706becaf20
When using client certificates for TLS, it's possible to specify a private key file with an encrypted private key. Previously, we silently returned a nil Certificate object in this case which promptly resulted in a panic in crypto/tls when attempting to push. Instead, let's detect that the key is encrypted and prompt for a passphrase. Git usually handles this with a prompt from OpenSSL, which we aren't using, although it can be configured to use the credential helper as well. Since there isn't a portable way to turn off the echo in order to prompt for a passphrase, even among Unix systems, let's use the credential helper route for this purpose by prompting for credentials using a cert: URL for the file holding the private key; this is the type of URL that Git uses with the credential helper for this purpose. In order to make things as intuitive as possible, tell the credential code to always include the path for cert: URLs (so we don't just prompt for "cert:///") and provide the user's current username in the username field so they don't get a useless username prompt. Provide as much helpful trace output as possible for debugging; note that credential filling success and failure already have trace logging enabled elsewhere. Note that we create our own credential helper for the client object to avoid having to pass it into the HTTP client context from the LFS API context; this should be fine, since we're going to prompt and use this value only within this context and for this purpose. Finally, since we're in a context where we can't really return an error up the chain, if for whatever reason an error occurs, ensure that we don't pass nil to crypto/tls and instead skip passing a certificate altogether. This will at least make the failure case obvious later on and provide a better user experience than a panic.
203 lines
6.0 KiB
Go
203 lines
6.0 KiB
Go
package lfshttp
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/url"
|
|
"path/filepath"
|
|
|
|
"github.com/git-lfs/git-lfs/config"
|
|
"github.com/rubyist/tracerx"
|
|
)
|
|
|
|
// isCertVerificationDisabledForHost returns whether SSL certificate verification
|
|
// has been disabled for the given host, or globally
|
|
func isCertVerificationDisabledForHost(c *Client, host string) bool {
|
|
hostSslVerify, _ := c.uc.Get("http", fmt.Sprintf("https://%v", host), "sslverify")
|
|
if hostSslVerify == "false" {
|
|
return true
|
|
}
|
|
|
|
return c.SkipSSLVerify
|
|
}
|
|
|
|
// isClientCertEnabledForHost returns whether client certificate
|
|
// are configured for the given host
|
|
func isClientCertEnabledForHost(c *Client, host string) bool {
|
|
_, hostSslKeyOk := c.uc.Get("http", fmt.Sprintf("https://%v/", host), "sslKey")
|
|
_, hostSslCertOk := c.uc.Get("http", fmt.Sprintf("https://%v/", host), "sslCert")
|
|
|
|
return hostSslKeyOk && hostSslCertOk
|
|
}
|
|
|
|
// decryptPEMBlock decrypts an encrypted PEM block representing a private key,
|
|
// prompting for credentials using the credential helper, and returns a
|
|
// decrypted PEM block representing that same private key.
|
|
func decryptPEMBlock(c *Client, block *pem.Block, path string, key []byte) ([]byte, error) {
|
|
fileurl := fmt.Sprintf("cert:///%s", filepath.ToSlash(path))
|
|
url, err := url.Parse(fileurl)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
credHelper, input := c.credHelperContext.GetCredentialHelper(nil, url)
|
|
|
|
input["username"] = ""
|
|
|
|
creds, err := credHelper.Fill(input)
|
|
if err != nil {
|
|
tracerx.Printf("Error filling credentials for %q: %v", fileurl, err)
|
|
return nil, err
|
|
}
|
|
pass := creds["password"]
|
|
decrypted, err := x509.DecryptPEMBlock(block, []byte(pass))
|
|
if err != nil {
|
|
credHelper.Reject(creds)
|
|
return nil, err
|
|
}
|
|
credHelper.Approve(creds)
|
|
|
|
// decrypted is a DER blob, but we need a PEM-encoded block.
|
|
toEncode := &pem.Block{Type: block.Type, Headers: nil, Bytes: decrypted}
|
|
buf := pem.EncodeToMemory(toEncode)
|
|
return buf, nil
|
|
}
|
|
|
|
// getClientCertForHost returns a client certificate for a specific host (which may
|
|
// be "host:port" loaded from the gitconfig
|
|
func getClientCertForHost(c *Client, host string) *tls.Certificate {
|
|
hostSslKey, _ := c.uc.Get("http", fmt.Sprintf("https://%v/", host), "sslKey")
|
|
hostSslCert, _ := c.uc.Get("http", fmt.Sprintf("https://%v/", host), "sslCert")
|
|
|
|
cert, err := ioutil.ReadFile(hostSslCert)
|
|
if err != nil {
|
|
tracerx.Printf("Error reading client cert file %q: %v", hostSslCert, err)
|
|
return nil
|
|
}
|
|
key, err := ioutil.ReadFile(hostSslKey)
|
|
if err != nil {
|
|
tracerx.Printf("Error reading client key file %q: %v", hostSslKey, err)
|
|
return nil
|
|
}
|
|
|
|
block, _ := pem.Decode(key)
|
|
if x509.IsEncryptedPEMBlock(block) {
|
|
key, err = decryptPEMBlock(c, block, hostSslKey, key)
|
|
if err != nil {
|
|
tracerx.Printf("Unable to decrypt client key file %q: %v", hostSslKey, err)
|
|
return nil
|
|
}
|
|
}
|
|
|
|
certobj, err := tls.X509KeyPair(cert, key)
|
|
if err != nil {
|
|
tracerx.Printf("Error reading client cert/key %v", err)
|
|
return nil
|
|
}
|
|
return &certobj
|
|
}
|
|
|
|
// getRootCAsForHost returns a certificate pool for that specific host (which may
|
|
// be "host:port" loaded from either the gitconfig or from a platform-specific
|
|
// source which is not included by default in the golang certificate search)
|
|
// May return nil if it doesn't have anything to add, in which case the default
|
|
// RootCAs will be used if passed to TLSClientConfig.RootCAs
|
|
func getRootCAsForHost(c *Client, host string) *x509.CertPool {
|
|
// don't init pool, want to return nil not empty if none found; init only on successful add cert
|
|
var pool *x509.CertPool
|
|
|
|
// gitconfig first
|
|
pool = appendRootCAsForHostFromGitconfig(c.osEnv, c.gitEnv, pool, host)
|
|
// Platform specific
|
|
return appendRootCAsForHostFromPlatform(pool, host)
|
|
}
|
|
|
|
func appendRootCAsForHostFromGitconfig(osEnv, gitEnv config.Environment, pool *x509.CertPool, host string) *x509.CertPool {
|
|
// Accumulate certs from all these locations:
|
|
|
|
// GIT_SSL_CAINFO first
|
|
if cafile, _ := osEnv.Get("GIT_SSL_CAINFO"); len(cafile) > 0 {
|
|
return appendCertsFromFile(pool, cafile)
|
|
}
|
|
// http.<url>/.sslcainfo or http.<url>.sslcainfo
|
|
uc := config.NewURLConfig(gitEnv)
|
|
if cafile, ok := uc.Get("http", fmt.Sprintf("https://%v/", host), "sslcainfo"); ok {
|
|
return appendCertsFromFile(pool, cafile)
|
|
}
|
|
// GIT_SSL_CAPATH
|
|
if cadir, _ := osEnv.Get("GIT_SSL_CAPATH"); len(cadir) > 0 {
|
|
return appendCertsFromFilesInDir(pool, cadir)
|
|
}
|
|
// http.sslcapath
|
|
if cadir, ok := gitEnv.Get("http.sslcapath"); ok {
|
|
return appendCertsFromFilesInDir(pool, cadir)
|
|
}
|
|
|
|
return pool
|
|
}
|
|
|
|
func appendCertsFromFilesInDir(pool *x509.CertPool, dir string) *x509.CertPool {
|
|
files, err := ioutil.ReadDir(dir)
|
|
if err != nil {
|
|
tracerx.Printf("Error reading cert dir %q: %v", dir, err)
|
|
return pool
|
|
}
|
|
for _, f := range files {
|
|
pool = appendCertsFromFile(pool, filepath.Join(dir, f.Name()))
|
|
}
|
|
return pool
|
|
}
|
|
|
|
func appendCertsFromFile(pool *x509.CertPool, filename string) *x509.CertPool {
|
|
data, err := ioutil.ReadFile(filename)
|
|
if err != nil {
|
|
tracerx.Printf("Error reading cert file %q: %v", filename, err)
|
|
return pool
|
|
}
|
|
// Firstly, try parsing as binary certificate
|
|
if certs, err := x509.ParseCertificates(data); err == nil {
|
|
return appendCerts(pool, certs)
|
|
}
|
|
// If not binary certs, try PEM data
|
|
return appendCertsFromPEMData(pool, data)
|
|
}
|
|
|
|
func appendCerts(pool *x509.CertPool, certs []*x509.Certificate) *x509.CertPool {
|
|
if len(certs) == 0 {
|
|
// important to return unmodified (may be nil)
|
|
return pool
|
|
}
|
|
|
|
if pool == nil {
|
|
pool = x509.NewCertPool()
|
|
}
|
|
|
|
for _, cert := range certs {
|
|
pool.AddCert(cert)
|
|
}
|
|
|
|
return pool
|
|
}
|
|
|
|
func appendCertsFromPEMData(pool *x509.CertPool, data []byte) *x509.CertPool {
|
|
if len(data) == 0 {
|
|
return pool
|
|
}
|
|
|
|
// Bit of a dance, need to ensure if AppendCertsFromPEM fails we still return
|
|
// nil and not an empty pool, so system roots still get used
|
|
var ret *x509.CertPool
|
|
if pool == nil {
|
|
ret = x509.NewCertPool()
|
|
} else {
|
|
ret = pool
|
|
}
|
|
if !ret.AppendCertsFromPEM(data) {
|
|
// Return unmodified input pool (may be nil, do not replace with empty)
|
|
return pool
|
|
}
|
|
return ret
|
|
}
|