From 8c3d0703ed71e9ac166b221146176a3ea7e23989 Mon Sep 17 00:00:00 2001 From: Vladimir Shushlin Date: Sat, 7 Sep 2019 00:29:03 +0000 Subject: Allow to load ECDSA certificates for pages domains Just replace RSA.new with PKey.read --- app/models/pages_domain.rb | 4 ++-- app/validators/certificate_key_validator.rb | 4 ++-- app/validators/named_ecdsa_key_validator.rb | 34 +++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 4 deletions(-) create mode 100644 app/validators/named_ecdsa_key_validator.rb (limited to 'app') diff --git a/app/models/pages_domain.rb b/app/models/pages_domain.rb index 12ce717efd7..a2a471074a9 100644 --- a/app/models/pages_domain.rb +++ b/app/models/pages_domain.rb @@ -17,7 +17,7 @@ class PagesDomain < ApplicationRecord validates :certificate, certificate: true, if: ->(domain) { domain.certificate.present? } validates :key, presence: { message: 'must be present if HTTPS-only is enabled' }, if: :certificate_should_be_present? - validates :key, certificate_key: true, if: ->(domain) { domain.key.present? } + validates :key, certificate_key: true, named_ecdsa_key: true, if: ->(domain) { domain.key.present? } validates :verification_code, presence: true, allow_blank: false validate :validate_pages_domain @@ -247,7 +247,7 @@ class PagesDomain < ApplicationRecord def pkey return unless key - @pkey ||= OpenSSL::PKey::RSA.new(key) + @pkey ||= OpenSSL::PKey.read(key) rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError nil end diff --git a/app/validators/certificate_key_validator.rb b/app/validators/certificate_key_validator.rb index 5b2bbffc066..b9d54d9636e 100644 --- a/app/validators/certificate_key_validator.rb +++ b/app/validators/certificate_key_validator.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -# UrlValidator +# CertificateKeyValidator # # Custom validator for private keys. # @@ -20,7 +20,7 @@ class CertificateKeyValidator < ActiveModel::EachValidator def valid_private_key_pem?(value) return false unless value - pkey = OpenSSL::PKey::RSA.new(value) + pkey = OpenSSL::PKey.read(value) pkey.private? rescue OpenSSL::PKey::PKeyError false diff --git a/app/validators/named_ecdsa_key_validator.rb b/app/validators/named_ecdsa_key_validator.rb new file mode 100644 index 00000000000..42ee02b6ad4 --- /dev/null +++ b/app/validators/named_ecdsa_key_validator.rb @@ -0,0 +1,34 @@ +# frozen_string_literal: true + +# NamedEcdsaKeyValidator +# +# Custom validator for ecdsa private keys. +# Golang currently doesn't support explicit curves for ECDSA certificates +# This validator checks if curve is set by name, not by parameters +# +# class Project < ActiveRecord::Base +# validates :certificate_key, named_ecdsa_key: true +# end +# +class NamedEcdsaKeyValidator < ActiveModel::EachValidator + def validate_each(record, attribute, value) + if explicit_ec?(value) + record.errors.add(attribute, "ECDSA keys with explicit curves are not supported") + end + end + + private + + UNNAMED_CURVE = "UNDEF" + + def explicit_ec?(value) + return false unless value + + pkey = OpenSSL::PKey.read(value) + return false unless pkey.is_a?(OpenSSL::PKey::EC) + + pkey.group.curve_name == UNNAMED_CURVE + rescue OpenSSL::PKey::PKeyError + false + end +end -- cgit v1.2.1