From bf2c19cfe23acb25ff31435fa2641bfd6fb20028 Mon Sep 17 00:00:00 2001
From: Nora Koirala
Date: Wed, 18 Sep 2024 14:44:44 -0700
Subject: [PATCH 1/2] init
---
 main/handlersettingscommon.go | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/main/handlersettingscommon.go b/main/handlersettingscommon.go
index 0caf991..5c2fb80 100644
--- a/main/handlersettingscommon.go
+++ b/main/handlersettingscommon.go
@@ -4,11 +4,12 @@ import (
 "bytes"
 "encoding/base64"
 "encoding/json"
- "errors"
 "fmt"
 "io/ioutil"
 "os/exec"
 "path/filepath"
+
+ "github.com/pkg/errors"
 )
 const (
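Review bot: The stdlib `errors` import is swapped for `github.com/pkg/errors` only so that the second hunk can call `errors.Wrapf`; `fmt.Errorf` with the `%w` verb, already reachable through the existing `fmt` import, chains an error the same way and `errors.Is`/`errors.As` unwrap it, e.g. `return fmt.Errorf("decrypting protected settings with smime command failed: error=%v stderr=%s: %w", err, bErr.String(), errMsg)`. The diffstat shows only this one file changing, so unless pkg/errors is already required by the module, go.mod and go.sum are not updated by this patch and the build would break on a clean checkout. pkg/errors has also been in maintenance mode for years, so pulling it in for a single call is hard to justify; keeping the stdlib `"errors"` line avoids both problems.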
@@ -124,14 +125,27 @@ func unmarshalProtectedSettings(configFolder string, hs handlerSettingsCommon, v
 // we use os/exec instead of azure-docker-extension/pkg/executil here as
 // other extension handlers depend on this package for parsing handler
 // settings.
- cmd := exec.Command("openssl", "smime", "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
+
+ //using cms command to support for FIPS 140-3
+ cmd := exec.Command("openssl", "cms", "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
 var bOut, bErr bytes.Buffer
+ var errMsg error
 cmd.Stdin = bytes.NewReader(decoded)
 cmd.Stdout = &bOut
 cmd.Stderr = &bErr
+ //back up smime command in case cms fails
 if err := cmd.Run(); err != nil {
- return fmt.Errorf("decrypting protected settings failed: error=%v stderr=%s", err, string(bErr.Bytes()))
+ errMsg = fmt.Errorf("decrypting protected settings with cms command failed: error=%v stderr=%s \n now decrypting with smime command", err, string(bErr.Bytes()))
+ cmd = exec.Command("openssl", "smime", "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
+ cmd.Stdin = bytes.NewReader(decoded)
+ bOut.Reset()
+ bErr.Reset()
+ cmd.Stdout = &bOut
+ cmd.Stderr = &bErr
+ if err := cmd.Run(); err != nil {
+ return errors.Wrapf(errMsg, "decrypting protected settings with smime command failed: error=%v stderr=%s", err, string(bErr.Bytes()))
+ }
 }
 // decrypted: json object for protected settings
From f0dda35be074d25832fad2d3c11ce9d35228ac70 Mon Sep 17 00:00:00 2001
From: Nora Koirala
Date: Thu, 19 Sep 2024 10:27:46 -0700
Subject: [PATCH 2/2] nit
---
 main/handlersettingscommon.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main/handlersettingscommon.go b/main/handlersettingscommon.go
index 5c2fb80..fe24989 100644
--- a/main/handlersettingscommon.go
+++ b/main/handlersettingscommon.go
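Review bot: In the new `if err := cmd.Run()` branch the `cms` failure is kept in `errMsg` and then dropped whenever the `smime` retry succeeds, so a broken FIPS `cms` path is masked by the fallback and nothing records it; only the double failure is reported, and that message embeds a progress sentence (`\n now decrypting with smime command`) inside an error string. The fallback also fires on any non-zero exit, so a genuine decryption failure (wrong key or recipient certificate) is attempted twice and reported as a cms-then-smime chain. The two command setups are copied line for line; I would factor the run into a closure, chain both failures with `%w` instead of `errors.Wrapf` (which makes the new `github.com/pkg/errors` import unnecessary for this hunk), and leave a hook where the cms error should be surfaced to the handler's logger, which is not visible here. The code after the hunk keeps reading `bOut`, so the rewrite keeps that name; unmarshalProtectedSettings starts and ends outside the hunk.
```go
	// … unchanged: comment on os/exec vs executil …
	var bOut bytes.Buffer
	// runDecrypt runs one openssl decrypt sub-command ("cms" for FIPS 140-3,
	// "smime" as the fallback) over the decoded blob, leaving the plaintext in bOut.
	runDecrypt := func(sub string) error {
		var bErr bytes.Buffer
		bOut.Reset()
		cmd := exec.Command("openssl", sub, "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
		cmd.Stdin = bytes.NewReader(decoded)
		cmd.Stdout = &bOut
		cmd.Stderr = &bErr
		if err := cmd.Run(); err != nil {
			return fmt.Errorf("openssl %s: %v stderr=%s", sub, err, bErr.String())
		}
		return nil
	}
	cmsErr := runDecrypt("cms")
	if cmsErr != nil {
		if smimeErr := runDecrypt("smime"); smimeErr != nil {
			return fmt.Errorf("decrypting protected settings failed: cms: %v; smime: %w", cmsErr, smimeErr)
		}
		// TODO(review): surface cmsErr through the handler's logger so a broken cms path is not hidden by the fallback.
	}
	// … unchanged: decrypted json handling …
```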
@@ -136,7 +136,7 @@ func unmarshalProtectedSettings(configFolder string, hs handlerSettingsCommon, v
 //back up smime command in case cms fails
 if err := cmd.Run(); err != nil {
- errMsg = fmt.Errorf("decrypting protected settings with cms command failed: error=%v stderr=%s \n now decrypting with smime command", err, string(bErr.Bytes()))
+ errMsg = fmt.Errorf("decrypting protected settings with cms command failed: error=%v stderr=%s \n now decrypting with smime command", err, bErr.String())
 cmd = exec.Command("openssl", "smime", "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
 cmd.Stdin = bytes.NewReader(decoded)
 bOut.Reset()
@@ -144,7 +144,7 @@ func unmarshalProtectedSettings(configFolder string, hs handlerSettingsCommon, v
 cmd.Stdout = &bOut
 cmd.Stderr = &bErr
 if err := cmd.Run(); err != nil {
- return errors.Wrapf(errMsg, "decrypting protected settings with smime command failed: error=%v stderr=%s", err, string(bErr.Bytes()))
+ return errors.Wrapf(errMsg, "decrypting protected settings with smime command failed: error=%v stderr=%s", err, bErr.String())
 }
 }