Remove support for encrypted TLS private keys #3220
Conversation
Note that there's still support for encrypted keys as part of cli/cli/command/trust/key_generate.go (lines 77 to 81 in a32cd16).

Not sure if that should be changed /cc @justincormack
Force-pushed from 8c1da14 to 13c982f.
Codecov Report

```text
@@            Coverage Diff             @@
##           master    #3220      +/-   ##
==========================================
+ Coverage   56.36%   57.99%   +1.63%
==========================================
  Files         304      302       -2
  Lines       26833    21734    -5099
==========================================
- Hits        15124    12605    -2519
+ Misses      10789     8206    -2583
- Partials      920      923       +3
```
@justincormack @cpuguy83 PTAL
cli/context/docker/load.go (outdated)

```go
			return nil, errors.Wrap(err, "private key is encrypted, but could not decrypt it")
		}
		keyBytes = pem.EncodeToMemory(&pem.Block{Type: pemBlock.Type, Bytes: keyBytes})
	return nil, errors.New("private key is encrypted - support for encrypted private keys has been removed")
```
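Review bot: the `errors.New` message on the last line tells the user that support "has been removed" but gives no next step, and the removed lines above show this is exactly the point where a user with an encrypted key will now be stopped; suggest stating the remedy in the message itself (decrypt the key and store it unencrypted) or pointing at a docs page, for example `errors.New("private key is encrypted - support for encrypted private keys has been removed; decrypt the key and store it unencrypted")`, so the error is actionable without reading the changelog.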
We could link to an issue here rather than just saying "has been removed"? or docs?
Opened docker/docs#13329, and added a link to https://docs.docker.com/go/deprecated/ (which will contain the information from docs/deprecated.md from this PR)
docs/deprecated.md

Use of encrypted TLS private keys has been deprecated, and has been removed.
Golang has deprecated support for legacy PEM encryption (as specified in
[RFC 1423](https://datatracker.ietf.org/doc/html/rfc1423)), as it is insecure by
design (see [https://go-review.googlesource.com/c/go/+/264159](https://go-review.googlesource.com/c/go/+/264159)).
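Review bot: the deprecation entry explains why encrypted keys are rejected (RFC 1423 PEM encryption is insecure by design) but not what an affected user should do; suggest adding, right after the RFC 1423 sentence, the remedy the commit message already states (decrypt the private key and store it unencrypted to continue using it), so the entry is actionable on its own and matches the error users will see from load.go.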
This could say what to do? Basically as the password was next to the key anyway, it wasn't secure.
I added a paragraph below, but I can remove the Golang quote if you think it doesn't make sense to include.
I had trouble finding a "canonical" walk-through on removing password-encryption (openssl is fun, as there's many ways to do things), so I left that as an exercise to the user, but if you know of a good resource we should link to, I can add that
Force-pushed from 13c982f to 4fa9695.
@justincormack ptal
@justincormack ptal if the description looks OK now
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext

From https://go-review.googlesource.com/c/go/+/264159

> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.

This feature allowed using an encrypted private key with a supplied password, but did not provide additional security as the encryption is known to be broken, and the key is sitting next to the password in the filesystem.

Users are recommended to decrypt the private key, and store it un-encrypted to continue using it.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
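The behaviour the load.go change introduces, as an added example that is not part of this PR or of docker/cli's own code: a small Go loader that recognises the RFC 1423 headers (`Proc-Type: 4,ENCRYPTED` plus a `DEK-Info` line) on a PEM block and refuses such keys with an error that states the remedy, while parsing unencrypted PKCS#1, SEC 1 and PKCS#8 keys normally. It goes slightly beyond the diff by also rejecting PKCS#8 `ENCRYPTED PRIVATE KEY` blocks, which the quoted Go review says the standard library does not implement either. The function names, the error wording and the constructed sample inputs (a block carrying only the legacy headers with a placeholder body, and a freshly generated throwaway P-256 key) are assumptions of the example; the docs URL is the one linked in the thread.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Docs link taken from the PR thread; the message text around it is an assumption of this example.
const deprecatedDocsURL = "https://docs.docker.com/go/deprecated/"

// ErrEncryptedKey is returned for any encrypted private key. The remedy is part of the
// error so the user is not left guessing what to do.
var ErrEncryptedKey = errors.New("private key is encrypted - support for encrypted private keys has been removed; " +
	"decrypt the key and store it unencrypted, see " + deprecatedDocsURL)

// isLegacyEncrypted reports whether a PEM block carries the RFC 1423 "Proc-Type: 4,ENCRYPTED"
// header that marks legacy PEM encryption. Only headers are inspected; nothing is decrypted.
func isLegacyEncrypted(block *pem.Block) bool {
	procType, ok := block.Headers["Proc-Type"]
	return ok && strings.Contains(procType, "ENCRYPTED")
}

// loadPrivateKey parses an unencrypted PEM private key (PKCS#1, SEC 1 or PKCS#8) and
// refuses encrypted ones up front instead of attempting RFC 1423 decryption.
func loadPrivateKey(pemBytes []byte) (crypto.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found in private key data")
	}
	// Legacy RFC 1423 encryption (what the PR removes) and PKCS#8 encryption (which Go's
	// standard library does not implement either) are both rejected with the same error.
	if isLegacyEncrypted(block) || block.Type == "ENCRYPTED PRIVATE KEY" {
		return nil, ErrEncryptedKey
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		return key, nil
	case "EC PRIVATE KEY":
		key, err := x509.ParseECPrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		return key, nil
	case "PRIVATE KEY":
		return x509.ParsePKCS8PrivateKey(block.Bytes)
	}
	return nil, fmt.Errorf("unsupported PEM block type %q", block.Type)
}

// constructedLegacyEncryptedKey builds a PEM block that only carries the RFC 1423 headers;
// the body is placeholder text, not a real key or real ciphertext (constructed sample input).
func constructedLegacyEncryptedKey() []byte {
	return pem.EncodeToMemory(&pem.Block{
		Type: "EC PRIVATE KEY",
		Headers: map[string]string{
			"Proc-Type": "4,ENCRYPTED",
			"DEK-Info":  "AES-256-CBC,00112233445566778899AABBCCDDEEFF", // constructed IV
		},
		Bytes: []byte("placeholder body: the loader rejects this block before reading it"),
	})
}

// constructedPKCS8EncryptedKey builds a PKCS#8 "ENCRYPTED PRIVATE KEY" block with a
// placeholder body, constructed only to exercise the rejection path.
func constructedPKCS8EncryptedKey() []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED PRIVATE KEY", Bytes: []byte("placeholder body")})
}

// freshUnencryptedKey generates a throwaway P-256 key and encodes it as an unencrypted
// SEC 1 PEM block, the form users are advised to migrate to.
func freshUnencryptedKey() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

func main() {
	_, err := loadPrivateKey(constructedLegacyEncryptedKey())
	fmt.Println("legacy RFC 1423 key:", err)
	plain, err := freshUnencryptedKey()
	if err != nil {
		panic(err)
	}
	key, err := loadPrivateKey(plain)
	fmt.Printf("unencrypted key: %T, err=%v\n", key, err)
}
```

The thread leaves the actual decryption as an exercise; one way to produce the unencrypted form from an existing RFC 1423-encrypted key is `openssl pkey -in encrypted.pem -out plain.pem`, which prompts for the passphrase and writes an unencrypted PKCS#8 `PRIVATE KEY` block that the loader above accepts. The output file deserves the same filesystem permissions as the original, since, as the commit message notes, the passphrase never added protection beyond what those permissions already provide.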
Force-pushed from 4fa9695 to 08a1ccc.
chris-crone left a comment

LGTM