Support encrypted private keys (#26)

nakabonne · Dec 28, 2020 · 8f4ca3a · 8f4ca3a
1 parent 31b8bab
commit 8f4ca3a
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 20 deletions.
diff --git a/commands/copy.go b/commands/copy.go
@@ -127,7 +127,7 @@ func (r *copyRunner) encrypt(plaintext []byte, saltFunc func() ([]byte, error))
 		if err != nil {
 			return nil, fmt.Errorf("failed to read %s: %w", r.publicKeyFile, err)
 		}
-		encryptedSessKey, err := pbcrypto.EncryptWithRSA(pubKey, sessionKey)
+		encryptedSessKey, err := pbcrypto.EncryptWithRSA(sessionKey, pubKey)
 		if err != nil {
 			return nil, fmt.Errorf("failed to encrypt the session key: %w", err)
 		}

diff --git a/commands/paste.go b/commands/paste.go
@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -17,12 +18,13 @@ import (
 )
 
 type pasteRunner struct {
-	timeout          time.Duration
-	password         string
-	symmetricKeyFile string
-	privateKeyFile   string
-	basicAuth        string
-	maxBufSize       string
+	timeout                time.Duration
+	password               string
+	symmetricKeyFile       string
+	privateKeyFile         string
+	privateKeyPasswordFile string
+	basicAuth              string
+	maxBufSize             string
 
 	stdout io.Writer
 	stderr io.Writer
@@ -44,6 +46,7 @@ func NewPasteCommand(stdout, stderr io.Writer) *cobra.Command {
 	cmd.Flags().StringVarP(&r.password, "password", "p", "", "Password to derive the symmetric-key to be used for decryption")
 	cmd.Flags().StringVarP(&r.symmetricKeyFile, "symmetric-key-file", "k", "", "Path to symmetric-key file to be used for decryption")
 	cmd.Flags().StringVarP(&r.privateKeyFile, "private-key-file", "K", "", "Path to an RSA private-key file to be used for decryption; Must be in PEM or DER format")
+	cmd.Flags().StringVar(&r.privateKeyPasswordFile, "private-key-password-file", "", "Path to password file to decrypt the encrypted private key")
 	cmd.Flags().StringVarP(&r.basicAuth, "basic-auth", "a", "", "Basic authentication, username:password")
 	cmd.Flags().StringVar(&r.maxBufSize, "max-size", "500mb", "Max data size with unit")
 	return cmd
@@ -107,7 +110,14 @@ func (r *pasteRunner) decrypt(data []byte, saltFunc func() ([]byte, error)) ([]b
 		if err != nil {
 			return nil, fmt.Errorf("failed to read %s: %w", r.privateKeyFile, err)
 		}
-		sessKey, err := pbcrypto.DecryptWithRSA(privKey, withSessKey.EncryptedSessionKey)
+		var keyPassword []byte
+		if r.privateKeyPasswordFile != "" {
+			keyPassword, err = ioutil.ReadFile(r.privateKeyPasswordFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read %s: %w", r.privateKeyPasswordFile, err)
+			}
+		}
+		sessKey, err := pbcrypto.DecryptWithRSA(withSessKey.EncryptedSessionKey, privKey, bytes.TrimSpace(keyPassword))
 		if err != nil {
 			return nil, fmt.Errorf("failed to decrypt the session key: %w", err)
 		}

diff --git a/crypto/crypto.go b/crypto/crypto.go
@@ -66,7 +66,7 @@ func Decrypt(key, encrypted []byte) ([]byte, error) {
 
 // EncryptWithRSA encrypts the given data with RSA-OAEP.
 // pubKey must be a RSA public key in PEM or DER format.
-func EncryptWithRSA(pubKey, plaintext []byte) ([]byte, error) {
+func EncryptWithRSA(plaintext, pubKey []byte) ([]byte, error) {
 	// At first it assumes the pubKey is in DER format.
 	derKey, err := parsePubKeyInDER(pubKey)
 	if err == nil {
@@ -106,7 +106,7 @@ func parsePubKeyInDER(der []byte) (*rsa.PublicKey, error) {
 
 // DecryptWithRSA decrypts the given encrypted data with RSA-OAEP.
 // privKey must be a RSA private key in PEM or DER format.
-func DecryptWithRSA(privKey, encrypted []byte) ([]byte, error) {
+func DecryptWithRSA(encrypted, privKey, password []byte) ([]byte, error) {
 	// At first it assumes the privKey is in DER format.
 	derKey, err := parsePrivKeyInDER(privKey)
 	if err == nil {
@@ -118,7 +118,15 @@ func DecryptWithRSA(privKey, encrypted []byte) ([]byte, error) {
 	if pem == nil {
 		return nil, fmt.Errorf("given private key format is neither DER nor PEM")
 	}
-	pemKey, err := parsePrivKeyInDER(pem.Bytes)
+	bytes := pem.Bytes
+	if x509.IsEncryptedPEMBlock(pem) {
+		var err error
+		bytes, err = x509.DecryptPEMBlock(pem, password)
+		if err != nil {
+			return nil, fmt.Errorf("failed to decrypt the encrypted private key: %w", err)
+		}
+	}
+	pemKey, err := parsePrivKeyInDER(bytes)
 	if err != nil {
 		return nil, err
 	}

diff --git a/crypto/crypto_test.go b/crypto/crypto_test.go
@@ -100,19 +100,20 @@ YQIDAQAB
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := EncryptWithRSA([]byte(tt.pubKey), []byte(tt.data))
+			_, err := EncryptWithRSA([]byte(tt.data), []byte(tt.pubKey))
 			assert.Equal(t, tt.wantErr, err != nil)
 		})
 	}
 }
 
 func TestDecryptWithRSA(t *testing.T) {
 	tests := []struct {
-		name    string
-		privKey string
-		pubKey  string
-		data    string
-		wantErr bool
+		name     string
+		privKey  string
+		pubKey   string
+		data     string
+		password string
+		wantErr  bool
 	}{
 		{
 			name:    "private key is not in pem format",
@@ -134,7 +135,7 @@ vI7VebGGA3OUmbqWMPoIR2epT3KLRi2pEA==
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := DecryptWithRSA([]byte(tt.privKey), []byte(tt.data))
+			_, err := DecryptWithRSA([]byte(tt.data), []byte(tt.privKey), []byte(tt.password))
 			assert.Equal(t, tt.wantErr, err != nil)
 		})
 	}
@@ -280,9 +281,9 @@ QwIDAQAB
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			encrypted, err := EncryptWithRSA([]byte(tt.pubKey), []byte(tt.data))
+			encrypted, err := EncryptWithRSA([]byte(tt.data), []byte(tt.pubKey))
 			assert.NoError(t, err)
-			_, err = DecryptWithRSA([]byte(tt.privKey), encrypted)
+			_, err = DecryptWithRSA(encrypted, []byte(tt.privKey), nil)
 			assert.Equal(t, tt.wantErr, err != nil)
 		})
 	}