Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(common.tls): Add support for passphrase-protected private key #13262

Merged
merged 11 commits into from
Jun 1, 2023
Merged

feat(common.tls): Add support for passphrase-protected private key #13262

merged 11 commits into from
Jun 1, 2023

Conversation

rajiv-k
Copy link
Contributor

@rajiv-k rajiv-k commented May 10, 2023

Required for all PRs

I have implemented the feature using https://github.com/youmark/pkcs8 because the go stdlib lacks support for parsing encrypted PKCS8 private keys (golang/go#8860).

Note: When storing encrypted Private Keys in PKCS#8 format, a number of PKCS#5 v1.5, PKCS#5 v2.0 and PKCS#12 can be used to generate the encryption key from the provided passphrase.
However, this library can only handle the more modern and recommended PKCS#5 v2.0.

This fix itself seems to be working well. I was able to use this in two different plugins, influxdb_v2 and amqp_consumer which were both configured with client certificate authentication and had an encrypted private key.

resolves #12932

@rajiv-k
testutil/tls: Make encrypted private key filename consistent
b2ba769 
The encrypted private key file is in the `testutil/pki` dir is
`clientenckey.pem`. However the `tls-certs.sh` script and
`pki.ClientEncKeyPath()` refered to it as `clientkeyenc.pem`.
This patch makes the filename consistent (`clientenckey.pem`)
across all those places.
@rajiv-k
feat(tls): Add support for TLS Auth using a passphrase protected priv…
ca9e767 
…ate key

This patch adds support for handling an PEM-encoded encrypted private key
in the pkcs#1 format and the more general & recommended pkcs#8 (using a
pkcs#5 v2.0 encryption standard).

Fixes influxdata#12932
@rajiv-k
Add youmark/pkcs8 to go.mod
8930fda
@rajiv-k
tls/config: Wrap the underlying errors to provide more context
e72d4ca 
This also makes golangci-lint happier! :yay:
@rajiv-k
tls/config: Disable linting for deprecated x509.IsEncryptedPEMBlock &…
c73c01f 
… x509.DecryptPEMBlock
@srebhan srebhan changed the title tls: Add support for TLS Auth using a passphrase protected private key feat(common.tls): Add support for passphrase-protected private key May 15, 2023
@rajiv-k
Copy link
Contributor Author

rajiv-k commented May 16, 2023

@powersj This PR is ready for review. Please let me know if there is any feedback or changes you'd like me to make to this pull request. I'm happy to discuss any suggestions you might have.

@allej
Copy link

allej commented May 16, 2023

Hi Rajiv
Thanks very much!
I've tested your fix and it perfectly suits my use case.

  • Plugin outputs.influxdb
  • Private keys in pkcs#1 encrypted pem format, looking like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: ...

...
-----END RSA PRIVATE KEY-----
  • Unencrypted keys still working as expected

@rajiv-k
Copy link
Contributor Author

rajiv-k commented May 16, 2023

@allej Thanks for the confirmation!

@srebhan srebhan added feat Improvement on an existing feature such as adding a new setting/mode to an existing plugin security raise security concerns or improve the security of Telegraf labels May 22, 2023
powersj
powersj reviewed May 22, 2023
View reviewed changes
Copy link
Contributor

@powersj powersj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates - one final comment about a test case, then this should be ready for final review

plugins/common/tls/config_test.go Show resolved Hide resolved
@powersj powersj added the ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review. label May 23, 2023
srebhan
srebhan reviewed May 23, 2023
View reviewed changes
Copy link
Member

@srebhan srebhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution @rajiv-k! Just a few minor comments...

plugins/common/tls/config.go Outdated Show resolved Hide resolved
plugins/common/tls/config.go Outdated Show resolved Hide resolved
plugins/common/tls/config.go Show resolved Hide resolved
plugins/common/tls/config.go Outdated Show resolved Hide resolved
srebhan
srebhan reviewed May 25, 2023
View reviewed changes
Copy link
Member

@srebhan srebhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@rajiv-k can you please switch to the implicit declaration for certBytes, keyBytes and err!? Furthermore, please declare var cert tls.Certificate immediately before it is assigned in order to avoid unintended read-before-set cases.

@srebhan
Copy link
Member

srebhan commented May 30, 2023

@rajiv-k can you please check the implicit declaration?!?

@powersj powersj added the waiting for response waiting for response from contributor label May 31, 2023
@telegraf-tiger
Copy link
Contributor

Download PR build artifacts for linux_amd64.tar.gz, darwin_amd64.tar.gz, and windows_amd64.zip.
Downloads for additional architectures and packages are available below.

🥳 This pull request decreases the Telegraf binary size by -5.62 % for linux amd64 (new size: 175.1 MB, nightly size 185.5 MB)

📦 Click here to get additional PR build artifacts

Artifact URLs

DEB RPM TAR GZ ZIP
amd64.deb aarch64.rpm darwin_amd64.tar.gz windows_amd64.zip
arm64.deb armel.rpm darwin_arm64.tar.gz windows_arm64.zip
armel.deb armv6hl.rpm freebsd_amd64.tar.gz windows_i386.zip
armhf.deb i386.rpm freebsd_armv7.tar.gz
i386.deb ppc64le.rpm freebsd_i386.tar.gz
mips.deb riscv64.rpm linux_amd64.tar.gz
mipsel.deb s390x.rpm linux_arm64.tar.gz
ppc64el.deb x86_64.rpm linux_armel.tar.gz
riscv64.deb linux_armhf.tar.gz
s390x.deb linux_i386.tar.gz
linux_mips.tar.gz
linux_mipsel.tar.gz
linux_ppc64le.tar.gz
linux_riscv64.tar.gz
linux_s390x.tar.gz

srebhan
srebhan approved these changes Jun 1, 2023
View reviewed changes
Copy link
Member

@srebhan srebhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Adapted the variable declaration, so I'm fine with the code now. Thanks a lot for your work and contribution @rajiv-k!

@srebhan srebhan merged commit 7427ea3 into influxdata:master Jun 1, 2023
@rajiv-k
Copy link
Contributor Author

rajiv-k commented Jun 6, 2023

@srebhan Thanks for taking care of this while I was away on vacation 👍

@telegraf-tiger telegraf-tiger bot removed the waiting for response waiting for response from contributor label Jun 6, 2023
@chenrui333 chenrui333 mentioned this pull request Jun 13, 2023
Merged
@srebhan srebhan added this to the v1.27.0 milestone Jun 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jdstrand jdstrand jdstrand left review comments

@srebhan srebhan srebhan approved these changes

@powersj powersj powersj approved these changes

Assignees

@srebhan srebhan

Labels
feat Improvement on an existing feature such as adding a new setting/mode to an existing plugin ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review. security raise security concerns or improve the security of Telegraf
Projects
None yet
Milestone
v1.27.0
Development

Successfully merging this pull request may close these issues.

Support for TLS Auth using a passphrase protected private key
5 participants
@rajiv-k @allej @srebhan @jdstrand @powersj