Allow unlocking PKCS12 with FORTANIX_PKCS12_PASSPHRASE (#69)

fortanix · Sep 20, 2022 · bd7422a · bd7422a
1 parent 13c4004
commit bd7422a
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 sq-dsm
-========
+======
 
 This fork of [Sequoia-PGP][Sequoia] leverages
 [sdkms-client-rust][sdkms-client-rust] to perform OpenPGP operations with keys
@@ -30,7 +30,11 @@ variables need to be set in order to communicate with DSM.
   openssl pkcs12 -export -out identity.pfx -inkey private.key -in public.crt
   ```
   If a password is set for the PKCS12 file, then `sq-dsm` will ask for it on
-  each key usage (which can happen several times on one PGP operation).
+  each key usage (which can happen several times on one PGP operation), unless
+  the `FORTANIX_PKCS12_PASSPHRASE` environment variable is set (see below).
+- `FORTANIX_PKCS12_PASSPHRASE`, the passphrase to unlock the identity file
+  generated above. If the password is incorrect, `sq-dsm` will ask for it on
+  each operation.
 - `FORTANIX_APP_UUID`, the UUID of your DSM app, for certificate-based
   authentication (e.g., this environment variable is used together with
   `FORTANIX_PKCS12_ID`).

diff --git a/openpgp-dsm/Cargo.toml b/openpgp-dsm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "openpgp-dsm"
-version = "1.0.1"
+version = "1.0.2"
 authors = ["zugzwang <[email protected]>"]
 edition = "2018"
 

diff --git a/openpgp-dsm/src/lib.rs b/openpgp-dsm/src/lib.rs
@@ -37,7 +37,7 @@ use hyper::net::HttpsConnector;
 use hyper_native_tls::native_tls::{Identity, TlsConnector};
 use hyper_native_tls::NativeTlsClient;
 use ipnetwork::IpNetwork;
-use log::info;
+use log::{info, warn};
 use sdkms::api_model::Algorithm::Rsa;
 use sdkms::api_model::{
     AgreeKeyMechanism, AgreeKeyRequest, ApprovalStatus, DecryptRequest,
@@ -96,6 +96,7 @@ const ENV_APP_UUID:       &str = "FORTANIX_APP_UUID";
 const ENV_HTTP_PROXY:     &str = "http_proxy";
 const ENV_NO_PROXY:       &str = "no_proxy";
 const ENV_P12:            &str = "FORTANIX_PKCS12_ID";
+const ENV_P12_PASS:       &str = "FORTANIX_PKCS12_PASSPHRASE";
 const MIN_DSM_VERSION:    &str = "4.2.0";
 // As seen on sdkms-client-rust/blob/master/examples/approval_request.rs
 const OP_APPROVAL_MSG:    &str = "This operation requires approval";
@@ -1855,8 +1856,16 @@ fn try_unlock_p12(cert_file: String) -> Result<Identity> {
     // Try to unlock certificate without password first
     let mut first = true;
     if let Ok(id) = Identity::from_pkcs12(&cert, "") {
-        Ok(id)
+        return Ok(id)
     } else {
+        // Try to unlock with env var passphrase
+        if let Ok(pass) = env::var(ENV_P12_PASS) {
+            if let Ok(id) = Identity::from_pkcs12(&cert, &pass) {
+                return Ok(id)
+            } else {
+                warn!("could not unlock PKCS12 identity with {:?}", ENV_P12_PASS);
+            }
+        }
         loop {
             // Prompt the user for PKCS12 password
             match rpassword::read_password_from_tty(
@@ -1869,7 +1878,7 @@ fn try_unlock_p12(cert_file: String) -> Result<Identity> {
                 Ok(p) => {
                     first = false;
                     if let Ok(id) = Identity::from_pkcs12(&cert, &p) {
-                        break Ok(id)
+                        return Ok(id)
                     }
                 },
                 Err(err) => {