Reject encrypted certificate key

Do at least a poor man's check on the PEM header.

Fixes #15
This commit is contained in:
Davide De Rosa 2018-11-01 14:08:02 +01:00
parent 0ab2244c36
commit 25c2308c63
3 changed files with 13 additions and 2 deletions


@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Added ### Added
- Explicit rejection of encrypted client certificate keys. [#15](https://github.com/keeshux/passepartout-ios/issues/15)
- Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13) - Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13)
- iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14) - iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14)
- Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8) - Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8)


@ -145,7 +145,11 @@ extension TunnelKitProvider.Configuration {
clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n")) clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
case "key": case "key":
clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n")) let container = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
clientKey = container
if container.isEncrypted {
unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key")
}
case "tls-auth": case "tls-auth":
tlsKeyLines = currentBlock.map { Substring($0) } tlsKeyLines = currentBlock.map { Substring($0) }
@ -382,3 +386,9 @@ private extension NSRegularExpression {
} }
} }
} }
extension CryptoContainer {
var isEncrypted: Bool {
return pem.contains("ENCRYPTED")
}
}
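Review bot: `isEncrypted` is a substring match over the whole inline `<key>` block rather than a header check, so any line containing "ENCRYPTED" (including a stray comment pasted into the block) flags the key, while the commit message describes it as a PEM header check. The two header forms a practitioner expects are the PKCS#8 label `-----BEGIN ENCRYPTED PRIVATE KEY-----` and the legacy OpenSSL `Proc-Type: 4,ENCRYPTED` line, so a tighter version would be `return pem.contains("BEGIN ENCRYPTED") || pem.contains("Proc-Type: 4,ENCRYPTED")` with a doc comment on the property such as `/// Heuristic: true when the PEM carries a PKCS#8 "ENCRYPTED PRIVATE KEY" label or a legacy OpenSSL "Proc-Type: 4,ENCRYPTED" header; passphrase-protected keys are not supported.` Note that in the `case "key":` branch `clientKey = container` is still stored before `unsupportedError` is set; whether that error aborts the parse, or is overwritten by a later unsupported option, depends on the enclosing function, which starts and ends outside this hunk, so it would be safer not to assign `clientKey` when the container is encrypted.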


@ -73,7 +73,7 @@ Unsupported:
- `--compress` other than empty - `--compress` other than empty
- Proxy - Proxy
- External file references (inline `<block>` only) - External file references (inline `<block>` only)
- Encrypted certificate private key (will raise error TunnelKitNative Code=205) - Encrypted client certificate keys
Ignored: Ignored: