From 25c2308c63af0b386898e0860c05dba970967620 Mon Sep 17 00:00:00 2001
From: Davide De Rosa
Date: Thu, 1 Nov 2018 14:08:02 +0100
Subject: [PATCH] Reject encrypted certificate key
Do at least a poor-man check on the PEM header.
Fixes #15
---
 CHANGELOG.md | 1 +
 .../VPN/TunnelKitProvider+FileConfiguration.swift | 12 +++++++++++-
 README.md | 2 +-
 3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a6554886..e5914488 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
+- Explicit rejection of encrypted client certificate keys. [#15](https://github.com/keeshux/passepartout-ios/issues/15)
 - Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13)
 - iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14)
 - Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8)
diff --git a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
index 77a7a633..a38bdb55 100644
--- a/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
+++ b/Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift
@@ -145,7 +145,11 @@ extension TunnelKitProvider.Configuration {
 clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
 case "key":
- clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
+ let container = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
+ clientKey = container
+ if container.isEncrypted {
+ unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key")
+ }
 case "tls-auth":
 tlsKeyLines = currentBlock.map { Substring($0) }
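Review bot: In the `case "key":` branch the encrypted key is still stored in `clientKey` before `isEncrypted` is consulted, so the configuration carries the rejected key material alongside `unsupportedError`; whether the caller discards the whole configuration on that error is decided outside this hunk and I cannot confirm it here. Assigning only on the accepted path keeps the two states from coexisting: `if container.isEncrypted { unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key") } else { clientKey = container }`. If later parsing steps rely on `clientKey` being set even for a rejected file, a comment saying so at the assignment would make the intent clear. The enclosing parsing function starts and ends outside the hunk.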
@@ -382,3 +386,9 @@ private extension NSRegularExpression {
 }
 }
 }
+
+extension CryptoContainer {
+ var isEncrypted: Bool {
+ return pem.contains("ENCRYPTED")
+ }
+}
diff --git a/README.md b/README.md
index 2d0e4617..15467013 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ Unsupported:
 - `--compress` other than empty
 - Proxy
 - External file references (inline `` only)
-- Encrypted certificate private key (will raise error TunnelKitNative Code=205)
+- Encrypted client certificate keys
 Ignored:
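Review bot: `isEncrypted` does a substring search over the entire PEM text, so any free-text line inside the block that happens to contain the word ENCRYPTED (an explanatory comment, for example) would reject an unencrypted key, and the heuristic nature of the check is not documented. Anchoring the test to the two OpenSSL markers that actually denote encryption narrows it without losing the cases the commit targets: `return pem.contains("BEGIN ENCRYPTED PRIVATE KEY") || pem.contains("Proc-Type: 4,ENCRYPTED")`. I would also add a doc comment such as `/// Heuristic based on PEM header markers only; the key is not parsed, so this can misclassify non-standard encodings.` so callers do not treat it as an authoritative parse. The three `}` context lines belong to a declaration that starts outside the hunk.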