From 8a4b92c17672c6f6221c72f3de1206ddd100014e Mon Sep 17 00:00:00 2001
From: Marco Molteni
Date: Wed, 8 Dec 2021 20:16:36 +0100
Subject: [PATCH 1/2] cli: consul tls: create private keys with mode 0600

This applies to consul tls ca create consul tls cert create -client consul tls cert create -server
Closes: #11741
---
 command/tls/ca/create/tls_ca_create.go | 2 +-
 command/tls/ca/create/tls_ca_create_test.go | 9 +++++++++
 command/tls/cert/create/tls_cert_create.go | 2 +-
 command/tls/cert/create/tls_cert_create_test.go | 9 +++++++++
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/command/tls/ca/create/tls_ca_create.go b/command/tls/ca/create/tls_ca_create.go
index ceef70b376..810d452c40 100644
--- a/command/tls/ca/create/tls_ca_create.go
+++ b/command/tls/ca/create/tls_ca_create.go
@@ -83,7 +83,7 @@ func (c *cmd) Run(args []string) int {
 }
 c.UI.Output("==> Saved " + certFileName)
 
- if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0666); err != nil {
+ if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0600); err != nil {
 c.UI.Error(err.Error())
 return 1
 }
diff --git a/command/tls/ca/create/tls_ca_create_test.go b/command/tls/ca/create/tls_ca_create_test.go
index 5689589598..19c5fb965c 100644
--- a/command/tls/ca/create/tls_ca_create_test.go
+++ b/command/tls/ca/create/tls_ca_create_test.go
@@ -3,6 +3,7 @@ package create
 import (
 "crypto"
 "crypto/x509"
+ "io/fs"
 "io/ioutil"
 "os"
 "strings"
@@ -120,6 +121,14 @@ func expectFiles(t *testing.T, caPath, keyPath string) (*x509.Certificate, crypt
 require.FileExists(t, caPath)
 require.FileExists(t, keyPath)
 
+ fi, err := os.Stat(keyPath)
+ if err != nil {
+ t.Fatal("should not happen", err)
+ }
+ if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
+ t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
+ }
+
 caData, err := ioutil.ReadFile(caPath)
 require.NoError(t, err)
 keyData, err := ioutil.ReadFile(keyPath)
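Review bot: The 0600 passed to file.WriteAtomicWithPerms only protects the private key if the helper also creates its temporary file with that mode; if the temp file is opened with default permissions and the mode is applied afterwards, the key is briefly readable by other local users before the rename. WriteAtomicWithPerms is not in this patch, so that is worth confirming rather than assuming, and a short comment at the call site would record the intent for the next reader, e.g. `// 0600: the private key must never be group- or world-readable (#11741)`. The identical call is changed in command/tls/cert/create/tls_cert_create.go and the same question applies there. Run's body begins and ends outside the hunk.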
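Review bot: The new assertion in expectFiles compares fi.Mode().Perm() with 0600 unconditionally, which cannot hold on Windows, where os.Stat reports 0666 for any writable file regardless of the mode requested at creation; if this package's tests run there, the check fails for reasons unrelated to the fix. Guard it with `if runtime.GOOS != "windows" {` (adding "runtime" to the import block in the hunk above) or t.Skip with a comment saying why. Separately, the surrounding lines use require.NoError for error checks, so `require.NoError(t, err)` in place of the t.Fatal("should not happen", err) block and `require.Equal(t, fs.FileMode(0600), fi.Mode().Perm(), "private key file %s permissions", keyPath)` would match the file's style. The same block is added to expectFiles in command/tls/cert/create/tls_cert_create_test.go. expectFiles continues past the end of the hunk.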
diff --git a/command/tls/cert/create/tls_cert_create.go b/command/tls/cert/create/tls_cert_create.go
index 6281ca3ae2..b1cdaa131d 100644
--- a/command/tls/cert/create/tls_cert_create.go
+++ b/command/tls/cert/create/tls_cert_create.go
@@ -196,7 +196,7 @@ func (c *cmd) Run(args []string) int {
 }
 c.UI.Output("==> Saved " + certFileName)
 
- if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0666); err != nil {
+ if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0600); err != nil {
 c.UI.Error(err.Error())
 return 1
 }
diff --git a/command/tls/cert/create/tls_cert_create_test.go b/command/tls/cert/create/tls_cert_create_test.go
index 306eed8df2..78f75eb11d 100644
--- a/command/tls/cert/create/tls_cert_create_test.go
+++ b/command/tls/cert/create/tls_cert_create_test.go
@@ -3,6 +3,7 @@ package create
 import (
 "crypto"
 "crypto/x509"
+ "io/fs"
 "io/ioutil"
 "net"
 "os"
@@ -242,6 +243,14 @@ func expectFiles(t *testing.T, certPath, keyPath string) (*x509.Certificate, cry
 require.FileExists(t, certPath)
 require.FileExists(t, keyPath)
 
+ fi, err := os.Stat(keyPath)
+ if err != nil {
+ t.Fatal("should not happen", err)
+ }
+ if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
+ t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
+ }
+
 certData, err := ioutil.ReadFile(certPath)
 require.NoError(t, err)
 keyData, err := ioutil.ReadFile(keyPath)

From 1624aa20de5cbf066ee41c92aee1030030aabcfc Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Tue, 21 Dec 2021 16:45:45 -0500
Subject: [PATCH 2/2] Add changelog

---
 .changelog/11781.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/11781.txt

diff --git a/.changelog/11781.txt b/.changelog/11781.txt
new file mode 100644
index 0000000000..754d9e01ba
--- /dev/null
+++ b/.changelog/11781.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+cli: when creating a private key, save the file with mode 0600 so that only the user has read permission.
+```