feat: support encrypted keys

Author: nadilas

main.go

@@ -77,6 +77,7 @@ func main() {
 		issuerFile    = flag.String("issuer", "", "Path to issuer certificate (PEM)")
 		responderFile = flag.String("responder", "", "Path to responder certificate (PEM)")
 		keyFile       = flag.String("key", "", "Path to responder private key (PEM)")
+		keyPassword   = flag.String("key-password", "", "Password for encrypted private key (if key is encrypted)")
 		interval      = flag.Duration("interval", 24*time.Hour, "OCSP response validity interval")
 
 		// CRL source options
@@ -101,12 +102,14 @@ func main() {
 		fmt.Fprintf(os.Stderr, "  # With local CRL file:\n")
 		fmt.Fprintf(os.Stderr, "  %s -issuer ca.pem -responder ocsp.pem -key ocsp-key.pem -crl-file /path/to/crl.der\n\n", os.Args[0])
 		fmt.Fprintf(os.Stderr, "  # Fetch issuer and responder certs from URL:\n")
-		fmt.Fprintf(os.Stderr, "  %s -issuer https://pki.example.com/ca.crt -responder https://pki.example.com/ca.crt -key ocsp-key.pem\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "  %s -issuer https://pki.example.com/ca.crt -responder https://pki.example.com/ca.crt -key ocsp-key.pem\n\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "  # With encrypted private key:\n")
+		fmt.Fprintf(os.Stderr, "  %s -issuer ca.pem -responder ocsp.pem -key ocsp-key.pem -key-password 'mypassword'\n", os.Args[0])
 		os.Exit(1)
 	}
 
 	// Create signer from paths (certs can be files or URLs, key must be file)
-	signer, err := ocsp.NewSignerFromPaths(*issuerFile, *responderFile, *keyFile, *interval, *insecureSkipTLS)
+	signer, err := ocsp.NewSignerFromPaths(*issuerFile, *responderFile, *keyFile, *keyPassword, *interval, *insecureSkipTLS)
 	if err != nil {
 		log.Fatalf("Failed to create signer: %v", err)
 	}

ocsp/helpers.go

@@ -8,6 +8,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"errors"
+	"fmt"
 )
 
 // ParseCertificatePEM parses a PEM-encoded certificate
@@ -24,32 +25,54 @@ func ParseCertificatePEM(data []byte) (*x509.Certificate, error) {
 	return x509.ParseCertificate(block.Bytes)
 }
 
-// ParsePrivateKeyPEM parses a PEM-encoded private key
+// ParsePrivateKeyPEM parses a PEM-encoded private key (unencrypted)
 func ParsePrivateKeyPEM(data []byte) (crypto.Signer, error) {
+	return ParsePrivateKeyPEMWithPassword(data, "")
+}
+
+// ParsePrivateKeyPEMWithPassword parses a PEM-encoded private key, decrypting if necessary
+func ParsePrivateKeyPEMWithPassword(data []byte, password string) (crypto.Signer, error) {
 	block, _ := pem.Decode(data)
 	if block == nil {
 		return nil, errors.New("failed to decode PEM block")
 	}
 
+	keyBytes := block.Bytes
+
+	// Check if the key is encrypted (legacy PEM encryption)
+	//nolint:staticcheck // x509.IsEncryptedPEMBlock is deprecated but needed for legacy format
+	if x509.IsEncryptedPEMBlock(block) {
+		if password == "" {
+			return nil, errors.New("private key is encrypted but no password provided (use -key-password)")
+		}
+		var err error
+		//nolint:staticcheck // x509.DecryptPEMBlock is deprecated but needed for legacy format
+		keyBytes, err = x509.DecryptPEMBlock(block, []byte(password))
+		if err != nil {
+			return nil, fmt.Errorf("failed to decrypt private key: %w", err)
+		}
+	}
+
 	switch block.Type {
 	case "RSA PRIVATE KEY":
-		key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
+		key, err := x509.ParsePKCS1PrivateKey(keyBytes)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to parse RSA private key: %w", err)
 		}
 		return key, nil
 
 	case "EC PRIVATE KEY":
-		key, err := x509.ParseECPrivateKey(block.Bytes)
+		key, err := x509.ParseECPrivateKey(keyBytes)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to parse EC private key: %w", err)
 		}
 		return key, nil
 
 	case "PRIVATE KEY":
-		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+		// PKCS#8 format (may be encrypted with PBES2, not legacy PEM encryption)
+		key, err := x509.ParsePKCS8PrivateKey(keyBytes)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to parse PKCS#8 private key: %w", err)
 		}
 		switch k := key.(type) {
 		case *rsa.PrivateKey:
@@ -59,10 +82,14 @@ func ParsePrivateKeyPEM(data []byte) (crypto.Signer, error) {
 		case ed25519.PrivateKey:
 			return k, nil
 		default:
-			return nil, errors.New("unsupported private key type")
+			return nil, errors.New("unsupported private key type in PKCS#8 container")
 		}
 
+	case "ENCRYPTED PRIVATE KEY":
+		// PKCS#8 encrypted format - requires different handling
+		return nil, errors.New("PKCS#8 encrypted keys (ENCRYPTED PRIVATE KEY) are not yet supported; use legacy PEM encryption or unencrypted keys")
+
 	default:
-		return nil, errors.New("unsupported PEM block type: " + block.Type)
+		return nil, fmt.Errorf("unsupported PEM block type: %s", block.Type)
 	}
 }

ocsp/helpers_test.go

@@ -208,3 +208,119 @@ func TestParsePrivateKeyPEM_InvalidPKCS8Key(t *testing.T) {
 		t.Error("Expected error for invalid PKCS8 key")
 	}
 }
+
+func TestParsePrivateKeyPEMWithPassword_EncryptedEC(t *testing.T) {
+	// Generate an EC key
+	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	keyDER, _ := x509.MarshalECPrivateKey(key)
+
+	// Encrypt the PEM block with a password
+	password := []byte("testpassword123")
+	//nolint:staticcheck // x509.EncryptPEMBlock is deprecated but needed for testing legacy format
+	encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", keyDER, password, x509.PEMCipherAES256)
+	if err != nil {
+		t.Fatalf("Failed to encrypt PEM block: %v", err)
+	}
+
+	encryptedPEM := pem.EncodeToMemory(encryptedBlock)
+
+	// Test successful decryption with correct password
+	parsed, err := ParsePrivateKeyPEMWithPassword(encryptedPEM, "testpassword123")
+	if err != nil {
+		t.Fatalf("Failed to parse encrypted EC key: %v", err)
+	}
+	if _, ok := parsed.(*ecdsa.PrivateKey); !ok {
+		t.Error("Expected ECDSA private key")
+	}
+}
+
+func TestParsePrivateKeyPEMWithPassword_WrongPassword(t *testing.T) {
+	// Generate an EC key
+	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	keyDER, _ := x509.MarshalECPrivateKey(key)
+
+	// Encrypt the PEM block with a password
+	password := []byte("correctpassword")
+	//nolint:staticcheck // x509.EncryptPEMBlock is deprecated but needed for testing legacy format
+	encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", keyDER, password, x509.PEMCipherAES256)
+	if err != nil {
+		t.Fatalf("Failed to encrypt PEM block: %v", err)
+	}
+
+	encryptedPEM := pem.EncodeToMemory(encryptedBlock)
+
+	// Test with wrong password
+	_, err = ParsePrivateKeyPEMWithPassword(encryptedPEM, "wrongpassword")
+	if err == nil {
+		t.Error("Expected error for wrong password")
+	}
+}
+
+func TestParsePrivateKeyPEMWithPassword_EncryptedNoPassword(t *testing.T) {
+	// Generate an EC key
+	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	keyDER, _ := x509.MarshalECPrivateKey(key)
+
+	// Encrypt the PEM block with a password
+	password := []byte("testpassword")
+	//nolint:staticcheck // x509.EncryptPEMBlock is deprecated but needed for testing legacy format
+	encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", keyDER, password, x509.PEMCipherAES256)
+	if err != nil {
+		t.Fatalf("Failed to encrypt PEM block: %v", err)
+	}
+
+	encryptedPEM := pem.EncodeToMemory(encryptedBlock)
+
+	// Test without providing password
+	_, err = ParsePrivateKeyPEMWithPassword(encryptedPEM, "")
+	if err == nil {
+		t.Error("Expected error when no password provided for encrypted key")
+	}
+	if err.Error() != "private key is encrypted but no password provided (use -key-password)" {
+		t.Errorf("Unexpected error message: %v", err)
+	}
+}
+
+func TestParsePrivateKeyPEMWithPassword_UnencryptedWithPassword(t *testing.T) {
+	// Generate an EC key (unencrypted)
+	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	keyDER, _ := x509.MarshalECPrivateKey(key)
+	keyPEM := pem.EncodeToMemory(&pem.Block{
+		Type:  "EC PRIVATE KEY",
+		Bytes: keyDER,
+	})
+
+	// Providing a password for unencrypted key should still work (password is ignored)
+	parsed, err := ParsePrivateKeyPEMWithPassword(keyPEM, "unnecessarypassword")
+	if err != nil {
+		t.Fatalf("Failed to parse unencrypted key with password: %v", err)
+	}
+	if _, ok := parsed.(*ecdsa.PrivateKey); !ok {
+		t.Error("Expected ECDSA private key")
+	}
+}
+
+func TestParsePrivateKeyPEMWithPassword_EncryptedRSA(t *testing.T) {
+	// Generate an RSA key
+	key, _ := rsa.GenerateKey(rand.Reader, 2048)
+	keyDER := x509.MarshalPKCS1PrivateKey(key)
+
+	// Encrypt the PEM block with a password
+	password := []byte("rsapassword")
+	//nolint:staticcheck // x509.EncryptPEMBlock is deprecated but needed for testing legacy format
+	encryptedBlock, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", keyDER, password, x509.PEMCipherAES256)
+	if err != nil {
+		t.Fatalf("Failed to encrypt PEM block: %v", err)
+	}
+
+	encryptedPEM := pem.EncodeToMemory(encryptedBlock)
+
+	// Test successful decryption
+	parsed, err := ParsePrivateKeyPEMWithPassword(encryptedPEM, "rsapassword")
+	if err != nil {
+		t.Fatalf("Failed to parse encrypted RSA key: %v", err)
+	}
+	if _, ok := parsed.(*rsa.PrivateKey); !ok {
+		t.Error("Expected RSA private key")
+	}
+}

ocsp/loader_test.go

@@ -110,7 +110,7 @@ func TestNewSignerFromPaths_Files(t *testing.T) {
 	files := createTestFiles(t)
 	defer files.cleanup()
 
-	signer, err := NewSignerFromPaths(files.issuerFile, files.responderFile, files.keyFile, 0, false)
+	signer, err := NewSignerFromPaths(files.issuerFile, files.responderFile, files.keyFile, "", 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create signer: %v", err)
 	}
@@ -137,7 +137,7 @@ func TestNewSignerFromPaths_IssuerFromURL(t *testing.T) {
 	defer server.Close()
 
 	// Load issuer from URL, responder and key from files
-	signer, err := NewSignerFromPaths(server.URL+"/issuer.pem", files.responderFile, files.keyFile, 0, false)
+	signer, err := NewSignerFromPaths(server.URL+"/issuer.pem", files.responderFile, files.keyFile, "", 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create signer: %v", err)
 	}
@@ -172,7 +172,7 @@ func TestNewSignerFromPaths_BothCertsFromURL(t *testing.T) {
 	defer server.Close()
 
 	// Load both certs from URL, key from file
-	signer, err := NewSignerFromPaths(server.URL+"/issuer.pem", server.URL+"/responder.pem", files.keyFile, 0, false)
+	signer, err := NewSignerFromPaths(server.URL+"/issuer.pem", server.URL+"/responder.pem", files.keyFile, "", 0, false)
 	if err != nil {
 		t.Fatalf("Failed to create signer: %v", err)
 	}
@@ -191,7 +191,7 @@ func TestNewSignerFromPaths_InvalidIssuerURL(t *testing.T) {
 	}))
 	defer server.Close()
 
-	_, err := NewSignerFromPaths(server.URL+"/issuer.pem", files.responderFile, files.keyFile, 0, false)
+	_, err := NewSignerFromPaths(server.URL+"/issuer.pem", files.responderFile, files.keyFile, "", 0, false)
 	if err == nil {
 		t.Error("Expected error for 404 on issuer URL")
 	}
@@ -207,7 +207,7 @@ func TestNewSignerFromPaths_InvalidCertData(t *testing.T) {
 	}))
 	defer server.Close()
 
-	_, err := NewSignerFromPaths(server.URL+"/issuer.pem", files.responderFile, files.keyFile, 0, false)
+	_, err := NewSignerFromPaths(server.URL+"/issuer.pem", files.responderFile, files.keyFile, "", 0, false)
 	if err == nil {
 		t.Error("Expected error for invalid certificate data")
 	}
@@ -217,7 +217,7 @@ func TestNewSignerFromPaths_MissingKeyFile(t *testing.T) {
 	files := createTestFiles(t)
 	defer files.cleanup()
 
-	_, err := NewSignerFromPaths(files.issuerFile, files.responderFile, "/nonexistent/key.pem", 0, false)
+	_, err := NewSignerFromPaths(files.issuerFile, files.responderFile, "/nonexistent/key.pem", "", 0, false)
 	if err == nil {
 		t.Error("Expected error for missing key file")
 	}

ocsp/signer.go

@@ -85,7 +85,8 @@ func NewSignerFromFile(issuerFile, responderFile, keyFile string, interval time.
 // NewSignerFromPaths loads certs from file paths or URLs, and key from file only.
 // For -issuer and -responder: paths starting with http:// or https:// are fetched via HTTP GET.
 // For -key: only file paths are supported (private keys should not be fetched over network).
-func NewSignerFromPaths(issuerPath, responderPath, keyFile string, interval time.Duration, insecureSkipVerify bool) (Signer, error) {
+// If keyPassword is non-empty, it will be used to decrypt an encrypted private key.
+func NewSignerFromPaths(issuerPath, responderPath, keyFile, keyPassword string, interval time.Duration, insecureSkipVerify bool) (Signer, error) {
 	// Load issuer certificate (file or URL)
 	issuerBytes, err := LoadPEM(issuerPath, insecureSkipVerify)
 	if err != nil {
@@ -114,7 +115,7 @@ func NewSignerFromPaths(issuerPath, responderPath, keyFile string, interval time
 		return nil, fmt.Errorf("failed to parse responder certificate: %w", err)
 	}
 
-	key, err := ParsePrivateKeyPEM(keyBytes)
+	key, err := ParsePrivateKeyPEMWithPassword(keyBytes, keyPassword)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse responder key: %w", err)
 	}