fix(core): fixes leaking private key password to logs in mongo setup (#…
ddneilson authored Jul 31, 2020
1 parent 84e09fb commit efd1602
Showing 1 changed file with 5 additions and 3 deletions.
Expand Up @@ -40,12 +40,14 @@ get_secret_string "${CHAIN_ID}"
printenv RET_VALUE > ./ca.crt
get_secret_string "${KEY_ID}"
printenv RET_VALUE > ./encrypted_key.pem

# Note: We must get the private key passphrase **LAST**. We use the returned
# environment variable to securely invoke openssl to decrypt the private key.
get_secret_string "${KEY_PW_ID}"
export KEY_PW=$(printenv RET_VALUE)

# Decrypt the private key.
openssl rsa -in ./encrypted_key.pem -passin env:KEY_PW -out ./decrypted_key.pem
unset KEY_PW
openssl rsa -in ./encrypted_key.pem -passin env:RET_VALUE -out ./decrypted_key.pem
unset RET_VALUE

cat key.crt decrypted_key.pem > key.pem
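Review bot: The added comment above the passphrase fetch states the ordering rule but not why the removed `export KEY_PW=$(printenv RET_VALUE)` leaked, so a later edit could reintroduce the same exposure. Presumably the script runs with command tracing and that expansion was echoed into the logs; if so, the comment should say it, e.g. `# Never expand RET_VALUE on a command line or copy it into another variable: traced expansions end up in the logs.` Separately, nothing visible checks openssl's exit status before `unset RET_VALUE` and the `cat` that builds key.pem, so unless `set -e` is active outside this hunk a failed decryption falls through. Ending the decrypt line with `|| exit 1` would stop the script there. The script begins and continues outside the hunk, so both points should be checked against the full file.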

