From 9dda8fbf846db052243e6ce5ab707650da8c030e Mon Sep 17 00:00:00 2001
From: Francis Lavoie <lavofr@gmail.com>
Date: Wed, 25 Sep 2024 08:00:48 -0400
Subject: [PATCH] caddytls: Give a better error message when given encrypted
 private keys (#6591)

---
 modules/caddytls/fileloader.go    | 9 +++++++++
 modules/caddytls/folderloader.go  | 6 ++++++
 modules/caddytls/storageloader.go | 9 +++++++++
 3 files changed, 24 insertions(+)

diff --git a/modules/caddytls/fileloader.go b/modules/caddytls/fileloader.go
index 8603bbe652b..7d2927e2ae9 100644
--- a/modules/caddytls/fileloader.go
+++ b/modules/caddytls/fileloader.go
@@ -18,6 +18,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/caddyserver/caddy/v2"
 )
@@ -92,8 +93,16 @@ func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
 		switch pair.Format {
 		case "":
 			fallthrough
+
 		case "pem":
+			// if the start of the key file looks like an encrypted private key,
+			// reject it with a helpful error message
+			if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
+				return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+			}
+
 			cert, err = tls.X509KeyPair(certData, keyData)
+
 		default:
 			return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
 		}
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index 89e978df631..2df6f4cee41 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -150,6 +150,12 @@ func tlsCertFromCertAndKeyPEMBundle(bundle []byte) (tls.Certificate, error) {
 		return tls.Certificate{}, fmt.Errorf("no private key block found")
 	}
 
+	// if the start of the key file looks like an encrypted private key,
+	// reject it with a helpful error message
+	if strings.HasPrefix(string(keyPEMBytes[:40]), "ENCRYPTED") {
+		return tls.Certificate{}, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+	}
+
 	cert, err := tls.X509KeyPair(certPEMBytes, keyPEMBytes)
 	if err != nil {
 		return tls.Certificate{}, fmt.Errorf("making X509 key pair: %v", err)
diff --git a/modules/caddytls/storageloader.go b/modules/caddytls/storageloader.go
index f9f0e7e680f..c9487e89252 100644
--- a/modules/caddytls/storageloader.go
+++ b/modules/caddytls/storageloader.go
@@ -17,6 +17,7 @@ package caddytls
 import (
 	"crypto/tls"
 	"fmt"
+	"strings"
 
 	"github.com/caddyserver/certmagic"
 
@@ -88,8 +89,16 @@ func (sl StorageLoader) LoadCertificates() ([]Certificate, error) {
 		switch pair.Format {
 		case "":
 			fallthrough
+
 		case "pem":
+			// if the start of the key file looks like an encrypted private key,
+			// reject it with a helpful error message
+			if strings.Contains(string(keyData[:40]), "ENCRYPTED") {
+				return nil, fmt.Errorf("encrypted private keys are not supported; please decrypt the key first")
+			}
+
 			cert, err = tls.X509KeyPair(certData, keyData)
+
 		default:
 			return nil, fmt.Errorf("unrecognized certificate/key encoding format: %s", pair.Format)
 		}