api: support SSL private key file decryption

Support `ssl_password` and `ssl_password_file` options in SslOpts.
Tarantool EE supports SSL passwords and password files since 2.11.0 [1].

Same as in Tarantool, we try `SslOpts.Password`, then each line in
`SslOpts.PasswordFile`. If all of the above fail, we re-raise errors.

The patch is based on a similar patch from tarantool-python [2].

1. tarantool/tarantool-ee#22
2. tarantool/tarantool-python#274

Author: DifferentialOrange

.gitignore

@@ -4,3 +4,15 @@
 work_dir*
 .rocks
 bench*
+
+testdata/*.crt
+!testdata/ca.crt
+!testdata/invalidhost.crt
+!testdata/localhost.crt
+testdata/*.csr
+testdata/*.ext
+testdata/*.key
+!testdata/localhost.key
+!testdata/localhost.enc.key
+testdata/*.pem
+testdata/*.srl

CHANGELOG.md

@@ -15,6 +15,7 @@ Versioning](http://semver.org/spec/v2.0.0.html) except to the first release.
 - IsNullable flag for Field (#302)
 - More linters on CI (#310)
 - Meaningful description for read/write socket errors (#129)
+- Support password and password file to decrypt private SSL key file (#319)
 
 ### Changed
 

connection.go

@@ -345,6 +345,12 @@ type SslOpts struct {
 	//
 	// * https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
 	Ciphers string
+	// Password is a password for decrypting the private SSL key file.
+	Password string
+	// PasswordFile is a path to the list of passwords for decrypting
+	// the private SSL key file. The connection tries every line from the
+	// file as a password.
+	PasswordFile string
 }
 
 // Clone returns a copy of the Opts object.

ssl.go

@@ -4,9 +4,13 @@
 package tarantool
 
 import (
+	"bufio"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"net"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/tarantool/go-openssl"
@@ -43,7 +47,7 @@ func sslCreateContext(opts SslOpts) (ctx interface{}, err error) {
 	}
 
 	if opts.KeyFile != "" {
-		if err = sslLoadKey(sslCtx, opts.KeyFile); err != nil {
+		if err = sslLoadKey(sslCtx, opts.KeyFile, opts.Password, opts.PasswordFile); err != nil {
 			return
 		}
 	}
@@ -95,16 +99,71 @@ func sslLoadCert(ctx *openssl.Ctx, certFile string) (err error) {
 	return
 }
 
-func sslLoadKey(ctx *openssl.Ctx, keyFile string) (err error) {
+func sslLoadKey(ctx *openssl.Ctx, keyFile string, password string,
+	passwordFile string) error {
 	var keyBytes []byte
+	var err error
+
 	if keyBytes, err = ioutil.ReadFile(keyFile); err != nil {
-		return
+		return err
 	}
 
 	var key openssl.PrivateKey
-	if key, err = openssl.LoadPrivateKeyFromPEM(keyBytes); err != nil {
-		return
+	var errs []error
+
+	// If key is encrypted and password is not provided,
+	// openssl.LoadPrivateKeyFromPEM(keyBytes) asks to enter PEM pass phrase
+	// interactively. On the other hand, empty password
+	// openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, '') works fine for
+	// non-encrypted key. If key is encrypted, we fast fail with password
+	// error instead of requesting the pass phrase.
+	key, err = openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password)
+	if err == nil {
+		return ctx.UsePrivateKey(key)
+	} else {
+		errs = append(errs, err)
+	}
+
+	if passwordFile != "" {
+		var file *os.File
+		file, err = os.Open(passwordFile)
+		if err == nil {
+			defer file.Close()
+
+			scanner := bufio.NewScanner(file)
+			// Tarantool itself tries each password file line.
+			for scanner.Scan() {
+				password = strings.TrimSpace(scanner.Text())
+
+				key, err = openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password)
+				if err == nil {
+					return ctx.UsePrivateKey(key)
+				} else {
+					errs = append(errs, err)
+				}
+			}
+		} else {
+			errs = append(errs, err)
+		}
+	}
+
+	if len(errs) > 1 {
+		// Convenient multiple error wrapping was introduced only in Go 1.20
+		// https://pkg.go.dev/errors#example-Join
+		// https://github.com/golang/go/issues/53435
+		rerr := errors.New("got multiple errors on SSL decryption")
+		var i int
+		for i, err = range errs {
+			if i == 0 {
+				// gofmt forbids error strings to end with punctuation or newlines
+				rerr = fmt.Errorf("%s: %w", rerr, err)
+			} else {
+				rerr = fmt.Errorf("%s, %w", rerr, err)
+			}
+		}
+
+		return rerr
 	}
 
-	return ctx.UsePrivateKey(key)
+	return errs[0]
 }

ssl_test.go

@@ -117,6 +117,16 @@ func serverTnt(serverOpts, clientOpts SslOpts, auth Auth) (test_helpers.Tarantoo
 		listen += fmt.Sprintf("ssl_ciphers=%s&", ciphers)
 	}
 
+	password := serverOpts.Password
+	if password != "" {
+		listen += fmt.Sprintf("ssl_password=%s&", password)
+	}
+
+	passwordFile := serverOpts.PasswordFile
+	if passwordFile != "" {
+		listen += fmt.Sprintf("ssl_password_file=%s&", passwordFile)
+	}
+
 	listen = listen[:len(listen)-1]
 
 	return test_helpers.StartTarantool(test_helpers.StartOpts{
@@ -431,6 +441,142 @@ var tests = []test{
 			Ciphers:  "TLS_AES_128_GCM_SHA256",
 		},
 	},
+	{
+		"pass_no_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			Password: "mysslpassword",
+		},
+	},
+	{
+		"pass_file_no_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+			Password: "mysslpassword",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			Password: "mysslpassword",
+		},
+	},
+	{
+		"pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_and_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "mysslpassword",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"inv_pass_and_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "invalidpassword",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_and_inv_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "mysslpassword",
+			PasswordFile: "testdata/invalidpasswords",
+		},
+	},
+	{
+		"pass_and_inv_pass_file_key_encrypt",
+		false,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "invalidpassword",
+			PasswordFile: "testdata/invalidpasswords",
+		},
+	},
+	{
+		"no_pass_key_encrypt",
+		false,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+		},
+	},
 }
 
 func isTestTntSsl() bool {
@@ -457,10 +603,16 @@ func TestSslOpts(t *testing.T) {
 		}
 		if test.ok {
 			t.Run("ok_tnt_"+test.name, func(t *testing.T) {
+				if test.serverOpts.Password != "" || test.serverOpts.PasswordFile != "" {
+					test_helpers.SkipIfSSLEncryptedUnsupported(t)
+				}
 				assertConnectionTntOk(t, test.serverOpts, test.clientOpts)
 			})
 		} else {
 			t.Run("fail_tnt_"+test.name, func(t *testing.T) {
+				if test.serverOpts.Password != "" || test.serverOpts.PasswordFile != "" {
+					test_helpers.SkipIfSSLEncryptedUnsupported(t)
+				}
 				assertConnectionTntFail(t, test.serverOpts, test.clientOpts)
 			})
 		}

test_helpers/utils.go

@@ -190,6 +190,14 @@ func SkipIfPaginationUnsupported(t *testing.T) {
 	SkipIfFeatureUnsupported(t, "pagination", 2, 11, 0)
 }
 
+// SkipIfSSLEncryptedUnsupported skips test run if Tarantool without
+// SSL encryption support is used.
+func SkipIfSSLEncryptedUnsupported(t *testing.T) {
+	t.Helper()
+
+	SkipIfFeatureUnsupported(t, "SSL encryption", 2, 11, 0)
+}
+
 // CheckEqualBoxErrors checks equivalence of tarantool.BoxError objects.
 //
 // Tarantool errors are not comparable by nature:

testdata/ca.crt

@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDLzCCAhegAwIBAgIUMMZTmNkhr4qOfSwInVk2dAJvoBEwDQYJKoZIhvcNAQEL
+MIIDLzCCAhegAwIBAgIUaw6WTgYBXFRqlGbKRYczFApoNU4wDQYJKoZIhvcNAQEL
 BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
-MjA1MjYwNjE3NDBaFw00NDEwMjkwNjE3NDBaMCcxCzAJBgNVBAYTAlVTMRgwFgYD
+MzA3MjYwODM3MTZaFw00NTEyMjkwODM3MTZaMCcxCzAJBgNVBAYTAlVTMRgwFgYD
 VQQDDA9FeGFtcGxlLVJvb3QtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQCRq/eaA3I6CB8t770H2XDdzcp1yuC/+TZOxV5o0LuRkogTvL2kYULBrfx1
-rVZu8zQJTx1fmSRj1cN8j+IrmXN5goZ3mYFTnnIOgkyi+hJysVlo5s0Kp0qtLLGM
-OuaVbxw2oAy75if5X3pFpiDaMvFBtJKsh8+SkncBIC5bbKC5AoLdFANLmPiH0CGr
-Mv3rL3ycnbciI6J4uKHcWnYGGiMjBomaZ7jd/cOjcjmGfpI5d0nq13G11omkyEyR
-wNX0eJRL02W+93Xu7tD+FEFMxFvak+70GvX+XWomwYw/Pjlio8KbTAlJxhfK2Lh6
-H798k17VfxIrOk0KjzZS7+a20hZ/AgMBAAGjUzBRMB0GA1UdDgQWBBT2f5o8r75C
-PWST36akpkKRRTbhvjAfBgNVHSMEGDAWgBT2f5o8r75CPWST36akpkKRRTbhvjAP
-BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9pb75p6mnqp2MQHSr
-5SKRf2UV4wQIUtXgF6V9vNfvVzJii+Lzrqir1YMk5QgavCzD96KlJcqJCcH559RY
-5743AxI3tdWfA3wajBctoy35oYnT4M30qbkryYLTUlv7PmeNWvrksTURchyyDt5/
-3T73yj5ZalmzKN6+xLfUDdnudspfWlUMutKU50MU1iuQESf4Fwd53vOg9jMcWJ2E
-vAgfVI0XAvYdU3ybJrUvBq5zokYR2RzGv14uHxwVPnLBjrBEHRnbrXvLZJhuIS2b
-xZ3CqwWi+9bvNqHz09HvhkU2b6fCGweKaAUGSo8OfQ5FRkjTUomMI/ZLs/qtJ6JR
-zzVt
+AoIBAQCunm5E+dyoYw+ECp0vOabsA4L7C+dUQLhfqdOEwFSpSanjBTuUEAPB+fEr
+wqaZXI2EnUSxYEYO03TkZmWoJgRJq+00laWPA4AuKHpg4SS/LUoveQiQdsie+kUj
+YMFu3rtP2CvTMpC4HMRK2CviOnU9iA4hPvRx4o5tESxLW31jNnBDeC/tsEVVR/6i
+lwB9Oh1RbZI/c429N67qq5C2rpU5+o+YszDou36WTxw6XeXdkw7QF4W2BNLysPLJ
+AY+aPrUVxKDOgDNk77h41HDqu+SuDg6mg528yfRqyAd4ooEE8MLcT0xztn1U8HvZ
+SKwWTnS8TSzCmQptRGPlb5oES/NlAgMBAAGjUzBRMB0GA1UdDgQWBBQ/S0H0dFUy
+OuEQ/kgDzGarWm2vlDAfBgNVHSMEGDAWgBQ/S0H0dFUyOuEQ/kgDzGarWm2vlDAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCoP+kH96+b6GWByPTo
+LRK/QJmpPRWiZ5naV6CXJQNYg+nVG9wdiGXxEx4BBZs6yGdeHdiWCWbuRPMyH0Wp
+w2ajMmK7pC8+MGKzMSC/EISPFwKYumwe/6zNnde7eZ19n7EFwrOihgEf+hNfjOCj
+CqDIfMb2ztEHY7mEABMXDviKI80om2P1oIkHj5MD7z8ZetJRf1qCH7ke2cdTJ+Zr
+XNGiJ7sz3xRQO/QRCkbBbr/d4zeX3A5/+MXHLtzbPiWs+/XaDbGJTQIO5hFfwwAC
+v1/VrNmsy+3YYLLTZzmfpa60Sk3NsZbIQdvwLJJj8pOmH/zae7UZlrxlGWjQKvH5
+evsP
 -----END CERTIFICATE-----