fix: Allow using from_encrypted_pem for unencrypted pems if an empty …

…password is given Signed-off-by: Gerald Pinder <gmpinder@gmail.com>
sigstore · Aug 10, 2024 · 3a804bf · 3a804bf
1 parent 48857ff
commit 3a804bf
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 1 deletion.
diff --git a/src/crypto/signing_key/ecdsa/ec.rs b/src/crypto/signing_key/ecdsa/ec.rs
@@ -153,6 +153,7 @@ where
                 let ec_seckey = SecretKey::<C>::from_sec1_der(pkcs8.private_key)?;
                 Self::from_private_key(ec_seckey)
             }
+            PRIVATE_KEY_PEM_LABEL if password.is_empty() => Self::from_pem(private_key),
             tag => Err(SigstoreError::PrivateKeyDecryptError(format!(
                 "Unsupported pem tag {tag}"
             ))),
@@ -390,6 +391,19 @@ mod tests {
         );
     }
 
+    /// This test will try to read an unencrypted ecdsa with an empty password
+    /// private key file, which is generated by `sigstore`.
+    #[test]
+    fn ecdsa_from_unencrypted_pem_empty_password() {
+        let content = fs::read("tests/data/keys/ecdsa_private.key")
+            .expect("read tests/data/keys/ecdsa_private.key failed.");
+        let key = EcdsaKeys::<p256::NistP256>::from_encrypted_pem(&content, EMPTY_PASSWORD);
+        assert!(
+            key.is_ok(),
+            "can not create EcdsaKeys from unencrypted PEM file."
+        );
+    }
+
     /// This test will try to read an encrypted ecdsa
     /// private key file, which is generated by `sigstore`.
     #[test]

diff --git a/src/crypto/signing_key/ed25519.rs b/src/crypto/signing_key/ed25519.rs
@@ -120,6 +120,7 @@ impl Ed25519Keys {
                 })?;
                 Self::from_key_pair_bytes(key_pair_bytes)
             }
+            PRIVATE_KEY_PEM_LABEL if password.is_empty() => Self::from_pem(encrypted_pem),
             tag => Err(SigstoreError::PrivateKeyDecryptError(format!(
                 "Unsupported pem tag {tag}"
             ))),
@@ -303,6 +304,19 @@ mod tests {
         );
     }
 
+    /// This test will try to read an unencrypted ed25519 with an empty password
+    /// private key file, which is generated by `sigstore`.
+    #[test]
+    fn ed25519_from_unencrypted_pem_empty_password() {
+        let content = fs::read("tests/data/keys/ed25519_private.key")
+            .expect("read tests/data/keys/ed25519_private.key failed.");
+        let key = Ed25519Keys::from_encrypted_pem(&content, EMPTY_PASSWORD);
+        assert!(
+            key.is_ok(),
+            "can not create Ed25519Keys from unencrypted PEM file."
+        );
+    }
+
     /// This test will try to read an encrypted ed25519
     /// private key file, which is generated by `sigstore`.
     #[test]

diff --git a/src/crypto/signing_key/rsa/keypair.rs b/src/crypto/signing_key/rsa/keypair.rs
@@ -101,7 +101,9 @@ impl RSAKeys {
                 })?;
                 Ok(Self::from(private_key))
             }
-
+            RSA_PRIVATE_KEY_PEM_LABEL | PRIVATE_KEY_PEM_LABEL if password.is_empty() => {
+                Self::from_pem(encrypted_pem)
+            }
             tag => Err(SigstoreError::PrivateKeyDecryptError(format!(
                 "Unsupported pem tag {tag}"
             ))),
@@ -296,6 +298,20 @@ mod tests {
         );
     }
 
+    /// This test will try to read an unencrypted rsa with an empty password
+    /// private key file, which is generated by `sigstore`.
+    #[test]
+    fn rsa_from_unencrypted_pem_empty_password() {
+        let content = fs::read("tests/data/keys/rsa_private.key")
+            .expect("read tests/data/keys/rsa_private.key failed.");
+        let key = RSAKeys::from_encrypted_pem(&content, EMPTY_PASSWORD);
+        dbg!(&key);
+        assert!(
+            key.is_ok(),
+            "can not create RSAKeys from unencrypted PEM file."
+        );
+    }
+
     /// This test will try to read an encrypted rsa
     /// private key file, which is generated by `sigstore`.
     #[test]