Better error message when TLS certs do not have proper permissions (#16703)

This commit is contained in:
Anis Elleuch 2023-02-24 15:34:55 +01:00 committed by GitHub
parent 9acf1024e4
commit 8da0f4c5bb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 17 deletions


@ -49,19 +49,19 @@ func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
for len(current) > 0 { for len(current) > 0 {
var pemBlock *pem.Block var pemBlock *pem.Block
if pemBlock, current = pem.Decode(current); pemBlock == nil { if pemBlock, current = pem.Decode(current); pemBlock == nil {
return nil, ErrSSLUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile) return nil, ErrTLSUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile)
} }
var x509Cert *x509.Certificate var x509Cert *x509.Certificate
if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil { if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil {
return nil, ErrSSLUnexpectedData(nil).Msg("Failed to parse `%s`: %s", certFile, err.Error()) return nil, ErrTLSUnexpectedData(nil).Msg("Failed to parse `%s`: %s", certFile, err.Error())
} }
x509Certs = append(x509Certs, x509Cert) x509Certs = append(x509Certs, x509Cert)
} }
if len(x509Certs) == 0 { if len(x509Certs) == 0 {
return nil, ErrSSLUnexpectedData(nil).Msg("Empty public certificate file %s", certFile) return nil, ErrTLSUnexpectedData(nil).Msg("Empty public certificate file %s", certFile)
} }
return x509Certs, nil return x509Certs, nil
@ -73,33 +73,33 @@ func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) { func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
certPEMBlock, err := os.ReadFile(certFile) certPEMBlock, err := os.ReadFile(certFile)
if err != nil { if err != nil {
return tls.Certificate{}, ErrSSLUnexpectedError(err) return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the public key: %s", err)
} }
keyPEMBlock, err := os.ReadFile(keyFile) keyPEMBlock, err := os.ReadFile(keyFile)
if err != nil { if err != nil {
return tls.Certificate{}, ErrSSLUnexpectedError(err) return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the private key: %s", err)
} }
key, rest := pem.Decode(keyPEMBlock) key, rest := pem.Decode(keyPEMBlock)
if len(rest) > 0 { if len(rest) > 0 {
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key contains additional data") return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg("The private key contains additional data")
} }
if key == nil { if key == nil {
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key is not readable") return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg("The private key is not readable")
} }
if x509.IsEncryptedPEMBlock(key) { if x509.IsEncryptedPEMBlock(key) {
password := env.Get(EnvCertPassword, "") password := env.Get(EnvCertPassword, "")
if len(password) == 0 { if len(password) == 0 {
return tls.Certificate{}, ErrSSLNoPassword(nil) return tls.Certificate{}, ErrTLSNoPassword(nil)
} }
decryptedKey, decErr := x509.DecryptPEMBlock(key, []byte(password)) decryptedKey, decErr := x509.DecryptPEMBlock(key, []byte(password))
if decErr != nil { if decErr != nil {
return tls.Certificate{}, ErrSSLWrongPassword(decErr) return tls.Certificate{}, ErrTLSWrongPassword(decErr)
} }
keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey}) keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey})
} }
cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock) cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil { if err != nil {
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg(err.Error()) return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg(err.Error())
} }
return cert, nil return cert, nil
} }
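Review bot: The two new ErrTLSReadError returns in LoadX509KeyPair (the os.ReadFile failures for certFile and keyFile) attach a permissions-only hint to every read error, yet os.ReadFile also fails when the path simply does not exist, which is at least as common a misconfiguration and is then reported as an ownership/permission problem. Consider choosing the hint with `errors.Is(err, fs.ErrPermission)` and keeping a neutral read-failure message otherwise; the wrapped err is an *os.PathError, so the path and errno already reach the operator. The certFile branch also calls the file the "public key" although it holds the certificate: `return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the certificate file: %s", err)`. The same assumption is baked into the ErrTLSReadError definition in the second file, whose title and hint mention only the certificate and only permissions even though the private-key read reuses it.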


@ -225,19 +225,19 @@ Examples:
`Use 'sudo setcap cap_net_bind_service=+ep /path/to/minio' to provide sufficient permissions`, `Use 'sudo setcap cap_net_bind_service=+ep /path/to/minio' to provide sufficient permissions`,
) )
ErrSSLUnexpectedError = newErrFn( ErrTLSReadError = newErrFn(
"Invalid TLS certificate", "Cannot read the TLS certificate",
"Please check the content of your certificate data", "Please check if the certificate has the proper owner and read permissions",
`Only PEM (x.509) format is accepted as valid public & private certificates`, "",
) )
ErrSSLUnexpectedData = newErrFn( ErrTLSUnexpectedData = newErrFn(
"Invalid TLS certificate", "Invalid TLS certificate",
"Please check your certificate", "Please check your certificate",
"", "",
) )
ErrSSLNoPassword = newErrFn( ErrTLSNoPassword = newErrFn(
"Missing TLS password", "Missing TLS password",
"Please set the password to environment variable `MINIO_CERT_PASSWD` so that the private key can be decrypted", "Please set the password to environment variable `MINIO_CERT_PASSWD` so that the private key can be decrypted",
"", "",
@ -255,7 +255,7 @@ Examples:
"", "",
) )
ErrSSLWrongPassword = newErrFn( ErrTLSWrongPassword = newErrFn(
"Unable to decrypt the private key using the provided password", "Unable to decrypt the private key using the provided password",
"Please set the correct password in environment variable `MINIO_CERT_PASSWD`", "Please set the correct password in environment variable `MINIO_CERT_PASSWD`",
"", "",