Decrypt RSA private key

Author: everesio

config/config.go

@@ -5,9 +5,10 @@ import (
 )
 
 type TLSServerConfig struct {
-	Enable  bool           `help:"Enable server-side TLS."`
-	Refresh time.Duration  `default:"0s" help:"Interval for refreshing server TLS certificates."`
-	File    TLSServerFiles `embed:"" prefix:"file."`
+	Enable      bool           `help:"Enable server-side TLS."`
+	Refresh     time.Duration  `default:"0s" help:"Interval for refreshing server TLS certificates."`
+	File        TLSServerFiles `embed:"" prefix:"file."`
+	KeyPassword string         `help:"Optional password to decrypt RSA private key."`
 }
 
 type TLSServerFiles struct {
@@ -22,6 +23,7 @@ type TLSClientConfig struct {
 	Refresh            time.Duration  `default:"0s" help:"Interval for refreshing client TLS certificates."`
 	InsecureSkipVerify bool           `help:"Skip TLS verification on client side."`
 	File               TLSClientFiles `embed:"" prefix:"file."`
+	KeyPassword        string         `help:"Optional password to decrypt RSA private key."`
 }
 
 type TLSClientFiles struct {

go.mod

@@ -2,10 +2,14 @@ module github.com/grepplabs/cert-source
 
 go 1.21
 
-require github.com/stretchr/testify v1.10.0
+require (
+	github.com/stretchr/testify v1.10.0
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78
+)
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -4,6 +4,10 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

internal/testutil/certs.go

@@ -1,6 +1,7 @@
 package testutil
 
 import (
+	"bytes"
 	"crypto"
 	"crypto/rand"
 	"crypto/rsa"
@@ -9,6 +10,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
+	"io"
 	"math/big"
 	mathrand "math/rand"
 	"net"
@@ -18,8 +20,11 @@ import (
 	"time"
 
 	tlsclient "github.com/grepplabs/cert-source/tls/client"
+	"github.com/grepplabs/cert-source/tls/keyutil"
 )
 
+const DefaultKeyPassword = "test123"
+
 func GenerateCRL(caX509Cert *x509.Certificate, caPrivateKey crypto.PrivateKey, certs []*x509.Certificate, crlFile *os.File) error {
 	revoked := make([]x509.RevocationListEntry, 0)
 	for _, cert := range certs {
@@ -193,25 +198,31 @@ type CertsBundle struct {
 	CATLSCert  *tls.Certificate
 	CAX509Cert *x509.Certificate
 
-	ServerCert     *os.File
-	ServerKey      *os.File
-	ServerTLSCert  *tls.Certificate
-	ServerX509Cert *x509.Certificate
+	ServerCert         *os.File
+	ServerKey          *os.File
+	ServerKeyPassword  string
+	ServerKeyEncrypted *os.File
+	ServerTLSCert      *tls.Certificate
+	ServerX509Cert     *x509.Certificate
 
-	ClientCert     *os.File
-	ClientKey      *os.File
-	ClientCRL      *os.File
-	ClientTLSCert  *tls.Certificate
-	ClientX509Cert *x509.Certificate
+	ClientCert         *os.File
+	ClientKey          *os.File
+	ClientKeyPassword  string
+	ClientKeyEncrypted *os.File
+	ClientCRL          *os.File
+	ClientTLSCert      *tls.Certificate
+	ClientX509Cert     *x509.Certificate
 }
 
 func (bundle *CertsBundle) Close() {
 	_ = os.Remove(bundle.CACert.Name())
 	_ = os.Remove(bundle.CAKey.Name())
 	_ = os.Remove(bundle.ServerCert.Name())
 	_ = os.Remove(bundle.ServerKey.Name())
+	_ = os.Remove(bundle.ServerKeyEncrypted.Name())
 	_ = os.Remove(bundle.ClientCert.Name())
 	_ = os.Remove(bundle.ClientKey.Name())
+	_ = os.Remove(bundle.ClientKeyEncrypted.Name())
 	_ = os.Remove(bundle.dirName)
 }
 
@@ -257,6 +268,12 @@ func NewCertsBundle() *CertsBundle {
 	}
 	defer closeFile(bundle.ServerKey)
 
+	bundle.ServerKeyEncrypted, err = os.CreateTemp(dirName, "server-key-encrypted-")
+	if err != nil {
+		panic(err)
+	}
+	defer closeFile(bundle.ServerKeyEncrypted)
+
 	bundle.ClientCert, err = os.CreateTemp(dirName, "client-cert-")
 	if err != nil {
 		panic(err)
@@ -269,6 +286,12 @@ func NewCertsBundle() *CertsBundle {
 	}
 	defer closeFile(bundle.ClientKey)
 
+	bundle.ClientKeyEncrypted, err = os.CreateTemp("", "client-key-encrypted-")
+	if err != nil {
+		panic(err)
+	}
+	defer closeFile(bundle.ClientKeyEncrypted)
+
 	bundle.ClientCRL, err = os.CreateTemp("", "client-crl-")
 	if err != nil {
 		panic(err)
@@ -284,10 +307,22 @@ func NewCertsBundle() *CertsBundle {
 	if err != nil {
 		panic(err)
 	}
+	serverKeyPassword := bundle.ServerKeyPassword
+	if serverKeyPassword == "" {
+		serverKeyPassword = DefaultKeyPassword
+	}
+	writeEncryptedPrivate(bundle.ServerKey.Name(), bundle.ServerKeyEncrypted, serverKeyPassword)
+
 	bundle.ClientTLSCert, bundle.ClientX509Cert, err = GenerateCert(bundle.CATLSCert, true, bundle.ClientCert, bundle.ClientKey)
 	if err != nil {
 		panic(err)
 	}
+	clientKeyPassword := bundle.ClientKeyPassword
+	if clientKeyPassword == "" {
+		clientKeyPassword = DefaultKeyPassword
+	}
+	writeEncryptedPrivate(bundle.ClientKey.Name(), bundle.ClientKeyEncrypted, clientKeyPassword)
+
 	// generate CRLs
 	err = GenerateCRL(bundle.CAX509Cert, bundle.CATLSCert.PrivateKey, []*x509.Certificate{}, bundle.CAEmptyCRL)
 	if err != nil {
@@ -300,6 +335,22 @@ func NewCertsBundle() *CertsBundle {
 	return bundle
 }
 
+func writeEncryptedPrivate(keyFilename string, encryptedFile *os.File, password string) {
+	keyData, err := os.ReadFile(keyFilename)
+	if err != nil {
+		panic(err)
+	}
+	encryptedKey, err := keyutil.EncryptPKCS8PrivateKeyPEM(keyData, password)
+	if err != nil {
+		panic(err)
+	}
+
+	_, err = io.Copy(encryptedFile, bytes.NewReader(encryptedKey))
+	if err != nil {
+		panic(err)
+	}
+}
+
 func closeFile(file *os.File) {
 	err := file.Close()
 	if err != nil {

tls/client/config/config.go

@@ -19,6 +19,7 @@ func GetTLSClientConfigFunc(logger *slog.Logger, conf *config.TLSClientConfig, o
 		filesource.WithInsecureSkipVerify(conf.InsecureSkipVerify),
 		filesource.WithClientCert(conf.File.Cert, conf.File.Key),
 		filesource.WithClientRootCAs(conf.File.RootCAs),
+		filesource.WithKeyPassword(conf.KeyPassword),
 	)
 	if err != nil {
 		return nil, fmt.Errorf("setup client cert file source: %w", err)

tls/client/filesource/filesource.go

@@ -8,13 +8,15 @@ import (
 	"time"
 
 	tlscert "github.com/grepplabs/cert-source/tls/client/source"
+	"github.com/grepplabs/cert-source/tls/keyutil"
 	"github.com/grepplabs/cert-source/tls/watcher"
 )
 
 type fileSource struct {
 	insecureSkipVerify bool
 	certFile           string
 	keyFile            string
+	keyPassword        string
 	rootCAsFile        string
 	refresh            time.Duration
 	logger             *slog.Logger
@@ -105,6 +107,9 @@ func (s *fileSource) Load() (pemBlocks *tlscert.ClientPEMs, err error) {
 		if pemBlocks.KeyPEMBlock, err = s.readFile(s.keyFile); err != nil {
 			return nil, err
 		}
+		if pemBlocks.KeyPEMBlock, err = keyutil.DecryptPrivateKeyPEM(pemBlocks.KeyPEMBlock, s.keyPassword); err != nil {
+			return nil, err
+		}
 	}
 	if pemBlocks.RootCAsPEMBlock, err = s.readFile(s.rootCAsFile); err != nil {
 		return nil, err

tls/client/filesource/option.go

@@ -20,6 +20,12 @@ func WithClientCert(certFile, keyFile string) Option {
 	}
 }
 
+func WithKeyPassword(keyPassword string) Option {
+	return func(c *fileSource) {
+		c.keyPassword = keyPassword
+	}
+}
+
 func WithClientRootCAs(rootCAsFile string) Option {
 	return func(c *fileSource) {
 		c.rootCAsFile = rootCAsFile

tls/keyutil/crypto.go

@@ -0,0 +1,91 @@
+package keyutil
+
+import (
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"strings"
+
+	"github.com/youmark/pkcs8"
+)
+
+func DecryptPrivateKeyPEM(pemData []byte, password string) ([]byte, error) {
+	keyBlock, _ := pem.Decode(pemData)
+	if keyBlock == nil {
+		return nil, errors.New("failed to parse PEM")
+	}
+	//nolint:staticcheck  // Ignore SA1019: Support legacy encrypted PEM blocks
+	if x509.IsEncryptedPEMBlock(keyBlock) {
+		if password == "" {
+			return nil, errors.New("PEM is encrypted, but password is empty")
+		}
+		key, err := x509.DecryptPEMBlock(keyBlock, []byte(password))
+		if err != nil {
+			return nil, err
+		}
+		block := &pem.Block{
+			Type:  "RSA PRIVATE KEY",
+			Bytes: key,
+		}
+		return pem.EncodeToMemory(block), nil
+	} else if strings.Contains(string(pemData), "ENCRYPTED PRIVATE KEY") {
+		if password == "" {
+			return nil, errors.New("PEM is encrypted, but password is empty")
+		}
+		key, err := pkcs8.ParsePKCS8PrivateKey(keyBlock.Bytes, []byte(password))
+		if err != nil {
+			return nil, err
+		}
+		return MarshalPrivateKeyToPEM(key)
+	}
+	return pemData, nil
+}
+
+func EncryptPKCS8PrivateKeyPEM(pemData []byte, password string) ([]byte, error) {
+	if password == "" {
+		return nil, errors.New("password cannot be empty")
+	}
+	keyBlock, _ := pem.Decode(pemData)
+	if keyBlock == nil {
+		return nil, errors.New("failed to parse PEM")
+	}
+
+	var (
+		key any
+		err error
+	)
+	switch keyBlock.Type {
+	case "PRIVATE KEY":
+		key, err = x509.ParsePKCS8PrivateKey(keyBlock.Bytes)
+		if err != nil {
+			return nil, err
+		}
+	case "RSA PRIVATE KEY":
+		rsaKey, err := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
+		if err != nil {
+			return nil, err
+		}
+		key, err = x509.MarshalPKCS8PrivateKey(rsaKey)
+		if err != nil {
+			return nil, err
+		}
+		// Parse back to interface{} to match the signature for pkcs8.MarshalPrivateKey
+		key, err = x509.ParsePKCS8PrivateKey(key.([]byte))
+		if err != nil {
+			return nil, err
+		}
+	default:
+		return nil, errors.New("unsupported key type: " + keyBlock.Type)
+	}
+
+	encryptedBytes, err := pkcs8.MarshalPrivateKey(key, []byte(password), pkcs8.DefaultOpts)
+	if err != nil {
+		return nil, err
+	}
+	encryptedBlock := &pem.Block{
+		Type:  "ENCRYPTED PRIVATE KEY",
+		Bytes: encryptedBytes,
+	}
+
+	return pem.EncodeToMemory(encryptedBlock), nil
+}