api: support SSL private key file decryption

Support `ssl_password` and `ssl_password_file` options in SslOpts.
Tarantool EE supports SSL passwords and password files since 2.11.0 [1].

Same as in Tarantool, we try `SslOpts.Password`, then each line in
`SslOpts.PasswordFile`. If all of the above fail, we re-raise errors.

The patch is based on a similar patch from tarantool-python [2].

1. tarantool/tarantool-ee#22
2. tarantool/tarantool-python#274

Author: DifferentialOrange

.gitignore

@@ -4,3 +4,15 @@
 work_dir*
 .rocks
 bench*
+
+testdata/*.crt
+!testdata/ca.crt
+!testdata/invalidhost.crt
+!testdata/localhost.crt
+testdata/*.csr
+testdata/*.ext
+testdata/*.key
+!testdata/localhost.key
+!testdata/localhost.enc.key
+testdata/*.pem
+testdata/*.srl

CHANGELOG.md

@@ -15,6 +15,7 @@ Versioning](http://semver.org/spec/v2.0.0.html) except to the first release.
 - IsNullable flag for Field (#302)
 - More linters on CI (#310)
 - Meaningful description for read/write socket errors (#129)
+- Support password and password file to decrypt private SSL key file (#319)
 
 ### Changed
 

connection.go

@@ -345,6 +345,12 @@ type SslOpts struct {
 	//
 	// * https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
 	Ciphers string
+	// Password is a password for decrypting the private SSL key file.
+	Password string
+	// PasswordFile is a path to the list of passwords for decrypting
+	// the private SSL key file. The connection tries every line from the
+	// file as a password.
+	PasswordFile string
 }
 
 // Clone returns a copy of the Opts object.

ssl.go

@@ -4,9 +4,13 @@
 package tarantool
 
 import (
+	"bufio"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"net"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/tarantool/go-openssl"
@@ -95,16 +99,71 @@ func sslLoadCert(ctx *openssl.Ctx, certFile string) (err error) {
 	return
 }
 
-func sslLoadKey(ctx *openssl.Ctx, keyFile string) (err error) {
+func sslLoadKey(ctx *openssl.Ctx, keyFile string, password string,
+	passwordFile string) error {
 	var keyBytes []byte
+	var err error
+
 	if keyBytes, err = ioutil.ReadFile(keyFile); err != nil {
-		return
+		return err
 	}
 
 	var key openssl.PrivateKey
-	if key, err = openssl.LoadPrivateKeyFromPEM(keyBytes); err != nil {
-		return
+	var errs []error
+
+	// If key is encrypted and password is not provided,
+	// openssl.LoadPrivateKeyFromPEM(keyBytes) asks to enter PEM pass phrase
+	// interactively. On the other hand, empty password
+	// openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, '') works fine for
+	// non-encrypted key. If key is encrypted, we fast fail with password
+	// error instead of requesting the pass phrase.
+	key, err = openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password)
+	if err == nil {
+		return ctx.UsePrivateKey(key)
+	} else {
+		errs = append(errs, err)
+	}
+
+	if passwordFile != "" {
+		var file *os.File
+		file, err = os.Open(passwordFile)
+		if err == nil {
+			defer file.Close()
+
+			scanner := bufio.NewScanner(file)
+			// Tarantool itself tries each password file line.
+			for scanner.Scan() {
+				password = strings.TrimSpace(scanner.Text())
+
+				key, err = openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password)
+				if err == nil {
+					return ctx.UsePrivateKey(key)
+				} else {
+					errs = append(errs, err)
+				}
+			}
+		} else {
+			errs = append(errs, err)
+		}
+	}
+
+	if len(errs) > 1 {
+		// Convenient multiple error wrapping was introduced only in Go 1.20
+		// https://pkg.go.dev/errors#example-Join
+		// https://github.com/golang/go/issues/53435
+		rerr := errors.New("got multiple errors on SSL decryption")
+		var i int
+		for i, err = range errs {
+			if i == 0 {
+				// gofmt forbids error strings to end with punctuation or newlines
+				rerr = fmt.Errorf("%s: %w", rerr, err)
+			} else {
+				rerr = fmt.Errorf("%s, %w", rerr, err)
+			}
+		}
+
+		return rerr
 	}
 
-	return ctx.UsePrivateKey(key)
+	return errs[0]
 }

ssl_test.go

@@ -117,6 +117,16 @@ func serverTnt(serverOpts, clientOpts SslOpts, auth Auth) (test_helpers.Tarantoo
 		listen += fmt.Sprintf("ssl_ciphers=%s&", ciphers)
 	}
 
+	password := serverOpts.Password
+	if password != "" {
+		listen += fmt.Sprintf("ssl_password=%s&", password)
+	}
+
+	passwordFile := serverOpts.PasswordFile
+	if passwordFile != "" {
+		listen += fmt.Sprintf("ssl_password_file=%s&", passwordFile)
+	}
+
 	listen = listen[:len(listen)-1]
 
 	return test_helpers.StartTarantool(test_helpers.StartOpts{
@@ -139,6 +149,21 @@ func serverTntStop(inst test_helpers.TarantoolInstance) {
 	test_helpers.StopTarantoolWithCleanup(inst)
 }
 
+func skipEncrypted(t testing.TB, serverOpts SslOpts) {
+	if serverOpts.Password == "" && serverOpts.PasswordFile == "" {
+		return
+	}
+
+	isLess, err := test_helpers.IsTarantoolVersionLess(2, 11, 0)
+	if err != nil {
+		t.Fatalf("Could not check the Tarantool version")
+	}
+
+	if isLess {
+		t.Skipf("Skipping test for Tarantool without SSL encryption support")
+	}
+}
+
 func assertConnectionSslFail(t testing.TB, serverOpts, clientOpts SslOpts) {
 	t.Helper()
 
@@ -431,6 +456,142 @@ var tests = []test{
 			Ciphers:  "TLS_AES_128_GCM_SHA256",
 		},
 	},
+	{
+		"pass_no_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			Password: "mysslpassword",
+		},
+	},
+	{
+		"pass_file_no_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+			Password: "mysslpassword",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			Password: "mysslpassword",
+		},
+	},
+	{
+		"pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_and_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "mysslpassword",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"inv_pass_and_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "invalidpassword",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_and_inv_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "mysslpassword",
+			PasswordFile: "testdata/invalidpasswords",
+		},
+	},
+	{
+		"pass_and_inv_pass_file_key_encrypt",
+		false,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "invalidpassword",
+			PasswordFile: "testdata/invalidpasswords",
+		},
+	},
+	{
+		"no_pass_key_encrypt",
+		false,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+		},
+	},
 }
 
 func isTestTntSsl() bool {

testdata/ca.crt

@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDLzCCAhegAwIBAgIUMMZTmNkhr4qOfSwInVk2dAJvoBEwDQYJKoZIhvcNAQEL
+MIIDLzCCAhegAwIBAgIUaw6WTgYBXFRqlGbKRYczFApoNU4wDQYJKoZIhvcNAQEL
 BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
-MjA1MjYwNjE3NDBaFw00NDEwMjkwNjE3NDBaMCcxCzAJBgNVBAYTAlVTMRgwFgYD
+MzA3MjYwODM3MTZaFw00NTEyMjkwODM3MTZaMCcxCzAJBgNVBAYTAlVTMRgwFgYD
 VQQDDA9FeGFtcGxlLVJvb3QtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQCRq/eaA3I6CB8t770H2XDdzcp1yuC/+TZOxV5o0LuRkogTvL2kYULBrfx1
-rVZu8zQJTx1fmSRj1cN8j+IrmXN5goZ3mYFTnnIOgkyi+hJysVlo5s0Kp0qtLLGM
-OuaVbxw2oAy75if5X3pFpiDaMvFBtJKsh8+SkncBIC5bbKC5AoLdFANLmPiH0CGr
-Mv3rL3ycnbciI6J4uKHcWnYGGiMjBomaZ7jd/cOjcjmGfpI5d0nq13G11omkyEyR
-wNX0eJRL02W+93Xu7tD+FEFMxFvak+70GvX+XWomwYw/Pjlio8KbTAlJxhfK2Lh6
-H798k17VfxIrOk0KjzZS7+a20hZ/AgMBAAGjUzBRMB0GA1UdDgQWBBT2f5o8r75C
-PWST36akpkKRRTbhvjAfBgNVHSMEGDAWgBT2f5o8r75CPWST36akpkKRRTbhvjAP
-BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9pb75p6mnqp2MQHSr
-5SKRf2UV4wQIUtXgF6V9vNfvVzJii+Lzrqir1YMk5QgavCzD96KlJcqJCcH559RY
-5743AxI3tdWfA3wajBctoy35oYnT4M30qbkryYLTUlv7PmeNWvrksTURchyyDt5/
-3T73yj5ZalmzKN6+xLfUDdnudspfWlUMutKU50MU1iuQESf4Fwd53vOg9jMcWJ2E
-vAgfVI0XAvYdU3ybJrUvBq5zokYR2RzGv14uHxwVPnLBjrBEHRnbrXvLZJhuIS2b
-xZ3CqwWi+9bvNqHz09HvhkU2b6fCGweKaAUGSo8OfQ5FRkjTUomMI/ZLs/qtJ6JR
-zzVt
+AoIBAQCunm5E+dyoYw+ECp0vOabsA4L7C+dUQLhfqdOEwFSpSanjBTuUEAPB+fEr
+wqaZXI2EnUSxYEYO03TkZmWoJgRJq+00laWPA4AuKHpg4SS/LUoveQiQdsie+kUj
+YMFu3rtP2CvTMpC4HMRK2CviOnU9iA4hPvRx4o5tESxLW31jNnBDeC/tsEVVR/6i
+lwB9Oh1RbZI/c429N67qq5C2rpU5+o+YszDou36WTxw6XeXdkw7QF4W2BNLysPLJ
+AY+aPrUVxKDOgDNk77h41HDqu+SuDg6mg528yfRqyAd4ooEE8MLcT0xztn1U8HvZ
+SKwWTnS8TSzCmQptRGPlb5oES/NlAgMBAAGjUzBRMB0GA1UdDgQWBBQ/S0H0dFUy
+OuEQ/kgDzGarWm2vlDAfBgNVHSMEGDAWgBQ/S0H0dFUyOuEQ/kgDzGarWm2vlDAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCoP+kH96+b6GWByPTo
+LRK/QJmpPRWiZ5naV6CXJQNYg+nVG9wdiGXxEx4BBZs6yGdeHdiWCWbuRPMyH0Wp
+w2ajMmK7pC8+MGKzMSC/EISPFwKYumwe/6zNnde7eZ19n7EFwrOihgEf+hNfjOCj
+CqDIfMb2ztEHY7mEABMXDviKI80om2P1oIkHj5MD7z8ZetJRf1qCH7ke2cdTJ+Zr
+XNGiJ7sz3xRQO/QRCkbBbr/d4zeX3A5/+MXHLtzbPiWs+/XaDbGJTQIO5hFfwwAC
+v1/VrNmsy+3YYLLTZzmfpa60Sk3NsZbIQdvwLJJj8pOmH/zae7UZlrxlGWjQKvH5
+evsP
 -----END CERTIFICATE-----

testdata/generate.sh

@@ -8,7 +8,7 @@ set -xeuo pipefail
 # $ openssl version
 # OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
 
-cat <<EOF > domains.ext
+cat <<EOF > domains_localhost.ext
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
@@ -18,8 +18,32 @@ DNS.1 = localhost
 IP.1 = 127.0.0.1
 EOF
 
+cat <<EOF > domains_invalidhost.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = invalidhostname
+EOF
+
 openssl req -x509 -nodes -new -sha256 -days 8192 -newkey rsa:2048 -keyout ca.key -out ca.pem -subj "/C=US/CN=Example-Root-CA"
 openssl x509 -outform pem -in ca.pem -out ca.crt
 
 openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost"
-openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains.ext -out localhost.crt
+openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains_localhost.ext -out localhost.crt
+openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains_invalidhost.ext -out invalidhost.crt
+
+password=mysslpassword
+
+# Tarantool tries every line from the password file.
+cat <<EOF > passwords
+unusedpassword
+$password
+EOF
+
+cat <<EOF > invalidpasswords
+unusedpassword1
+EOF
+
+openssl rsa -aes256 -passout "pass:${password}" -in localhost.key -out localhost.enc.key