Ignore data before TLS key encapsulation boundary.

Resolves #2281.

Co-authored-by: Julian Büttner <me@julianbuettner.dev>
This commit is contained in:
Sergio Benitez 2023-03-23 12:11:03 -07:00
parent 06d255b52b
commit daa157f872
2 changed files with 14 additions and 7 deletions

View File

@ -16,16 +16,21 @@ pub fn load_certs(reader: &mut dyn io::BufRead) -> io::Result<Vec<Certificate>>
pub fn load_private_key(reader: &mut dyn io::BufRead) -> io::Result<PrivateKey> {
// "rsa" (PKCS1) PEM files have a different first-line header than PKCS8
// PEM files, use that to determine the parse function to use.
let mut first_line = String::new();
reader.read_line(&mut first_line)?;
let mut header = String::new();
let private_keys_fn = loop {
header.clear();
if reader.read_line(&mut header)? == 0 {
return Err(err("failed to find key header; supported formats are: RSA, PKCS8"));
}
let private_keys_fn = match first_line.trim_end() {
"-----BEGIN RSA PRIVATE KEY-----" => rustls_pemfile::rsa_private_keys,
"-----BEGIN PRIVATE KEY-----" => rustls_pemfile::pkcs8_private_keys,
_ => return Err(err("invalid key header; supported formats are: RSA, PKCS8"))
break match header.trim_end() {
"-----BEGIN RSA PRIVATE KEY-----" => rustls_pemfile::rsa_private_keys,
"-----BEGIN PRIVATE KEY-----" => rustls_pemfile::pkcs8_private_keys,
_ => continue,
};
};
let key = private_keys_fn(&mut Cursor::new(first_line).chain(reader))
let key = private_keys_fn(&mut Cursor::new(header).chain(reader))
.map_err(|_| err("invalid key file"))
.and_then(|mut keys| match keys.len() {
0 => Err(err("no valid keys found; is the file malformed?")),

View File

@ -1,3 +1,5 @@
# COMMENTARY
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDHZ4WW3kg1XXYi
gzn/mV45QoaYLIiIs35Ryx7uLFqG92a8FgYiAqNn3s02aI3LxWjCaKKI5UoRDbiy