From c39eb3bacdeb5c8e349fc45b772ed96fb1892e80 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Sun, 30 Jan 2022 12:55:21 -0800
Subject: [PATCH] fix: possible crash if private.key is empty (#14208)

Before
```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x9f54f7]
goroutine 1 [running]:
crypto/x509.IsEncryptedPEMBlock(...)
crypto/x509/pem_decrypt.go:105
github.com/minio/minio/internal/config.LoadX509KeyPair({0xc00061e270, 0x0}, {0xc00061e2d0, 0x25})
github.com/minio/minio/internal/config/certs.go:88 +0xf7
github.com/minio/pkg/certs.(*Manager).AddCertificate(0xc000576150, {0xc00061e270, 0x25}, {0xc00061e2d0, 0x25})
github.com/minio/pkg@v1.1.15/certs/certs.go:132 +0x368
github.com/minio/pkg/certs.NewManager({0x51f5910, 0xc00053e140}, {0xc00061e270, 0xc000580400}, {0xc00061e2d0, 0x25}, 0x4dc5880)
github.com/minio/pkg@v1.1.15/certs/certs.go:97 +0x170
github.com/minio/minio/cmd.getTLSConfig()
```
After
```
ERROR Unable to load the TLS configuration: The private key is not readable > Please check your certificate
```
---
 internal/config/certs.go | 3 +++
 internal/config/certs_test.go | 26 ++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/internal/config/certs.go b/internal/config/certs.go
index b80946c3c..713b19111 100644
--- a/internal/config/certs.go
+++ b/internal/config/certs.go
@@ -85,6 +85,9 @@ func LoadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
 if len(rest) > 0 {
 return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key contains additional data")
 }
+ if key == nil {
+ return tls.Certificate{}, ErrSSLUnexpectedData(nil).Msg("The private key is not readable")
+ }
 if x509.IsEncryptedPEMBlock(key) {
 password := env.Get(EnvCertPassword, "")
 if len(password) == 0 {
diff --git a/internal/config/certs_test.go b/internal/config/certs_test.go
index 036adfd81..43f08100b 100644
--- a/internal/config/certs_test.go
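Review bot: In the certs.go hunk the new `if key == nil {` guard sits after the `if len(rest) > 0 {` test, so it is reached only when the key file is empty. Presumably `key, rest` come from a `pem.Decode` call above the hunk; if so, a non-empty key file that holds no PEM block yields a nil block with the whole input in `rest`, and the operator is told "The private key contains additional data" rather than "The private key is not readable". Moving the three added lines above `if len(rest) > 0 {` keeps the crash fix and gives both cases the accurate message. The table entry added in certs_test.go covers only `privateKey: ""`; a second entry with non-PEM text as the key would pin that path. LoadX509KeyPair starts and ends outside the hunk.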
+++ b/internal/config/certs_test.go
@@ -213,6 +213,32 @@ var loadX509KeyPairTests = []struct {
 privateKey, certificate string
 shouldFail bool
 }{
+ {
+ password: "",
+ privateKey: "",
+ certificate: `-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIJAK5m5S7EE46kMA0GCSqGSIb3DQEBCwUAMFsxCzAJBgNV
+BAYTAlVTMQ4wDAYDVQQIDAVzdGF0ZTERMA8GA1UEBwwIbG9jYXRpb24xFTATBgNV
+BAoMDG9yZ2FuaXphdGlvbjESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE3MTIxODE4
+MDUyOFoXDTI3MTIxNjE4MDUyOFowWzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBXN0
+YXRlMREwDwYDVQQHDAhsb2NhdGlvbjEVMBMGA1UECgwMb3JnYW5pemF0aW9uMRIw
+EAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQDPJfYY5Dhsntrqwyu7ZgKM/zrlKEjCwGHhWJBdZdeZCHQlY8ISrtDxxp2XMmI6
+HsszalEhNF9fk3vSXWclTuomG03fgGzP4R6QpcwGUCxhRF1J+0b64Yi8pw2uEGsR
+GuMwLhGorcWalNoihgHc0BQ4vO8aaTNTX7iD06olesP6vGNu/S8h0VomE+0v9qYc
+VF66Zaiv/6OmxAtDpElJjVd0mY7G85BlDlFrVwzd7zhRiuJZ4iDg749Xt9GuuKla
+Dvr14glHhP4dQgUbhluJmIHMdx2ZPjk+5FxaDK6I9IUpxczFDe4agDE6lKzU1eLd
+cCXRWFOf6q9lTB1hUZfmWfTxAgMBAAGjUDBOMB0GA1UdDgQWBBTQh7lDTq+8salD
+0HBNILochiiNaDAfBgNVHSMEGDAWgBTQh7lDTq+8salD0HBNILochiiNaDAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAqi9LycxcXKNSDXaPkCKvw7RQy
+iMBDGm1kIY++p3tzbUGuaeu85TsswKnqd50AullEU+aQxRRJGfR8eSKzQJMBXLMQ
+b4ptYCc5OrZtRHT8NaZ/df2tc6I88kN8dBu6ybcNGsevXA/iNX3kKLW7naxdr5jj
+KUudWSuqDCjCmQa5bYb9H6DreLH2lUItSWBa/YmeZ3VSezDCd+XYO53QKwZVj8Jb
+bulZmoo7e7HO1qecEzWKL10UYyEbG3UDPtw+NZc142ZYeEhXQ0dsstGAO5hf3hEl
+kQyKGUTpDbKLuyYMFsoH73YLjBqNe+UEhPwE+FWpcky1Sp9RTx/oMLpiZaPR
+-----END CERTIFICATE-----`,
+ shouldFail: true,
+ },
 {
 password: "foobar",
 privateKey: `-----BEGIN RSA PRIVATE KEY-----