allow p12 creation without cacert; timelimit openssl exec (#57)

PaloAltoNetworks · Jan 7, 2025 · 8377351 · 8377351
1 parent c140cfe
commit 8377351
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 5 deletions.
diff --git a/main.go b/main.go
@@ -207,6 +207,9 @@ func generateCertificate() {
 	}
 
 	log.Printf("certificate key pair created: cert: %s-cert.pem, key: %s-key.pem", viper.GetString("name"), viper.GetString("name"))
+	if viper.GetBool("p12") {
+		log.Printf("p12 bundle created: %s.p12", viper.GetString("name"))
+	}
 }
 
 func generateCSR() {

diff --git a/tglib/pkcs12.go b/tglib/pkcs12.go
@@ -12,28 +12,51 @@
 package tglib
 
 import (
+	"bytes"
+	"context"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
 	"os/exec"
 	"strings"
+	"time"
 )
 
 // GeneratePKCS12FromFiles generates a full PKCS certificate based on the input keys.
 func GeneratePKCS12FromFiles(out, certPath, keyPath, caPath, passphrase string) error {
 
-	/* #nosec */
-	return exec.Command(
-		"openssl",
+	var errb bytes.Buffer
+
+	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
+	defer cancel()
+
+	// TODO for pkcs12 file without encryption use: -keypbe NONE -certpbe NONE -nomaciter
+	const command = "openssl"
+	args := append(make([]string, 0, 15),
 		"pkcs12",
 		"-export",
 		"-out", out,
 		"-inkey", keyPath,
 		"-in", certPath,
-		"-certfile", caPath,
 		"-passout", "pass:"+passphrase,
-	).Run()
+	)
+	if len(caPath) > 0 {
+		args = append(args, "-certfile", caPath)
+	}
+
+	// #nosec G204 audited OK - no command injection can occur here
+	cmd := exec.CommandContext(ctx, command, args...)
+	cmd.Stderr = &errb
+	cmd.WaitDelay = 5 * time.Second
+
+	err := cmd.Run()
+	if err != nil {
+		// include the openssl stderr output to aid in debugging the reason for failure
+		err = fmt.Errorf("exec openssl failed: stderr='%s': %w", strings.TrimSpace(errb.String()), err)
+	}
+
+	return err
 }
 
 // GeneratePKCS12 generates a pkcs12