Better error message when TLS certs do not have proper permissions (#16703)
This commit is contained in:
parent
9acf1024e4
commit
8da0f4c5bb
@ -49,19 +49,19 @@ func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
|
||||
for len(current) > 0 {
|
||||
var pemBlock *pem.Block
|
||||
if pemBlock, current = pem.Decode(current); pemBlock == nil {
|
||||
return nil, ErrSSLUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile)
|
||||
return nil, ErrTLSUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile)
|
||||
}
|
||||
|
||||
var x509Cert *x509.Certificate
|
||||
if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil {
|
||||
return nil, ErrSSLUnexpectedData(nil).Msg("Failed to parse `%s`: %s", certFile, err.Error())
|
||||
return nil, ErrTLSUnexpectedData(nil).Msg("Failed to parse `%s`: %s", certFile, err.Error())
|
||||
}
|
||||
|
||||
x509Certs = append(x509Certs, x509Cert)
|
||||
}
|
||||
|
||||
if len(x509Certs) == 0 {
|
||||
return nil, ErrSSLUnexpectedData(nil).Msg("Empty public certificate file %s", certFile)
|
||||
return nil, ErrTLSUnexpectedData(nil).Msg("Empty public certificate file %s", certFile)
|
||||
}
|
||||
|
||||
return x509Certs, nil
|
||||
@ -73,33 +73,33 @@ func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
|
||||
func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
|
||||
certPEMBlock, err := os.ReadFile(certFile)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, ErrSSLUnexpectedError(err)
|
||||
return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the public key: %s", err)
|
||||
}
|
||||
keyPEMBlock, err := os.ReadFile(keyFile)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, ErrSSLUnexpectedError(err)
|
||||
return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the private key: %s", err)
|
||||
}
|
||||
key, rest := pem.Decode(keyPEMBlock)
|
||||
if len(rest) > 0 {
|
||||
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key contains additional data")
|
||||
return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg("The private key contains additional data")
|
||||
}
|
||||
if key == nil {
|
||||
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key is not readable")
|
||||
return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg("The private key is not readable")
|
||||
}
|
||||
if x509.IsEncryptedPEMBlock(key) {
|
||||
password := env.Get(EnvCertPassword, "")
|
||||
if len(password) == 0 {
|
||||
return tls.Certificate{}, ErrSSLNoPassword(nil)
|
||||
return tls.Certificate{}, ErrTLSNoPassword(nil)
|
||||
}
|
||||
decryptedKey, decErr := x509.DecryptPEMBlock(key, []byte(password))
|
||||
if decErr != nil {
|
||||
return tls.Certificate{}, ErrSSLWrongPassword(decErr)
|
||||
return tls.Certificate{}, ErrTLSWrongPassword(decErr)
|
||||
}
|
||||
keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey})
|
||||
}
|
||||
cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg(err.Error())
|
||||
return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg(err.Error())
|
||||
}
|
||||
return cert, nil
|
||||
}
|
||||
|
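Review bot: The new read-error path `return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the public key: %s", err)` is taken for every os.ReadFile failure, yet the hint this commit attaches to ErrTLSReadError in the later hunk ("Please check if the certificate has the proper owner and read permissions") only fits permission failures, so a missing or mistyped path now gets a misleading hint. Consider branching on `os.IsPermission(err)` at both read sites (certFile and keyFile) and keeping a generic read error for the other cases. The message also labels certFile as "the public key" although the argument is the certificate file; `"Unable to read the certificate file: %s"` would match the hint's own wording. The first hunk's enclosing function ParsePublicCertFile starts outside the hunk; LoadX509KeyPair is shown in full.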
@ -225,19 +225,19 @@ Examples:
|
||||
`Use 'sudo setcap cap_net_bind_service=+ep /path/to/minio' to provide sufficient permissions`,
|
||||
)
|
||||
|
||||
ErrSSLUnexpectedError = newErrFn(
|
||||
"Invalid TLS certificate",
|
||||
"Please check the content of your certificate data",
|
||||
`Only PEM (x.509) format is accepted as valid public & private certificates`,
|
||||
ErrTLSReadError = newErrFn(
|
||||
"Cannot read the TLS certificate",
|
||||
"Please check if the certificate has the proper owner and read permissions",
|
||||
"",
|
||||
)
|
||||
|
||||
ErrSSLUnexpectedData = newErrFn(
|
||||
ErrTLSUnexpectedData = newErrFn(
|
||||
"Invalid TLS certificate",
|
||||
"Please check your certificate",
|
||||
"",
|
||||
)
|
||||
|
||||
ErrSSLNoPassword = newErrFn(
|
||||
ErrTLSNoPassword = newErrFn(
|
||||
"Missing TLS password",
|
||||
"Please set the password to environment variable `MINIO_CERT_PASSWD` so that the private key can be decrypted",
|
||||
"",
|
||||
@ -255,7 +255,7 @@ Examples:
|
||||
"",
|
||||
)
|
||||
|
||||
ErrSSLWrongPassword = newErrFn(
|
||||
ErrTLSWrongPassword = newErrFn(
|
||||
"Unable to decrypt the private key using the provided password",
|
||||
"Please set the correct password in environment variable `MINIO_CERT_PASSWD`",
|
||||
"",
|
||||
|
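Review bot: The renamed `ErrTLSUnexpectedData = newErrFn(` keeps an empty third argument, so the PEM-format guidance dropped together with ErrSSLUnexpectedError (`Only PEM (x.509) format is accepted as valid public & private certificates`) is no longer surfaced anywhere, even though ErrTLSUnexpectedData is the error ParsePublicCertFile and LoadX509KeyPair return for PEM decode and parse failures in the other hunks of this commit. Judging by the neighbouring `setcap` example on the same slot, the third argument appears to be the help text, so moving that string into ErrTLSUnexpectedData's third argument would keep the operator-facing hint. The hint on ErrTLSReadError is also worded for the certificate only while the same error is returned for the private key file; `"Please check if the certificate and private key files have the proper owner and read permissions"` would cover both. The enclosing var block starts and ends outside these hunks.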