Check if key has a passphrase

mrmarkuz · mrmarkuz · commit ff409a9db84d · 2026-02-05T09:53:10.000+01:00
diff --git a/imageroot/actions/upload-certificate/21validate_certificates b/imageroot/actions/upload-certificate/21validate_certificates
@@ -9,13 +9,27 @@ set -e
 
 CERT_FILE=uploaded_cert
 KEY_FILE=uploaded_key
+PASSPHRASE_KEY=0
 VALID_KEY=0
 TYPE_KEY=""
 
 del_certs() {
     rm -f $KEY_FILE $CERT_FILE
 }
 
+# checking if key has a passphrase
+if openssl rsa -check -in $KEY_FILE -passin pass:1234 >/dev/null 2>&1; then
+    PASSPHRASE_KEY=1
+fi
+
+if [ $PASSPHRASE_KEY -eq 0 ]; then
+    echo "A key with a passphrase is not allowed." 1>&2
+    echo "set-status validation-failed" >&${AGENT_COMFD:-2}
+    printf '[{"field":"keyFile","parameter":"keyFile","value":"","error":"invalid_key"}]\n'
+    del_certs
+    exit 2
+fi
+
 # checking if key is valid
 if openssl rsa -check -in $KEY_FILE >/dev/null 2>&1; then
     VALID_KEY=1
