BACKPORT: use an encrypted client certificate to connect to a docker daemon

runcom · runcom · commit af23c1bc35f7 · 2017-11-15T17:21:54.000+01:00
Fix https://bugzilla.redhat.com/show_bug.cgi?id=1510170 Signed-off-by: Antonio Murdaca <runcom@redhat.com>
diff --git a/api/client/cli.go b/api/client/cli.go
@@ -19,6 +19,8 @@ import (
 	"github.com/docker/engine-api/client"
 	"github.com/docker/go-connections/sockets"
 	"github.com/docker/go-connections/tlsconfig"
+	"github.com/docker/notary/passphrase"
+	pkgerrors "github.com/pkg/errors"
 )
 
 // DockerCli represents the docker command line client.
@@ -179,6 +181,24 @@ func NewDockerCli(in io.ReadCloser, out, err io.Writer, clientFlags *cliflags.Cl
 		cli.configFile = LoadDefaultConfigFile(err)
 
 		client, err := NewAPIClientFromFlags(clientFlags, cli.configFile)
+		if tlsconfig.IsErrEncryptedKey(err) {
+			var (
+				passwd string
+				giveup bool
+			)
+			passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil)
+			for attempts := 0; tlsconfig.IsErrEncryptedKey(err); attempts++ {
+				// some code and comments borrowed from notary/trustmanager/keystore.go
+				passwd, giveup, err = passRetriever("private", "encrypted TLS private", false, attempts)
+				// Check if the passphrase retriever got an error or if it is telling us to give up
+				if giveup || err != nil {
+					return pkgerrors.Wrap(err, "private key is encrypted, but could not get passphrase")
+				}
+
+				clientFlags.Common.TLSOptions.Passphrase = passwd
+				client, err = NewAPIClientFromFlags(clientFlags, cli.configFile)
+			}
+		}
 		if err != nil {
 			return err
 		}
diff --git a/vendor/src/github.com/docker/go-connections/tlsconfig/config.go b/vendor/src/github.com/docker/go-connections/tlsconfig/config.go
@@ -8,11 +8,13 @@ package tlsconfig
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"io/ioutil"
 	"os"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/pkg/errors"
 )
 
 // Options represents the information needed to create client and server TLS configurations.
@@ -29,6 +31,10 @@ type Options struct {
 	InsecureSkipVerify bool
 	// server-only option
 	ClientAuth tls.ClientAuthType
+
+	// If Passphrase is set, it will be used to decrypt a TLS private key
+	// if the key is encrypted
+	Passphrase string
 }
 
 // Extra (server-side) accepted CBC cipher suites - will phase out in the future
@@ -80,6 +86,67 @@ func certPool(caFile string) (*x509.CertPool, error) {
 	return certPool, nil
 }
 
+// IsErrEncryptedKey returns true if the 'err' is an error of incorrect
+// password when tryin to decrypt a TLS private key
+func IsErrEncryptedKey(err error) bool {
+	return errors.Cause(err) == x509.IncorrectPasswordError
+}
+
+// getCert returns a Certificate from the CertFile and KeyFile in 'options',
+// if the key is encrypted, the Passphrase in 'options' will be used to
+// decrypt it.
+func getCert(options Options) ([]tls.Certificate, error) {
+	if options.CertFile == "" && options.KeyFile == "" {
+		return nil, nil
+	}
+
+	errMessage := "Could not load X509 key pair"
+
+	cert, err := ioutil.ReadFile(options.CertFile)
+	if err != nil {
+		return nil, errors.Wrap(err, errMessage)
+	}
+
+	prKeyBytes, err := ioutil.ReadFile(options.KeyFile)
+	if err != nil {
+		return nil, errors.Wrap(err, errMessage)
+	}
+
+	prKeyBytes, err = getPrivateKey(prKeyBytes, options.Passphrase)
+	if err != nil {
+		return nil, errors.Wrap(err, errMessage)
+	}
+
+	tlsCert, err := tls.X509KeyPair(cert, prKeyBytes)
+	if err != nil {
+		return nil, errors.Wrap(err, errMessage)
+	}
+
+	return []tls.Certificate{tlsCert}, nil
+}
+
+// getPrivateKey returns the private key in 'keyBytes', in PEM-encoded format.
+// If the private key is encrypted, 'passphrase' is used to decrypted the
+// private key.
+func getPrivateKey(keyBytes []byte, passphrase string) ([]byte, error) {
+	// this section makes some small changes to code from notary/tuf/utils/x509.go
+	pemBlock, _ := pem.Decode(keyBytes)
+	if pemBlock == nil {
+		return nil, fmt.Errorf("no valid private key found")
+	}
+
+	var err error
+	if x509.IsEncryptedPEMBlock(pemBlock) {
+		keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(passphrase))
+		if err != nil {
+			return nil, errors.Wrap(err, "private key is encrypted, but could not decrypt it")
+		}
+		keyBytes = pem.EncodeToMemory(&pem.Block{Type: pemBlock.Type, Bytes: keyBytes})
+	}
+
+	return keyBytes, nil
+}
+
 // Client returns a TLS configuration meant to be used by a client.
 func Client(options Options) (*tls.Config, error) {
 	tlsConfig := ClientDefault
@@ -99,6 +166,11 @@ func Client(options Options) (*tls.Config, error) {
 		}
 		tlsConfig.Certificates = []tls.Certificate{tlsCert}
 	}
+	tlsCerts, err := getCert(options)
+	if err != nil {
+		return nil, err
+	}
+	tlsConfig.Certificates = tlsCerts
 
 	return &tlsConfig, nil
 }
