Move cert handling into library and add option passphrase. Adjust uploader and checker.

cmd/csaf_checker/config.go

@@ -14,6 +14,7 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/csaf-poc/csaf_distribution/v2/internal/certs"
 	"github.com/csaf-poc/csaf_distribution/v2/internal/filter"
 	"github.com/csaf-poc/csaf_distribution/v2/internal/models"
 	"github.com/csaf-poc/csaf_distribution/v2/internal/options"
@@ -33,6 +34,7 @@ type config struct {
 	Insecure         bool              `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"`
 	ClientCert       *string           `long:"client-cert" description:"TLS client certificate file (PEM encoded data)" value-name:"CERT-FILE" toml:"client_cert"`
 	ClientKey        *string           `long:"client-key" description:"TLS client private key file (PEM encoded data)" value-name:"KEY-FILE" toml:"client_key"`
+	ClientPassphrase *string           `long:"client-passphrase" description:"Optional passphrase for the client certificate" value-name:"PASSPHRASE" toml:"client_passphrase"`
 	Version          bool              `long:"version" description:"Display version of the binary" toml:"-"`
 	Verbose          bool              `long:"verbose" short:"v" description:"Verbose output" toml:"verbose"`
 	Rate             *float64          `long:"rate" short:"r" description:"The average upper limit of https operations per second (defaults to unlimited)" toml:"rate"`
@@ -139,19 +141,12 @@ func (cfg *config) compileIgnorePatterns() error {
 
 // prepareCertificates loads the client side certificates used by the HTTP client.
 func (cfg *config) prepareCertificates() error {
-
+	cert, err := certs.LoadCertificate(
-	switch hasCert, hasKey := cfg.ClientCert != nil, cfg.ClientKey != nil; {
+		cfg.ClientCert, cfg.ClientKey, cfg.ClientPassphrase)
-
-	case hasCert && !hasKey || !hasCert && hasKey:
-		return errors.New("both client-key and client-cert options must be set for the authentication")
-
-	case hasCert:
-		cert, err := tls.LoadX509KeyPair(*cfg.ClientCert, *cfg.ClientKey)
 	if err != nil {
 		return err
 	}
-		cfg.clientCerts = []tls.Certificate{cert}
+	cfg.clientCerts = cert
-	}
 	return nil
 }
 

cmd/csaf_uploader/main.go

@@ -28,6 +28,7 @@ import (
 	"github.com/ProtonMail/gopenpgp/v2/constants"
 	"github.com/ProtonMail/gopenpgp/v2/crypto"
 	"github.com/csaf-poc/csaf_distribution/v2/csaf"
+	"github.com/csaf-poc/csaf_distribution/v2/internal/certs"
 	"github.com/csaf-poc/csaf_distribution/v2/util"
 	"github.com/jessevdk/go-flags"
 	"github.com/mitchellh/go-homedir"
@@ -48,6 +49,7 @@ type options struct {
 	Passphrase       *string `short:"P" long:"passphrase" description:"Passphrase to unlock the OpenPGP key" value-name:"PASSPHRASE"`
 	ClientCert       *string `long:"client-cert" description:"TLS client certificate file (PEM encoded data)" value-name:"CERT-FILE.crt"`
 	ClientKey        *string `long:"client-key" description:"TLS client private key file (PEM encoded data)" value-name:"KEY-FILE.pem"`
+	ClientPassphrase *string `long:"client-passphrase" description:"Optional passphrase for the client certificate" value-name:"PASSPHRASE"`
 
 	PasswordInteractive   bool `short:"i" long:"password-interactive" description:"Enter password interactively" no-ini:"true"`
 	PassphraseInteractive bool `short:"I" long:"passphrase-interactive" description:"Enter OpenPGP key passphrase interactively" no-ini:"true"`
@@ -75,18 +77,12 @@ var iniPaths = []string{
 
 func (o *options) prepare() error {
 	// Load client certs.
-	switch hasCert, hasKey := o.ClientCert != nil, o.ClientKey != nil; {
+	cert, err := certs.LoadCertificate(
-
+		o.ClientCert, o.ClientKey, o.ClientPassphrase)
-	case hasCert && !hasKey || !hasCert && hasKey:
-		return errors.New("both client-key and client-cert options must be set for the authentication")
-
-	case hasCert:
-		cert, err := tls.LoadX509KeyPair(*o.ClientCert, *o.ClientKey)
 	if err != nil {
 		return err
 	}
-		o.clientCerts = []tls.Certificate{cert}
+	o.clientCerts = cert
-	}
 	return nil
 }
 

docs/csaf_checker.md

@@ -12,6 +12,7 @@ Application Options:
       --insecure                        Do not check TLS certificates from provider
       --client-cert=CERT-FILE           TLS client certificate file (PEM encoded data)
       --client-key=KEY-FILE             TLS client private key file (PEM encoded data)
+      --client-passphrase=PASSPHRASE    Optional passphrase for the client certificate
       --version                         Display version of the binary
   -v, --verbose                         Verbose output
   -r, --rate=                           The average upper limit of https operations per second (defaults to unlimited)
@@ -47,6 +48,7 @@ format           = "json"
 insecure            = false 
 # client_cert       # not set by default
 # client_key        # not set by default
+# client_passphrase # not set by default
 verbose             = false
 # rate              # not set by default
 # years	            # not set by default

docs/csaf_uploader.md

@@ -7,19 +7,18 @@
 
 Application Options:
   -a, --action=[upload|create]              Action to perform (default: upload)
-  -u, --url=URL                             URL of the CSAF provider (default:
+  -u, --url=URL                             URL of the CSAF provider (default: https://localhost/cgi-bin/csaf_provider.go)
-                                            https://localhost/cgi-bin/csaf_provider.go)
   -t, --tlp=[csaf|white|green|amber|red]    TLP of the feed (default: csaf)
-  -x, --external-signed                     CSAF files are signed externally. Assumes .asc files
+  -x, --external-signed                     CSAF files are signed externally. Assumes .asc files beside CSAF files.
-                                            beside CSAF files.
   -s, --no-schema-check                     Do not check files against CSAF JSON schema locally.
   -k, --key=KEY-FILE                        OpenPGP key to sign the CSAF files
   -p, --password=PASSWORD                   Authentication password for accessing the CSAF provider
   -P, --passphrase=PASSPHRASE               Passphrase to unlock the OpenPGP key
       --client-cert=CERT-FILE.crt           TLS client certificate file (PEM encoded data)
       --client-key=KEY-FILE.pem             TLS client private key file (PEM encoded data)
+      --client-passphrase=PASSPHRASE        Optional passphrase for the client certificate
   -i, --password-interactive                Enter password interactively
-  -I, --passphrase-interactive               Enter passphrase interactively
+  -I, --passphrase-interactive              Enter OpenPGP key passphrase interactively
       --insecure                            Do not check TLS certificates from provider
   -c, --config=INI-FILE                     Path to config ini file
       --version                             Display version of the binary

internal/certs/certs.go

@@ -0,0 +1,74 @@
+// This file is Free Software under the MIT License
+// without warranty, see README.md and LICENSES/MIT.txt for details.
+//
+// SPDX-License-Identifier: MIT
+//
+// SPDX-FileCopyrightText: 2023 German Federal Office for Information Security (BSI) <https://www.bsi.bund.de>
+// Software-Engineering: 2023 Intevation GmbH <https://intevation.de>
+
+// Package certs implement helpers for the tools to handle client side certifacates.
+package certs
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"os"
+)
+
+// LoadCertificate loads an client certificate from file with an optional passphrase.
+// Returns nil if no certificate was loaded.
+func LoadCertificate(certFile, keyFile, passphrase *string) ([]tls.Certificate, error) {
+
+	switch hasCert, hasKey := certFile != nil, keyFile != nil; {
+
+	case hasCert && !hasKey || !hasCert && hasKey:
+		return nil, errors.New(
+			"both client-key and client-cert options must be set for the authentication")
+
+	case hasCert:
+		// No passphrase
+		if passphrase == nil {
+			cert, err := tls.LoadX509KeyPair(*certFile, *keyFile)
+			if err != nil {
+				return nil, err
+			}
+			return []tls.Certificate{cert}, nil
+		}
+
+		// With passphrase
+		keyFile, err := os.ReadFile(*keyFile)
+		if err != nil {
+			return nil, err
+		}
+		keyBlock, _ := pem.Decode(keyFile)
+
+		//lint:ignore SA1019 This is insecure by design.
+		keyDER, err := x509.DecryptPEMBlock(keyBlock, []byte(*passphrase))
+		if err != nil {
+			return nil, err
+		}
+		// Update keyBlock with the plaintext bytes and clear the now obsolete
+		// headers.
+		keyBlock.Bytes = keyDER
+		keyBlock.Headers = nil
+
+		// Turn the key back into PEM format so we can leverage tls.X509KeyPair,
+		// which will deal with the intricacies of error handling, different key
+		// types, certificate chains, etc
+		keyPEM := pem.EncodeToMemory(keyBlock)
+
+		certPEMBlock, err := os.ReadFile(*certFile)
+		if err != nil {
+			return nil, err
+		}
+		cert, err := tls.X509KeyPair(certPEMBlock, keyPEM)
+		if err != nil {
+			return nil, err
+		}
+		return []tls.Certificate{cert}, nil
+	}
+
+	return nil, nil
+}