Reject encrypted certificate key

Do at least a poor-man check on the PEM header.

Fixes #15

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Explicit rejection of encrypted client certificate keys. [#15](https://github.com/keeshux/passepartout-ios/issues/15)
 - Attach .ovpn when reporting a connectivity issue, stripped of sensitive data. [#13](https://github.com/keeshux/passepartout-ios/pull/13)
 - iTunes File Sharing (skythedesu). [#14](https://github.com/keeshux/passepartout-ios/pull/14)
 - Tunnel failure reporting in UI. [#8](https://github.com/keeshux/passepartout-ios/pull/8)

Passepartout/Sources/VPN/TunnelKitProvider+FileConfiguration.swift

@@ -145,7 +145,11 @@ extension TunnelKitProvider.Configuration {
                     clientCertificate = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
                     
                 case "key":
-                    clientKey = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
+                    let container = CryptoContainer(pem: currentBlock.joined(separator: "\n"))
+                    clientKey = container
+                    if container.isEncrypted {
+                        unsupportedError = ApplicationError.unsupportedConfiguration(option: "encrypted client certificate key")
+                    }
                     
                 case "tls-auth":
                     tlsKeyLines = currentBlock.map { Substring($0) }
@@ -382,3 +386,9 @@ private extension NSRegularExpression {
         }
     }
 }
+
+extension CryptoContainer {
+    var isEncrypted: Bool {
+        return pem.contains("ENCRYPTED")
+    }
+}

README.md

@@ -73,7 +73,7 @@ Unsupported:
     - `--compress` other than empty
 - Proxy
 - External file references (inline `<block>` only)
-- Encrypted certificate private key (will raise error TunnelKitNative Code=205)
+- Encrypted client certificate keys
 
 Ignored: