api: support SSL private key file decryption #319


Merged: 4 commits merged into master from DifferentialOrange/ssl-key-decryption on Aug 3, 2023

Conversation

@DifferentialOrange (Member) commented Jul 26, 2023

See commit messages for detailed info.

I didn't forget about (remove if it is not applicable):

@DifferentialOrange force-pushed the DifferentialOrange/ssl-key-decryption branch from e915bb8 to 1c49429 on July 26, 2023 12:03
@DifferentialOrange force-pushed the DifferentialOrange/ssl-key-decryption branch 4 times, most recently from 2f20c34 to 7023bbc on July 26, 2023 13:43
@DifferentialOrange (Member, Author):

I'm inspecting flaky tests right now, follow tarantool/go-openssl#9

@DifferentialOrange force-pushed the DifferentialOrange/ssl-key-decryption branch 2 times, most recently from 3ab5960 to 1a2250e on August 1, 2023 13:09
@DifferentialOrange (Member, Author) commented Aug 1, 2023

> I'm inspecting flaky tests right now, follow tarantool/go-openssl#9

A fix was introduced, everything should be fine now. (The last failure was due to a missing deps bump.)

@DifferentialOrange force-pushed the DifferentialOrange/ssl-key-decryption branch from 1a2250e to 6e7d9a7 on August 1, 2023 13:19
Run with release 2.11.0 SDK instead of a dev one.

1. tarantool/tt@12bf404
"empty" and "key_crt_client" test cases do not provide SSL files to
a server started with SSL transport. In these cases the server fails to
start, and the tests ensure that the server fails. It is not related to
go-tarantool connector testing in any way -- it's a test of
the tarantool binary. Since testing core tarantool is not part of
the go-tarantool project, this patch removes these cases.

The main motivation for this patch is the next commit in the patchset,
which separates the check for server start from the check for client success or failure.
@DifferentialOrange force-pushed the DifferentialOrange/ssl-key-decryption branch from 6e7d9a7 to 0d06b1c on August 1, 2023 13:23
@DifferentialOrange marked this pull request as ready for review August 1, 2023 13:30
@oleg-jukovec requested a review from DerekBum August 1, 2023 19:34
Current SSL tests are as follows. We start a Tarantool server with
default helpers. "ok" tests are successful if everything has started,
"fail" tests are successful if the ping check has failed (aka we failed to
connect). This is a dangerous approach, since "server failed to
start" here is indistinguishable from "client cannot connect". Moreover,
because of it each tnt_fail test runs for 5 seconds
(10 retry attempts * 500 ms retry wait), which is frustrating. After
this patch, there is a separate check for server start and for
client success or failure.
@DifferentialOrange force-pushed the DifferentialOrange/ssl-key-decryption branch 2 times, most recently from 037bd6f to b8d9740 on August 3, 2023 08:27
@DifferentialOrange (Member, Author):

I've also added a couple of test cases with a non-existing file

@DifferentialOrange force-pushed the DifferentialOrange/ssl-key-decryption branch from b8d9740 to 0c7939c on August 3, 2023 09:44
Support `ssl_password` and `ssl_password_file` options in SslOpts.
Tarantool EE supports SSL passwords and password files since 2.11.0 [1].
Since it is possible to use the corresponding non-encrypted key, cert and CA
on the server, the tests work fine even for Tarantool EE 2.10.0.

Same as in Tarantool, we try `SslOpts.Password`, then each line in
`SslOpts.PasswordFile`. If all of the above fail, we re-raise the errors.

If the key is encrypted and the password is not provided,
`openssl.LoadPrivateKeyFromPEM(keyBytes)` asks to enter the PEM pass phrase
interactively. On the other hand,
`openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password)` works
fine for a non-encrypted key with any password, including the empty string.
If the key is encrypted, we fail fast with a password error instead of
requesting the pass phrase interactively.

The patch also bumps go-openssl since the latest patch fixes flaky
tests [2].

The patch is based on a similar patch for tarantool-python [3].

1. tarantool/tarantool-ee#22
2. tarantool/go-openssl#9
3. tarantool/tarantool-python#274
@DifferentialOrange force-pushed the DifferentialOrange/ssl-key-decryption branch from 0c7939c to afa063b on August 3, 2023 10:43

@oleg-jukovec (Collaborator) left a comment:

Thank you for the patch!

@oleg-jukovec merged commit b17735b into master Aug 3, 2023
@oleg-jukovec deleted the DifferentialOrange/ssl-key-decryption branch August 3, 2023 11:57