Skip to content

Commit

Permalink
Report error for unsupported PKCS #1 format for the private key (#4117)
Browse files Browse the repository at this point in the history
Java Kafka clients don't support PKCS #1 format for private keys.

Signed-off-by: Pierangelo Di Pilato <pierdipi@redhat.com>
Co-authored-by: Pierangelo Di Pilato <pierdipi@redhat.com>
  • Loading branch information
knative-prow-robot and pierDipi authored Sep 27, 2024
1 parent 0c77381 commit ea10ce6
Show file tree
Hide file tree
Showing 3 changed files with 78 additions and 0 deletions.
22 changes: 22 additions & 0 deletions control-plane/pkg/security/secret.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,10 @@ package security
import (
"crypto/tls"
"crypto/x509"
"encoding/pem"
"fmt"
"strconv"
"strings"

"github.com/IBM/sarama"

Expand Down Expand Up @@ -193,6 +195,10 @@ func sslConfig(protocol string, data map[string][]byte) kafka.ConfigOption {
if err != nil {
return fmt.Errorf("[protocol %s] failed to load x.509 key pair: %w", protocol, err)
}
// Java Kafka clients don't support PKCS #1 format for the private key
if isPrivateKeyPKCS1Format(userKeyCert) {
return fmt.Errorf("[protocol %s] unsupported user key format in %s, 'PKCS #1' format is not supported, convert private key to 'PKCS #8'", protocol, UserKey)
}
tlsCerts = []tls.Certificate{tlsCert}
}
}
Expand Down Expand Up @@ -220,3 +226,19 @@ func skipClientAuthCheck(data map[string][]byte) (bool, error) {
}
return enabled, nil
}

func isPrivateKeyPKCS1Format(keyPEMBlock []byte) bool {
var keyDERBlock *pem.Block
for {
keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock)
if keyDERBlock == nil {
return false
}
if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
break
}
}

_, err := x509.ParsePKCS1PrivateKey(keyDERBlock.Bytes)
return err == nil
}
29 changes: 29 additions & 0 deletions control-plane/pkg/security/secret_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -194,6 +194,22 @@ func TestSSL(t *testing.T) {
assert.NotNil(t, config.Net.TLS.Config.RootCAs)
}

func TestSSLPKCS1(t *testing.T) {
ca, userKey, userCert := loadPKCS1Certs(t)

secret := map[string][]byte{
"protocol": []byte("SSL"),
"user.key": userKey,
"user.crt": userCert,
"ca.crt": ca,
}
config := sarama.NewConfig()

err := kafka.Options(config, secretData(secret))

assert.NotNil(t, err)
}

func TestSSLNoUserKey(t *testing.T) {
ca, _, userCert := loadCerts(t)

Expand Down Expand Up @@ -384,3 +400,16 @@ func loadCerts(t *testing.T) (ca, userKey, userCert []byte) {

return ca, userKey, userCert
}

func loadPKCS1Certs(t *testing.T) (ca, userKey, userCert []byte) {
ca, err := os.ReadFile("testdata/ca.crt")
assert.Nil(t, err)

userKey, err = os.ReadFile("testdata/pkcs1_user.key")
assert.Nil(t, err)

userCert, err = os.ReadFile("testdata/user.crt")
assert.Nil(t, err)

return ca, userKey, userCert
}
27 changes: 27 additions & 0 deletions control-plane/pkg/security/testdata/pkcs1_user.key
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA1c6XoILp78NVhSuzC8KJ1QnSGQ8CisCHkGWeEIkXI0Cuh2k6
2+vpVIMUuHdehF45/Jxcia54GqIZ6SneN1IpW94+oP+Sls1ZtEZgJpJCyMqe8qBd
jB2M/+CI3px8GyinnumM50TPr/zpp04XsR8I2NzhQq2IQtNAm7FjK7orZtfdqCYe
sk5tARcObVWxKm+WOwjTWDGmlVyxwyWqFGIspV2ymv8Sx8rnOBhUFYIBqB3lefNn
ja0Oh89oZM6ZlRrCupxsnZHXhM3i/c2+AR+tLWQEW0xlqdtle8oARe44E1bnryI1
mDLmjQ3YuyR4/Kw+yl4Q+DLFMC7pBAZLTFbkIQIDAQABAoIBAE190DTr3e/5gyB+
Iymq+5vMMGrGpuw1Na0fN3fUyB8NzXPkruGQkoP/8l2dXhNpt2iYH24DXyKACBYb
B6BTVgwm89oUZ0Pi75VIQIcaUbxGu+9CMkWbXERNVC4i11Rcmswc5+XWadPmPaVW
x315uxImlDo/fPiDapJDa6colZxzDRfa+cH2PrjzDw317Q371qEliJOJF2ZFPDRF
vSBiSQlo9gE9vVR6lanuaG1nQFkAnN1wjb4qfjsGjSdSbQfOHkwA+jQ8o4L3csAo
idUq8UlLmGJY7GIStF47m7TiWv/aLcTCOks7sii/gQJx9GEme+wR1Xe/BtHErqnI
N3hUVKUCgYEA7PvaV6AJE/Ht9itRbxuoeK+yAe0Sn9z5mbuy9HQsVJH0LLL/lL5Y
BuyWWy+Tj7IorfCEmHyY9KOq9V7HRRIa6PKzd5rVGn1D8I6yPU/n8FgZboOy4ahN
lkbDNIuHcu27bkqiAZ4Vu2mpRtalr7QQdlS9v7S235GDQWTroDQQyycCgYEA5vaj
mPnvYOR2S2h4pSBTKdz9Ba2fWw0MiLFIKoHmOblazqRZkLOKoN/DbnOKpbvKqyA6
cwo4r9AF4dRLa0sE3zjmNOBZAV0Uu6fhcaZgvc+1t82P+vrZblP9pXOdFGGoed4S
bskLL/C1oXd6+Q89rCFIkkHJXDJvxRUZNe0BA3cCgYBZ9akGxltr1NTOM9dv5AHp
/lgGXyZIxSuC7juajFcfq2ATb8eRgUgNKNZSuxa635iNntXWxMWTaGXHSzk9wQey
Eh+KcZ4fthmKQcDrgV+8XtUYnKnU+3yoZShI1AaQ3CngTjh9gLMjN5LoryaqMiJl
qPl2wnUBHU3EDzla0Sjm1QKBgQCPxodu6l+OxImzRZScznOWwt+rkjp6NrRPv3R6
KaUE2BLkQkETKAErRkBlWH290BpIzuYzyPAi2e9fdoWAhBHDV6tOzT368FPAwbBA
zF66qjun8MopZdDGsnhab48gKe7z9j8pQfO54zFeE3+03Tz6EzoW+eb8gtU7LXgl
LqWL3wKBgQC0+0lRsGfnsPgRDaAAwoHCxP6h3DNMcRxNMca1aI78ENJZUXfY3XzG
yOE1i/1/SV1NQD4O1BlEqNTaDlM0yw0UttMvOPrI+ZC9hZIbCxVfXGZ7xKqIL+Vo
nG64GxSZh7M6pQHzUjlqTpsr8JaG6O7ODQtlYPHwNw24j7YGvxfk7A==
-----END RSA PRIVATE KEY-----

0 comments on commit ea10ce6

Please sign in to comment.