Merge branch 'master' into improved-http-performance

caddyserver · Sep 25, 2024 · 75f8ba4 · 75f8ba4
2 parents e62916f + 9dda8fb
commit 75f8ba4
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/modules/caddytls/fileloader.go b/modules/caddytls/fileloader.go
@@ -18,6 +18,7 @@ import (
  "crypto/tls"
  "fmt"
  "os"
+ "strings"
 
  "github.com/caddyserver/caddy/v2"
 )
@@ -92,8 +93,16 @@ func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
  switch pair.Format {
  case "":
  fallthrough
+
  case "pem":
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
+ return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
  cert, err = tls.X509KeyPair(certData, keyData)
+
  default:
  return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
  }

diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
@@ -150,6 +150,12 @@ func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
  return tls.Certificate{}, fmt.Errorf("no private key block found")
  }
 
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED") {
+ return tls.Certificate{}, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
  cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
  if err != nil {
  return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)

diff --git a/modules/caddytls/storageloader.go b/modules/caddytls/storageloader.go
@@ -17,6 +17,7 @@ package caddytls
 import (
  "crypto/tls"
  "fmt"
+ "strings"
 
  "github.com/caddyserver/certmagic"
 
@@ -88,8 +89,16 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
  switch pair.Format {
  case "":
  fallthrough
+
  case "pem":
+ // if the start of the key file looks like an encrypted private key,
+ // reject it with a helpful error message
+ if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
+ return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+ }
+
  cert, err = tls.X509KeyPair(certData, keyData)
+
  default:
  return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
  }