tarantool
diff --git a/‎.gitignore
Lines changed: 12 additions & 0 deletions b/‎.gitignore
Lines changed: 12 additions & 0 deletions
diff --git a/‎connection.go
Lines changed: 5 additions & 0 deletions b/‎connection.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎ssl.go
Lines changed: 55 additions & 6 deletions b/‎ssl.go
Lines changed: 55 additions & 6 deletions
diff --git a/‎ssl_test.go
Lines changed: 155 additions & 0 deletions b/‎ssl_test.go
Lines changed: 155 additions & 0 deletions
diff --git a/‎testdata/ca.crt
Lines changed: 16 additions & 16 deletions b/‎testdata/ca.crt
Lines changed: 16 additions & 16 deletions
diff --git a/‎testdata/generate.sh
Lines changed: 26 additions & 2 deletions b/‎testdata/generate.sh
Lines changed: 26 additions & 2 deletions
diff --git a/‎testdata/invalidhost.crt
Lines changed: 22 additions & 0 deletions b/‎testdata/invalidhost.crt
Lines changed: 22 additions & 0 deletions
@@ -4,3 +4,15 @@
 work_dir*
 .rocks
 bench*
+
+testdata/*.crt
+!testdata/ca.crt
+!testdata/invalidhost.crt
+!testdata/localhost.crt
+testdata/*.csr
+testdata/*.ext
+testdata/*.key
+!testdata/localhost.key
+!testdata/localhost.enc.key
+testdata/*.pem
+testdata/*.srl
@@ -345,6 +345,11 @@ type SslOpts struct {
 	//
 	// * https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
 	Ciphers string
+	// Password is a password for decrypting private SSL key file.
+	Password string
+	// PasswordFile is a path to the list of passwords for decrypting private SSL
+	// key file. Connection tries every line from the file as a password.
+	PasswordFile string
 }
 
 // Clone returns a copy of the Opts object.
 
@@ -4,9 +4,13 @@
 package tarantool
 
 import (
+	"bufio"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"net"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/tarantool/go-openssl"
@@ -43,7 +47,7 @@ func sslCreateContext(opts SslOpts) (ctx interface{}, err error) {
 	}
 
 	if opts.KeyFile != "" {
-		if err = sslLoadKey(sslCtx, opts.KeyFile); err != nil {
+		if err = sslLoadKey(sslCtx, opts.KeyFile, opts.Password, opts.PasswordFile); err != nil {
 			return
 		}
 	}
@@ -95,16 +99,61 @@ func sslLoadCert(ctx *openssl.Ctx, certFile string) (err error) {
 	return
 }
 
-func sslLoadKey(ctx *openssl.Ctx, keyFile string) (err error) {
+func sslLoadKey(ctx *openssl.Ctx, keyFile string, password string,
+	passwordFile string) error {
 	var keyBytes []byte
+	var err error
+
 	if keyBytes, err = ioutil.ReadFile(keyFile); err != nil {
-		return
+		return err
 	}
 
 	var key openssl.PrivateKey
-	if key, err = openssl.LoadPrivateKeyFromPEM(keyBytes); err != nil {
-		return
+	var errs []error
+
+	// If key is encrypted and password is not provided,
+	// openssl.LoadPrivateKeyFromPEM(keyBytes) asks to enter PEM pass phrase
+	// interactively. On the other hand,
+	// openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, '') works fine for
+	// non-encrypted key.
+	if key, err = openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password); err == nil {
+		return ctx.UsePrivateKey(key)
+	} else {
+		errs = append(errs, err)
+	}
+
+	if passwordFile != "" {
+		var file *os.File
+		file, err = os.Open(passwordFile)
+		if err == nil {
+			defer file.Close()
+
+			scanner := bufio.NewScanner(file)
+			for scanner.Scan() {
+				password = strings.TrimSpace(scanner.Text())
+
+				if key, err = openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password); err == nil {
+					return ctx.UsePrivateKey(key)
+				} else {
+					errs = append(errs, err)
+				}
+			}
+		} else {
+			errs = append(errs, err)
+		}
+	}
+
+	if len(errs) > 1 {
+		// Convenient multiple error wrapping was introduced only in Go 1.20
+		// https://pkg.go.dev/errors#example-Join
+		// https://github.com/golang/go/issues/53435
+		rerr := errors.New("Got multiple errors on SSL decryption:")
+		for _, err = range errs {
+			rerr = fmt.Errorf("%s, %w", rerr, err)
+		}
+
+		return rerr
 	}
 
-	return ctx.UsePrivateKey(key)
+	return errs[0]
 }
@@ -139,9 +139,26 @@ func serverTntStop(inst test_helpers.TarantoolInstance) {
 	test_helpers.StopTarantoolWithCleanup(inst)
 }
 
+func skipEncrypted(t testing.TB, serverOpts SslOpts) {
+	if serverOpts.Password == "" && serverOpts.PasswordFile == "" {
+		return
+	}
+
+	isLess, err := test_helpers.IsTarantoolVersionLess(2, 11, 0)
+	if err != nil {
+		t.Fatalf("Could not check the Tarantool version")
+	}
+
+	if isLess {
+		t.Skipf("Skipping test for Tarantool without SSL encryption support")
+	}
+}
+
 func assertConnectionSslFail(t testing.TB, serverOpts, clientOpts SslOpts) {
 	t.Helper()
 
+	skipEncrypted(t, serverOpts)
+
 	l, c, _, _, err := createClientServerSsl(t, serverOpts, clientOpts)
 	l.Close()
 	if err == nil {
@@ -153,6 +170,8 @@ func assertConnectionSslFail(t testing.TB, serverOpts, clientOpts SslOpts) {
 func assertConnectionSslOk(t testing.TB, serverOpts, clientOpts SslOpts) {
 	t.Helper()
 
+	skipEncrypted(t, serverOpts)
+
 	l, c, msgs, errs := createClientServerSslOk(t, serverOpts, clientOpts)
 	const message = "any test string"
 	c.Write([]byte(message))
@@ -431,6 +450,142 @@ var tests = []test{
 			Ciphers:  "TLS_AES_128_GCM_SHA256",
 		},
 	},
+	{
+		"pass_no_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			Password: "mysslpassword",
+		},
+	},
+	{
+		"pass_file_no_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			CaFile:   "testdata/ca.crt",
+			Password: "mysslpassword",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+			Password: "mysslpassword",
+		},
+	},
+	{
+		"pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_and_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "mysslpassword",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"inv_pass_and_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "invalidpassword",
+			PasswordFile: "testdata/passwords",
+		},
+	},
+	{
+		"pass_and_inv_pass_file_key_encrypt",
+		true,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "mysslpassword",
+			PasswordFile: "testdata/invalidpasswords",
+		},
+	},
+	{
+		"pass_and_inv_pass_file_key_encrypt",
+		false,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			Password:     "invalidpassword",
+			PasswordFile: "testdata/invalidpasswords",
+		},
+	},
+	{
+		"no_pass_key_encrypt",
+		false,
+		SslOpts{
+			KeyFile:      "testdata/localhost.enc.key",
+			CertFile:     "testdata/localhost.crt",
+			CaFile:       "testdata/ca.crt",
+			PasswordFile: "testdata/passwords",
+		},
+		SslOpts{
+			KeyFile:  "testdata/localhost.enc.key",
+			CertFile: "testdata/localhost.crt",
+		},
+	},
 }
 
 func isTestTntSsl() bool {
 
@@ -1,20 +1,20 @@
 -----BEGIN CERTIFICATE-----
-MIIDLzCCAhegAwIBAgIUMMZTmNkhr4qOfSwInVk2dAJvoBEwDQYJKoZIhvcNAQEL
+MIIDLzCCAhegAwIBAgIUaw6WTgYBXFRqlGbKRYczFApoNU4wDQYJKoZIhvcNAQEL
 BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
-MjA1MjYwNjE3NDBaFw00NDEwMjkwNjE3NDBaMCcxCzAJBgNVBAYTAlVTMRgwFgYD
+MzA3MjYwODM3MTZaFw00NTEyMjkwODM3MTZaMCcxCzAJBgNVBAYTAlVTMRgwFgYD
 VQQDDA9FeGFtcGxlLVJvb3QtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQCRq/eaA3I6CB8t770H2XDdzcp1yuC/+TZOxV5o0LuRkogTvL2kYULBrfx1
-rVZu8zQJTx1fmSRj1cN8j+IrmXN5goZ3mYFTnnIOgkyi+hJysVlo5s0Kp0qtLLGM
-OuaVbxw2oAy75if5X3pFpiDaMvFBtJKsh8+SkncBIC5bbKC5AoLdFANLmPiH0CGr
-Mv3rL3ycnbciI6J4uKHcWnYGGiMjBomaZ7jd/cOjcjmGfpI5d0nq13G11omkyEyR
-wNX0eJRL02W+93Xu7tD+FEFMxFvak+70GvX+XWomwYw/Pjlio8KbTAlJxhfK2Lh6
-H798k17VfxIrOk0KjzZS7+a20hZ/AgMBAAGjUzBRMB0GA1UdDgQWBBT2f5o8r75C
-PWST36akpkKRRTbhvjAfBgNVHSMEGDAWgBT2f5o8r75CPWST36akpkKRRTbhvjAP
-BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9pb75p6mnqp2MQHSr
-5SKRf2UV4wQIUtXgF6V9vNfvVzJii+Lzrqir1YMk5QgavCzD96KlJcqJCcH559RY
-5743AxI3tdWfA3wajBctoy35oYnT4M30qbkryYLTUlv7PmeNWvrksTURchyyDt5/
-3T73yj5ZalmzKN6+xLfUDdnudspfWlUMutKU50MU1iuQESf4Fwd53vOg9jMcWJ2E
-vAgfVI0XAvYdU3ybJrUvBq5zokYR2RzGv14uHxwVPnLBjrBEHRnbrXvLZJhuIS2b
-xZ3CqwWi+9bvNqHz09HvhkU2b6fCGweKaAUGSo8OfQ5FRkjTUomMI/ZLs/qtJ6JR
-zzVt
+AoIBAQCunm5E+dyoYw+ECp0vOabsA4L7C+dUQLhfqdOEwFSpSanjBTuUEAPB+fEr
+wqaZXI2EnUSxYEYO03TkZmWoJgRJq+00laWPA4AuKHpg4SS/LUoveQiQdsie+kUj
+YMFu3rtP2CvTMpC4HMRK2CviOnU9iA4hPvRx4o5tESxLW31jNnBDeC/tsEVVR/6i
+lwB9Oh1RbZI/c429N67qq5C2rpU5+o+YszDou36WTxw6XeXdkw7QF4W2BNLysPLJ
+AY+aPrUVxKDOgDNk77h41HDqu+SuDg6mg528yfRqyAd4ooEE8MLcT0xztn1U8HvZ
+SKwWTnS8TSzCmQptRGPlb5oES/NlAgMBAAGjUzBRMB0GA1UdDgQWBBQ/S0H0dFUy
+OuEQ/kgDzGarWm2vlDAfBgNVHSMEGDAWgBQ/S0H0dFUyOuEQ/kgDzGarWm2vlDAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCoP+kH96+b6GWByPTo
+LRK/QJmpPRWiZ5naV6CXJQNYg+nVG9wdiGXxEx4BBZs6yGdeHdiWCWbuRPMyH0Wp
+w2ajMmK7pC8+MGKzMSC/EISPFwKYumwe/6zNnde7eZ19n7EFwrOihgEf+hNfjOCj
+CqDIfMb2ztEHY7mEABMXDviKI80om2P1oIkHj5MD7z8ZetJRf1qCH7ke2cdTJ+Zr
+XNGiJ7sz3xRQO/QRCkbBbr/d4zeX3A5/+MXHLtzbPiWs+/XaDbGJTQIO5hFfwwAC
+v1/VrNmsy+3YYLLTZzmfpa60Sk3NsZbIQdvwLJJj8pOmH/zae7UZlrxlGWjQKvH5
+evsP
 -----END CERTIFICATE-----
@@ -8,7 +8,7 @@ set -xeuo pipefail
 # $ openssl version
 # OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
 
-cat <<EOF > domains.ext
+cat <<EOF > domains_localhost.ext
 authorityKeyIdentifier=keyid,issuer
 basicConstraints=CA:FALSE
 keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
@@ -18,8 +18,32 @@ DNS.1 = localhost
 IP.1 = 127.0.0.1
 EOF
 
+cat <<EOF > domains_invalidhost.ext
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = invalidhostname
+EOF
+
 openssl req -x509 -nodes -new -sha256 -days 8192 -newkey rsa:2048 -keyout ca.key -out ca.pem -subj "/C=US/CN=Example-Root-CA"
 openssl x509 -outform pem -in ca.pem -out ca.crt
 
 openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost"
-openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains.ext -out localhost.crt
+openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains_localhost.ext -out localhost.crt
+openssl x509 -req -sha256 -days 8192 -in localhost.csr -CA ca.pem -CAkey ca.key -CAcreateserial -extfile domains_invalidhost.ext -out invalidhost.crt
+
+password=mysslpassword
+
+# Tarantool tries every line from the password file.
+cat <<EOF > passwords
+unusedpassword
+$password
+EOF
+
+cat <<EOF > invalidpasswords
+unusedpassword1
+EOF
+
+openssl rsa -aes256 -passout "pass:${password}" -in localhost.key -out localhost.enc.key
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkjCCAnqgAwIBAgIUQLHZRFM5sRy6sRCuHaevk+YGFpEwDQYJKoZIhvcNAQEL
+BQAwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD0V4YW1wbGUtUm9vdC1DQTAeFw0y
+MzA3MjYwODM3MTZaFw00NTEyMjkwODM3MTZaMGcxCzAJBgNVBAYTAlVTMRIwEAYD
+VQQIDAlZb3VyU3RhdGUxETAPBgNVBAcMCFlvdXJDaXR5MR0wGwYDVQQKDBRFeGFt
+cGxlLUNlcnRpZmljYXRlczESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqG67dtzioYKHDkF4FN2ObVpSNHkX5JgN8cR6
+iOyoAlppZO3upwRePQX0Ra9SMoL4GNuHZrr4daABYW15H9utlT2E8kzZTIcL+7VQ
+rhGGrqzQRIXXOb6vGyKVnAC1FJ2mrnB7BfOCDcdMG1FeDcbhD3gyVzmr1wmXSvLh
+Zq5XmHc2uinfGgt5Q1HauEso1aQqJ0VjkK0Xh+4O2tP9E1tnzJoetUQt2f2NmigY
+hFURUsK+H2w9whWD9ynLkzD7xtNaPZ3o2WI4i/Eu9YHgAgnnSOkuKB0VjmirFWCz
+YnrYWdGEdhYC62Wx58vX5vOOeDsZNJyKagh+0/JOLZCKPKbh6QIDAQABo3YwdDAf
+BgNVHSMEGDAWgBQ/S0H0dFUyOuEQ/kgDzGarWm2vlDAJBgNVHRMEAjAAMAsGA1Ud
+DwQEAwIE8DAaBgNVHREEEzARgg9pbnZhbGlkaG9zdG5hbWUwHQYDVR0OBBYEFEMm
+fZC+zfSDniXFevQwlLQ8o1O1MA0GCSqGSIb3DQEBCwUAA4IBAQB/gE4CZdIma4sr
++HHyosi13KuLewUydfwWlPQoBD4s+lbOelhylKj7u+AL/QOiPvYIcreFv7rwXXzj
+FTyT79G5pTNhlyMai+ehWRNxPIjksnZnDfa8dDciC3+w8wzWaJOXp/FEH0qfOs87
+F7smnKvOTVFcbshWq9u/bKTlA2dpuVKJub+ISfvbqLSxoaz5/NeBUFBIe8SllpWd
+EW+GKbROa2spChpECEEbYOhWgTZ0dVdrnWd0xq34gSnzA6H+gTQ6wSCSMHl7YKJs
+yCnPJz++Fl5hmwYGFA6HP60r0GZ4vAHUdfirehwJt/y0PRylFh0cXxDIY84UqRJa
+80SDNfZQ
+-----END CERTIFICATE-----