Fatal(err) //nolint: gocritic
}
}

func readPrivateKey() []byte {
pkPEM, err := ioutil.ReadFile("./key.pem")
pkPEM, err := os.ReadFile("./key.pem")
if err != nil {
log.Fatal(err)
}
Expand All @@ -68,7 +67,7 @@ func readPrivateKey() []byte {
}

func readCertificate() []byte {
pkPEM, err := ioutil.ReadFile("./cert.pem")
pkPEM, err := os.ReadFile("./cert.pem")
if err != nil {
log.Fatal(err)
}
Expand All @@ -91,9 +90,9 @@ func zeroing(buf []byte) {
}
}

// nolint: godot, lll
// openssl req -x509 -sha256 -nodes -days 365 -subj '/CN=localhost' -newkey rsa:2048 -outform pem -keyout key.pem -out cert.pem
func main() {
//nolint: lll
// openssl req -x509 -sha256 -nodes -days 365 -subj '/CN=localhost' -newkey rsa:2048 -outform pem -keyout key.pem -out cert.pem
password := []byte{'p', 'a', 's', 's', 'w', 'o', 'r', 'd'}
defer zeroing(password)

Expand All @@ -111,7 +110,7 @@ func main() {
}

if err := ks1.SetPrivateKeyEntry("alias", pkeIn, password); err != nil {
log.Fatal(err) // nolint: gocritic
log.Fatal(err) //nolint: gocritic
}

writeKeyStore(ks1, "keystore.jks", password)
Expand Down
8 changes: 4 additions & 4 deletions examples/truststore/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,16 +22,16 @@ func readKeyStore(filename string, password []byte) keystore.KeyStore {

ks := keystore.New()
if err := ks.Load(f, password); err != nil {
log.Fatal(err) // nolint: gocritic
log.Fatal(err) //nolint: gocritic
}

return ks
}

// nolint: godot, lll
// go run main.go "/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts" "changeit"
func main() {
if len(os.Args) < 3 { // nolint: gomnd
//nolint: lll
// go run main.go "/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts" "changeit"
if len(os.Args) < 3 { //nolint: gomnd
log.Fatal("usage: <path> <password>")
}

Expand Down
23 changes: 18 additions & 5 deletions keystore.go
Original file line number Diff line number Diff line change
Expand Up @@ -33,8 +33,6 @@ type KeyStore struct {

// PrivateKeyEntry is an entry for private keys and associated certificates.
type PrivateKeyEntry struct {
encryptedPrivateKey []byte

CreationTime time.Time
PrivateKey []byte
CertificateChain []Certificate
Expand Down Expand Up @@ -222,7 +220,7 @@ func (ks KeyStore) SetPrivateKeyEntry(alias string, entry PrivateKeyEntry, passw
return fmt.Errorf("encrypt private key: %w", err)
}

entry.encryptedPrivateKey = epk
entry.PrivateKey = epk

ks.m[ks.convertAlias(alias)] = entry

Expand All @@ -242,17 +240,32 @@ func (ks KeyStore) GetPrivateKeyEntry(alias string, password []byte) (PrivateKey
return PrivateKeyEntry{}, ErrWrongEntryType
}

dpk, err := decrypt(pke.encryptedPrivateKey, password)
dpk, err := decrypt(pke.PrivateKey, password)
if err != nil {
return PrivateKeyEntry{}, fmt.Errorf("decrypt private key: %w", err)
}

pke.encryptedPrivateKey = nil
pke.PrivateKey = dpk

return pke, nil
}

// GetPrivateKeyEntryCertificateChain returns certificate chain associated with
// PrivateKeyEntry from the keystore by the alias.
func (ks KeyStore) GetPrivateKeyEntryCertificateChain(alias string) ([]Certificate, error) {
e, ok := ks.m[ks.convertAlias(alias)]
if !ok {
return nil, ErrEntryNotFound
}

pke, ok := e.(PrivateKeyEntry)
if !ok {
return nil, ErrWrongEntryType
}

return pke.CertificateChain, nil
}

// IsPrivateKeyEntry returns true if the keystore has PrivateKeyEntry by the alias.
func (ks KeyStore) IsPrivateKeyEntry(alias string) bool {
_, ok := ks.m[ks.convertAlias(alias)].(PrivateKeyEntry)
Expand Down
18 changes: 13 additions & 5 deletions keystore_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package keystore
import (
"encoding/pem"
"errors"
"io/ioutil"
"os"
"reflect"
"sort"
Expand Down Expand Up @@ -52,6 +51,11 @@ func TestSetGetMethods(t *testing.T) {
t.Fatal(err)
}

chainGet, err := ks.GetPrivateKeyEntryCertificateChain(pkeAlias)
if err != nil {
t.Fatal(err)
}

tceGet, err := ks.GetTrustedCertificateEntry(tceAlias)
if err != nil {
t.Fatal(err)
Expand All @@ -61,6 +65,10 @@ func TestSetGetMethods(t *testing.T) {
t.Fatal("private key entries not equal")
}

if !reflect.DeepEqual(pke.CertificateChain, chainGet) {
t.Fatal("certificate chains of private key entries are not equal")
}

if !reflect.DeepEqual(tce, tceGet) {
t.Fatal("private key entries not equal")
}
Expand Down Expand Up @@ -218,7 +226,7 @@ func TestLoad(t *testing.T) {
t.Errorf("unexpected private key entry certificate chain length: '%d' '%d'", len(actualPKE.CertificateChain), 0)
}

pkPEM, err := ioutil.ReadFile("./testdata/key.pem")
pkPEM, err := os.ReadFile("./testdata/key.pem")
if err != nil {
t.Fatalf("read expected private key file: %s", err)
}
Expand Down Expand Up @@ -272,7 +280,7 @@ func TestLoadKeyPassword(t *testing.T) {
t.Errorf("unexpected private key entry certificate chain length: '%d' '%d'", len(actualPKE.CertificateChain), 0)
}

pkPEM, err := ioutil.ReadFile("./testdata/key_keypass.pem")
pkPEM, err := os.ReadFile("./testdata/key_keypass.pem")
if err != nil {
t.Fatalf("read expected private key file: %s", err)
}
Expand All @@ -287,7 +295,7 @@ func TestLoadKeyPassword(t *testing.T) {
func readPrivateKey(t *testing.T) []byte {
t.Helper()

pkPEM, err := ioutil.ReadFile("./testdata/key.pem")
pkPEM, err := os.ReadFile("./testdata/key.pem")
if err != nil {
t.Fatal(err)
}
Expand All @@ -307,7 +315,7 @@ func readPrivateKey(t *testing.T) []byte {
func readCertificate(t *testing.T) []byte {
t.Helper()

pkPEM, err := ioutil.ReadFile("./testdata/cert.pem")
pkPEM, err := os.ReadFile("./testdata/cert.pem")
if err != nil {
t.Fatal(err)
}
Expand Down

0 comments on commit ae44a5e

Please sign in to comment.