Better error message when TLS certs do not have proper permissions (#16703)

Anis Elleuch 2023-02-24 15:34:55 +01:00 committed by GitHub
parent 9acf1024e4
commit 8da0f4c5bb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 17 deletions


@ -49,19 +49,19 @@ func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
for len(current) > 0 {
var pemBlock *pem.Block
if pemBlock, current = pem.Decode(current); pemBlock == nil {
return nil, ErrSSLUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile)
return nil, ErrTLSUnexpectedData(nil).Msg("Could not read PEM block from file %s", certFile)
}
var x509Cert *x509.Certificate
if x509Cert, err = x509.ParseCertificate(pemBlock.Bytes); err != nil {
return nil, ErrSSLUnexpectedData(nil).Msg("Failed to parse `%s`: %s", certFile, err.Error())
return nil, ErrTLSUnexpectedData(nil).Msg("Failed to parse `%s`: %s", certFile, err.Error())
}
x509Certs = append(x509Certs, x509Cert)
}
if len(x509Certs) == 0 {
return nil, ErrSSLUnexpectedData(nil).Msg("Empty public certificate file %s", certFile)
return nil, ErrTLSUnexpectedData(nil).Msg("Empty public certificate file %s", certFile)
}
return x509Certs, nil
@ -73,33 +73,33 @@ func ParsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
certPEMBlock, err := os.ReadFile(certFile)
if err != nil {
return tls.Certificate{}, ErrSSLUnexpectedError(err)
return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the public key: %s", err)
}
keyPEMBlock, err := os.ReadFile(keyFile)
if err != nil {
return tls.Certificate{}, ErrSSLUnexpectedError(err)
return tls.Certificate{}, ErrTLSReadError(nil).Msg("Unable to read the private key: %s", err)
}
key, rest := pem.Decode(keyPEMBlock)
if len(rest) > 0 {
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key contains additional data")
return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg("The private key contains additional data")
}
if key == nil {
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key is not readable")
return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg("The private key is not readable")
}
if x509.IsEncryptedPEMBlock(key) {
password := env.Get(EnvCertPassword, "")
if len(password) == 0 {
return tls.Certificate{}, ErrSSLNoPassword(nil)
return tls.Certificate{}, ErrTLSNoPassword(nil)
}
decryptedKey, decErr := x509.DecryptPEMBlock(key, []byte(password))
if decErr != nil {
return tls.Certificate{}, ErrSSLWrongPassword(decErr)
return tls.Certificate{}, ErrTLSWrongPassword(decErr)
}
keyPEMBlock = pem.EncodeToMemory(&pem.Block{Type: key.Type, Bytes: decryptedKey})
}
cert, err := tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg(err.Error())
return tls.Certificate{}, ErrTLSUnexpectedData(nil).Msg(err.Error())
}
return cert, nil
}
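Review bot: The new read-failure returns, `ErrTLSReadError(nil).Msg("Unable to read the public key: %s", err)` and the matching private-key line, drop the underlying error from the returned value (the replaced code passed `err` into the constructor) and do not name the file, unlike the messages in ParsePublicCertFile that include certFile. If the error type built by newErrFn keeps its cause for logging or `errors.Is` checks — its definition is not visible here — passing `err` instead of `nil` preserves that, and naming the path matters because os.ReadFile fails the same way for a missing file as for one the process may not read, so the new permissions hint will mislead in the not-found case; suggested: `return tls.Certificate{}, ErrTLSReadError(err).Msg("Unable to read the public certificate %s: %v", certFile, err)` with the analogous line for keyFile. Unrelated to this change, the encrypted-key branch still relies on x509.IsEncryptedPEMBlock and x509.DecryptPEMBlock, which have been deprecated since Go 1.16 because the legacy PEM encryption they implement is not considered secure; a TODO on that branch would be reasonable.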


@ -225,19 +225,19 @@ Examples:
`Use 'sudo setcap cap_net_bind_service=+ep /path/to/minio' to provide sufficient permissions`,
)
ErrSSLUnexpectedError = newErrFn(
"Invalid TLS certificate",
"Please check the content of your certificate data",
`Only PEM (x.509) format is accepted as valid public & private certificates`,
ErrTLSReadError = newErrFn(
"Cannot read the TLS certificate",
"Please check if the certificate has the proper owner and read permissions",
"",
)
ErrSSLUnexpectedData = newErrFn(
ErrTLSUnexpectedData = newErrFn(
"Invalid TLS certificate",
"Please check your certificate",
"",
)
ErrSSLNoPassword = newErrFn(
ErrTLSNoPassword = newErrFn(
"Missing TLS password",
"Please set the password to environment variable `MINIO_CERT_PASSWD` so that the private key can be decrypted",
"",
@ -255,7 +255,7 @@ Examples:
"",
)
ErrSSLWrongPassword = newErrFn(
ErrTLSWrongPassword = newErrFn(
"Unable to decrypt the private key using the provided password",
"Please set the correct password in environment variable `MINIO_CERT_PASSWD`",
"",