⬆️ Update vendor

2025-09-21 19:18:09 +00:00 · 2022-03-21 15:00:51 +01:00
parent 114d4899f6
commit 2f60504da3
38 changed files with 14105 additions and 64 deletions
--- a/vendor/github.com/Masterminds/sprig/v3/crypto.go
+++ b/vendor/github.com/Masterminds/sprig/v3/crypto.go
@@ -2,10 +2,12 @@ package sprig

 import (
 	"bytes"
+	"crypto"
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/dsa"
 	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/elliptic"
 	"crypto/hmac"
 	"crypto/rand"
@@ -30,7 +32,7 @@ import (
 	"strings"

 	"github.com/google/uuid"
-	"golang.org/x/crypto/bcrypt"
+	bcrypt_lib "golang.org/x/crypto/bcrypt"
 	"golang.org/x/crypto/scrypt"
 )

@@ -49,15 +51,28 @@ func adler32sum(input string) string {
 	return fmt.Sprintf("%d", hash)
 }

+func bcrypt(input string) string {
+	hash, err := bcrypt_lib.GenerateFromPassword([]byte(input), bcrypt_lib.DefaultCost)
+	if err != nil {
+		return fmt.Sprintf("failed to encrypt string with bcrypt: %s", err)
+	}
+
+	return string(hash)
+}
+
 func htpasswd(username string, password string) string {
 	if strings.Contains(username, ":") {
 		return fmt.Sprintf("invalid username: %s", username)
 	}
-	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
-	if err != nil {
-		return fmt.Sprintf("failed to create htpasswd: %s", err)
+	return fmt.Sprintf("%s:%s", username, bcrypt(password))
+}
+
+func randBytes(count int) (string, error) {
+	buf := make([]byte, count)
+	if _, err := rand.Read(buf); err != nil {
+		return "", err
 	}
-	return fmt.Sprintf("%s:%s", username, hash)
+	return base64.StdEncoding.EncodeToString(buf), nil
 }

 // uuidv4 provides a safe and secure UUID v4 implementation
@@ -147,6 +162,8 @@ func generatePrivateKey(typ string) string {
 	case "ecdsa":
 		// again, good enough for government work
 		priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	case "ed25519":
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
 	default:
 		return "Unknown type " + typ
 	}
@@ -179,7 +196,73 @@ func pemBlockForKey(priv interface{}) *pem.Block {
 		b, _ := x509.MarshalECPrivateKey(k)
 		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
 	default:
-		return nil
+		// attempt PKCS#8 format for all other keys
+		b, err := x509.MarshalPKCS8PrivateKey(k)
+		if err != nil {
+			return nil
+		}
+		return &pem.Block{Type: "PRIVATE KEY", Bytes: b}
+	}
+}
+
+func parsePrivateKeyPEM(pemBlock string) (crypto.PrivateKey, error) {
+	block, _ := pem.Decode([]byte(pemBlock))
+	if block == nil {
+		return nil, errors.New("no PEM data in input")
+	}
+
+	if block.Type == "PRIVATE KEY" {
+		priv, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("decoding PEM as PKCS#8: %s", err)
+		}
+		return priv, nil
+	} else if !strings.HasSuffix(block.Type, " PRIVATE KEY") {
+		return nil, fmt.Errorf("no private key data in PEM block of type %s", block.Type)
+	}
+
+	switch block.Type[:len(block.Type)-12] { // strip " PRIVATE KEY"
+	case "RSA":
+		priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("parsing RSA private key from PEM: %s", err)
+		}
+		return priv, nil
+	case "EC":
+		priv, err := x509.ParseECPrivateKey(block.Bytes)
+		if err != nil {
+			return nil, fmt.Errorf("parsing EC private key from PEM: %s", err)
+		}
+		return priv, nil
+	case "DSA":
+		var k DSAKeyFormat
+		_, err := asn1.Unmarshal(block.Bytes, &k)
+		if err != nil {
+			return nil, fmt.Errorf("parsing DSA private key from PEM: %s", err)
+		}
+		priv := &dsa.PrivateKey{
+			PublicKey: dsa.PublicKey{
+				Parameters: dsa.Parameters{
+					P: k.P, Q: k.Q, G: k.G,
+				},
+				Y: k.Y,
+			},
+			X: k.X,
+		}
+		return priv, nil
+	default:
+		return nil, fmt.Errorf("invalid private key type %s", block.Type)
+	}
+}
+
+func getPublicKey(priv crypto.PrivateKey) (crypto.PublicKey, error) {
+	switch k := priv.(type) {
+	case interface{ Public() crypto.PublicKey }:
+		return k.Public(), nil
+	case *dsa.PrivateKey:
+		return &k.PublicKey, nil
+	default:
+		return nil, fmt.Errorf("unable to get public key for type %T", priv)
 	}
 }

@@ -213,14 +296,10 @@ func buildCustomCertificate(b64cert string, b64key string) (certificate, error)
 		)
 	}

-	decodedKey, _ := pem.Decode(key)
-	if decodedKey == nil {
-		return crt, errors.New("unable to decode key")
-	}
-	_, err = x509.ParsePKCS1PrivateKey(decodedKey.Bytes)
+	_, err = parsePrivateKeyPEM(string(key))
 	if err != nil {
 		return crt, fmt.Errorf(
-			"error parsing prive key: decodedKey.Bytes: %s",
+			"error parsing private key: %s",
 			err,
 		)
 	}
@@ -234,6 +313,31 @@ func buildCustomCertificate(b64cert string, b64key string) (certificate, error)
 func generateCertificateAuthority(
 	cn string,
 	daysValid int,
+) (certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+
+	return generateCertificateAuthorityWithKeyInternal(cn, daysValid, priv)
+}
+
+func generateCertificateAuthorityWithPEMKey(
+	cn string,
+	daysValid int,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
+	if err != nil {
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
+	}
+	return generateCertificateAuthorityWithKeyInternal(cn, daysValid, priv)
+}
+
+func generateCertificateAuthorityWithKeyInternal(
+	cn string,
+	daysValid int,
+	priv crypto.PrivateKey,
 ) (certificate, error) {
 	ca := certificate{}

@@ -247,11 +351,6 @@ func generateCertificateAuthority(
 		x509.KeyUsageCertSign
 	template.IsCA = true

-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return ca, fmt.Errorf("error generating rsa key: %s", err)
-	}
-
 	ca.Cert, ca.Key, err = getCertAndKey(template, priv, template, priv)

 	return ca, err
@@ -262,6 +361,34 @@ func generateSelfSignedCertificate(
 	ips []interface{},
 	alternateDNS []interface{},
 	daysValid int,
+) (certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+	return generateSelfSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, priv)
+}
+
+func generateSelfSignedCertificateWithPEMKey(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
+	if err != nil {
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
+	}
+	return generateSelfSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, priv)
+}
+
+func generateSelfSignedCertificateWithKeyInternal(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	priv crypto.PrivateKey,
 ) (certificate, error) {
 	cert := certificate{}

@@ -270,11 +397,6 @@ func generateSelfSignedCertificate(
 		return cert, err
 	}

-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return cert, fmt.Errorf("error generating rsa key: %s", err)
-	}
-
 	cert.Cert, cert.Key, err = getCertAndKey(template, priv, template, priv)

 	return cert, err
@@ -286,6 +408,36 @@ func generateSignedCertificate(
 	alternateDNS []interface{},
 	daysValid int,
 	ca certificate,
+) (certificate, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return certificate{}, fmt.Errorf("error generating rsa key: %s", err)
+	}
+	return generateSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, ca, priv)
+}
+
+func generateSignedCertificateWithPEMKey(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	ca certificate,
+	privPEM string,
+) (certificate, error) {
+	priv, err := parsePrivateKeyPEM(privPEM)
+	if err != nil {
+		return certificate{}, fmt.Errorf("parsing private key: %s", err)
+	}
+	return generateSignedCertificateWithKeyInternal(cn, ips, alternateDNS, daysValid, ca, priv)
+}
+
+func generateSignedCertificateWithKeyInternal(
+	cn string,
+	ips []interface{},
+	alternateDNS []interface{},
+	daysValid int,
+	ca certificate,
+	priv crypto.PrivateKey,
 ) (certificate, error) {
 	cert := certificate{}

@@ -300,14 +452,10 @@ func generateSignedCertificate(
 			err,
 		)
 	}
-	decodedSignerKey, _ := pem.Decode([]byte(ca.Key))
-	if decodedSignerKey == nil {
-		return cert, errors.New("unable to decode key")
-	}
-	signerKey, err := x509.ParsePKCS1PrivateKey(decodedSignerKey.Bytes)
+	signerKey, err := parsePrivateKeyPEM(ca.Key)
 	if err != nil {
 		return cert, fmt.Errorf(
-			"error parsing prive key: decodedSignerKey.Bytes: %s",
+			"error parsing private key: %s",
 			err,
 		)
 	}
@@ -317,11 +465,6 @@ func generateSignedCertificate(
 		return cert, err
 	}

-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return cert, fmt.Errorf("error generating rsa key: %s", err)
-	}
-
 	cert.Cert, cert.Key, err = getCertAndKey(
 		template,
 		priv,
@@ -334,15 +477,19 @@ func generateSignedCertificate(

 func getCertAndKey(
 	template *x509.Certificate,
-	signeeKey *rsa.PrivateKey,
+	signeeKey crypto.PrivateKey,
 	parent *x509.Certificate,
-	signingKey *rsa.PrivateKey,
+	signingKey crypto.PrivateKey,
 ) (string, string, error) {
+	signeePubKey, err := getPublicKey(signeeKey)
+	if err != nil {
+		return "", "", fmt.Errorf("error retrieving public key from signee key: %s", err)
+	}
 	derBytes, err := x509.CreateCertificate(
 		rand.Reader,
 		template,
 		parent,
-		&signeeKey.PublicKey,
+		signeePubKey,
 		signingKey,
 	)
 	if err != nil {
@@ -360,10 +507,7 @@ func getCertAndKey(
 	keyBuffer := bytes.Buffer{}
 	if err := pem.Encode(
 		&keyBuffer,
-		&pem.Block{
-			Type:  "RSA PRIVATE KEY",
-			Bytes: x509.MarshalPKCS1PrivateKey(signeeKey),
-		},
+		pemBlockForKey(signeeKey),
 	); err != nil {
 		return "", "", fmt.Errorf("error pem-encoding key: %s", err)
 	}