add support for x509-encrypted PEM secrets

Benton Roberts · Benton Roberts · commit 782447c4bfd9 · 2016-07-04T22:03:24.000-07:00
diff --git a/.goxc.json b/.goxc.json
@@ -11,6 +11,6 @@
   ],
   "Arch": "amd64",
   "BuildConstraints": "linux",
-  "PackageVersion": "0.5.1",
+  "PackageVersion": "0.5.2",
   "ConfigVersion": "0.9"
-}
+}
diff --git a/README.md b/README.md
@@ -58,6 +58,8 @@ Here's the command-line help:
           path to key file (default "~/.ssh/id_rsa")
       -port int
           server receiving port (default 1067)
+      -pwd string
+          password for encrypted RSA key
       -server
           run key server instead of command
       -version
diff --git a/config.go b/config.go
@@ -8,10 +8,12 @@ import (
 )
 
 const DEFAULT_KEYPATH = `~/.ssh/id_rsa`
+const DEFAULT_PWD = `$RSA_KEY_PWD`
 
 // Represents this app's possible configuration values
 type Config struct {
 	KeyPath string
+	Pwd     string
 	Server  bool
 	Port    int
 	Wait    int
@@ -25,6 +27,7 @@ func newConfig() Config {
 		server  = flag.Bool("server", false, "run key server instead of command")
 		port    = flag.Int("port", SERVER_RECV_PORT, "server receiving port")
 		wait    = flag.Int("wait", CLIENT_TIMEOUT, "client timeout, in seconds")
+		pwd     = flag.String("pwd", DEFAULT_PWD, "password for encrypted RSA key")
 	)
 	flag.Parse()
 	if *print_v {
@@ -45,9 +48,14 @@ func newConfig() Config {
 		}
 		keyPath = filepath.Join(home, `.ssh`, `id_rsa`)
 	}
+	rsaPasswd := *pwd
+	if *pwd == DEFAULT_PWD {
+		rsaPasswd = os.Getenv(`RSA_KEY_PWD`)
+	}
 	return Config{
 		Server:  *server,
 		KeyPath: keyPath,
+		Pwd:     rsaPasswd,
 		Port:    *port,
 		Wait:    *wait,
 	}
diff --git a/main.go b/main.go
@@ -15,8 +15,8 @@ const (
 )
 
 // Package version & timestamp - interpolated by goxc
-const VERSION = "0.5.1"
-const SOURCE_DATE = "2015-10-27T10:48:34-04:00"
+const VERSION = "0.5.2"
+const SOURCE_DATE = "2016-07-04T21:46:43-07:00"
 
 func main() {
 	config := newConfig()
diff --git a/make.sh b/make.sh
@@ -2,15 +2,15 @@
 # runs goxc in each product directory
 set -e
 
+goxc
 echo "Building static linux binary for docker-ssh-exec..."
 mkdir -p pkg
 buildcmd='CGO_ENABLED=0 go build -a --installsuffix cgo --ldflags="-s" -o pkg/docker-ssh-exec'
 docker run --rm -it -v "$GOPATH":/gopath -v "$(pwd)":/app -e "GOPATH=/gopath" \
-  -w /app golang:1.5 sh -c "$buildcmd"
+  -w /app golang:1.6 sh -c "$buildcmd"
 
 echo "Building docker image for docker-ssh-exec..."
 docker build --no-cache=true --tag mdsol/docker-ssh-exec .
 rm -f pkg/docker-ssh-exec
 
-echo "Done. To make a release, run: goxc"
 exit 0
diff --git a/server.go b/server.go
@@ -1,10 +1,13 @@
 package main
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"os"
+	"regexp"
 )
 
 func server(config Config) {
@@ -33,19 +36,33 @@ func server(config Config) {
 				IP:   clientAddr.IP,
 				Port: clientAddr.Port + 1,
 			})
-
-			response := os.Getenv(KEY_DATA_ENV_VAR)
-			if response == `` {
-				keyData, err := ioutil.ReadFile(config.KeyPath)
-				if err == nil {
-					response = string(keyData)
-				} else {
-					response = fmt.Sprintf("ERROR reading keyfile %s: %s!",
-						config.KeyPath, err)
-					fmt.Println(response)
+			var keyData []byte
+			keyData = []byte(os.Getenv(KEY_DATA_ENV_VAR))
+			if len(keyData) == 0 {
+				keyData, err = ioutil.ReadFile(config.KeyPath)
+				if err != nil {
+					fmt.Printf("ERROR reading keyfile %s: %s!\n", config.KeyPath, err)
+				}
+			}
+			pemBlock, _ := pem.Decode(keyData)
+			if pemBlock != nil {
+				if x509.IsEncryptedPEMBlock(pemBlock) {
+					fmt.Println("Decrypting private key with passphrase...")
+					decoded, err := x509.DecryptPEMBlock(pemBlock, []byte(config.Pwd))
+					if err == nil {
+						header := `PRIVATE KEY` // default key type in header
+						matcher := regexp.MustCompile("-----BEGIN (.*)-----")
+						if matches := matcher.FindSubmatch(keyData); len(matches) > 1 {
+							header = string(matches[1])
+						}
+						keyData = pem.EncodeToMemory(
+							&pem.Block{Type: header, Bytes: decoded})
+					} else {
+						fmt.Printf("Error decrypting PEM-encoded secret: %s\n", err)
+					}
 				}
 			}
-			_, err = writeSocket.Write([]byte(response))
+			_, err = writeSocket.Write(keyData)
 			if err != nil {
 				fmt.Printf("ERROR writing data to socket:%s!\n", err)
 			}

Original file line number	Diff line number	Diff line change
`@@ -15,8 +15,8 @@ const (`
`15`	`15`	`)`
`16`	`16`
`17`	`17`	`// Package version & timestamp - interpolated by goxc`
`18`		`-const VERSION = "0.5.1"`
`19`		`-const SOURCE_DATE = "2015-10-27T10:48:34-04:00"`
	`18`	`+const VERSION = "0.5.2"`
	`19`	`+const SOURCE_DATE = "2016-07-04T21:46:43-07:00"`
`20`	`20`
`21`	`21`	`func main() {`
`22`	`22`	`config := newConfig()`