Ignore data before TLS key encapsulation boundary.

Resolves #2281. Co-authored-by: Julian Büttner <me@julianbuettner.dev>
2023-03-23 12:11:03 -07:00 · 2023-03-23 12:11:03 -07:00 · daa157f872
parent 06d255b52b
commit daa157f872
2 changed files with 14 additions and 7 deletions
--- a/core/http/src/tls/util.rs
+++ b/core/http/src/tls/util.rs
@ -16,16 +16,21 @@ pub fn load_certs(reader: &mut dyn io::BufRead) -> io::Result<Vec<Certificate>>
 pub fn load_private_key(reader: &mut dyn io::BufRead) -> io::Result<PrivateKey> {
    // "rsa" (PKCS1) PEM files have a different first-line header than PKCS8
    // PEM files, use that to determine the parse function to use.
-    let mut first_line = String::new();
-    reader.read_line(&mut first_line)?;
+    let mut header = String::new();
+    let private_keys_fn = loop {
+        header.clear();
+        if reader.read_line(&mut header)? == 0 {
+            return Err(err("failed to find key header; supported formats are: RSA, PKCS8"));
+        }

-    let private_keys_fn = match first_line.trim_end() {
+        break match header.trim_end() {
            "-----BEGIN RSA PRIVATE KEY-----" => rustls_pemfile::rsa_private_keys,
            "-----BEGIN PRIVATE KEY-----" => rustls_pemfile::pkcs8_private_keys,
-        _ => return Err(err("invalid key header; supported formats are: RSA, PKCS8"))
+            _ => continue,
+        };
    };

-    let key = private_keys_fn(&mut Cursor::new(first_line).chain(reader))
+    let key = private_keys_fn(&mut Cursor::new(header).chain(reader))
        .map_err(|_| err("invalid key file"))
        .and_then(|mut keys| match keys.len() {
            0 => Err(err("no valid keys found; is the file malformed?")),
--- a/examples/tls/private/rsa_sha256_key.pem
+++ b/examples/tls/private/rsa_sha256_key.pem
@ -1,3 +1,5 @@
+# COMMENTARY
+
 -----BEGIN PRIVATE KEY-----
 MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDHZ4WW3kg1XXYi
 gzn/mV45QoaYLIiIs35Ryx7uLFqG92a8FgYiAqNn3s02aI3LxWjCaKKI5UoRDbiy