From 8ad754567ece5fc44f13f55c4e182fe018fb5074 Mon Sep 17 00:00:00 2001 From: Gerald Pinder Date: Sat, 10 Aug 2024 13:04:48 -0400 Subject: [PATCH] fix: Allow using from_encrypted_pem for unencrypted pems if an empty password is given --- src/crypto/signing_key/ecdsa/ec.rs | 14 ++++++++++++++ src/crypto/signing_key/ed25519.rs | 14 ++++++++++++++ src/crypto/signing_key/rsa/keypair.rs | 18 +++++++++++++++++- 3 files changed, 45 insertions(+), 1 deletion(-) diff --git a/src/crypto/signing_key/ecdsa/ec.rs b/src/crypto/signing_key/ecdsa/ec.rs index 353379b92c..b18e329e01 100644 --- a/src/crypto/signing_key/ecdsa/ec.rs +++ b/src/crypto/signing_key/ecdsa/ec.rs @@ -153,6 +153,7 @@ where let ec_seckey = SecretKey::::from_sec1_der(pkcs8.private_key)?; Self::from_private_key(ec_seckey) } + PRIVATE_KEY_PEM_LABEL if password.is_empty() => Self::from_pem(private_key), tag => Err(SigstoreError::PrivateKeyDecryptError(format!( "Unsupported pem tag {tag}" ))), @@ -390,6 +391,19 @@ mod tests { ); } + /// This test will try to read an unencrypted ecdsa with an empty password + /// private key file, which is generated by `sigstore`. + #[test] + fn ecdsa_from_unencrypted_pem_empty_password() { + let content = fs::read("tests/data/keys/ecdsa_private.key") + .expect("read tests/data/keys/ecdsa_private.key failed."); + let key = EcdsaKeys::::from_encrypted_pem(&content, EMPTY_PASSWORD); + assert!( + key.is_ok(), + "can not create EcdsaKeys from unencrypted PEM file." + ); + } + /// This test will try to read an encrypted ecdsa /// private key file, which is generated by `sigstore`. #[test] diff --git a/src/crypto/signing_key/ed25519.rs b/src/crypto/signing_key/ed25519.rs index 24d01ba261..671ab96b1c 100644 --- a/src/crypto/signing_key/ed25519.rs +++ b/src/crypto/signing_key/ed25519.rs @@ -120,6 +120,7 @@ impl Ed25519Keys { })?; Self::from_key_pair_bytes(key_pair_bytes) } + PRIVATE_KEY_PEM_LABEL if password.is_empty() => Self::from_pem(encrypted_pem), tag => Err(SigstoreError::PrivateKeyDecryptError(format!( "Unsupported pem tag {tag}" ))), @@ -303,6 +304,19 @@ mod tests { ); } + /// This test will try to read an unencrypted ed25519 with an empty password + /// private key file, which is generated by `sigstore`. + #[test] + fn ed25519_from_unencrypted_pem_empty_password() { + let content = fs::read("tests/data/keys/ed25519_private.key") + .expect("read tests/data/keys/ed25519_private.key failed."); + let key = Ed25519Keys::from_encrypted_pem(&content, EMPTY_PASSWORD); + assert!( + key.is_ok(), + "can not create Ed25519Keys from unencrypted PEM file." + ); + } + /// This test will try to read an encrypted ed25519 /// private key file, which is generated by `sigstore`. #[test] diff --git a/src/crypto/signing_key/rsa/keypair.rs b/src/crypto/signing_key/rsa/keypair.rs index 9f02468adc..48cde19e1f 100644 --- a/src/crypto/signing_key/rsa/keypair.rs +++ b/src/crypto/signing_key/rsa/keypair.rs @@ -101,7 +101,9 @@ impl RSAKeys { })?; Ok(Self::from(private_key)) } - + RSA_PRIVATE_KEY_PEM_LABEL | PRIVATE_KEY_PEM_LABEL if password.is_empty() => { + Self::from_pem(encrypted_pem) + } tag => Err(SigstoreError::PrivateKeyDecryptError(format!( "Unsupported pem tag {tag}" ))), @@ -296,6 +298,20 @@ mod tests { ); } + /// This test will try to read an unencrypted rsa with an empty password + /// private key file, which is generated by `sigstore`. + #[test] + fn rsa_from_unencrypted_pem_empty_password() { + let content = fs::read("tests/data/keys/rsa_private.key") + .expect("read tests/data/keys/rsa_private.key failed."); + let key = RSAKeys::from_encrypted_pem(&content, EMPTY_PASSWORD); + dbg!(&key); + assert!( + key.is_ok(), + "can not create RSAKeys from unencrypted PEM file." + ); + } + /// This test will try to read an encrypted rsa /// private key file, which is generated by `sigstore`. #[test]