[SA-22196] store cert.Raw in base64

this PR is built on top of #443 where we already parse the certificate during user input for validation pem_filepath can be removed in the future, but removing it right now would break backwards compability, we might want to add migration logic for this.
appgate · Jul 17, 2023 · b5ae8b8 · b5ae8b8
1 parent e97560b
commit b5ae8b8
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/cmd/configure/configure.go b/cmd/configure/configure.go
@@ -4,6 +4,7 @@ import (
 	"crypto/sha1"
 	"crypto/sha256"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 	"errors"
 	"fmt"
@@ -163,8 +164,8 @@ func configRun(cmd *cobra.Command, args []string, opts *configureOptions) error
 		}
 		fmt.Fprintln(opts.Out, "Added PEM as trusted source for sdpctl")
 		fmt.Fprintln(opts.Out, certificateDetails(cert))
-
-		viper.Set("pem_filepath", opts.PEM)
+		viper.Set("pem_base64", base64.StdEncoding.EncodeToString(cert.Raw))
+		viper.Set("pem_filepath", opts.PEM) // deprecated: TODO remove in future version
 	}
 	u, err := configuration.NormalizeConfigurationURL(opts.URL)
 	if err != nil {

diff --git a/pkg/configuration/configuration.go b/pkg/configuration/configuration.go
@@ -30,7 +30,8 @@ type Config struct {
 	BearerToken         *string `mapstructure:"bearer:squash"` // current logged in user token
 	ExpiresAt           *string `mapstructure:"expires_at"`
 	DeviceID            string  `mapstructure:"device_id"`
-	PemFilePath         string  `mapstructure:"pem_filepath"`
+	PemFilePath         string  `mapstructure:"pem_filepath"` // deprecated in favor of pem_base64, kept for backwards compatibility
+	PemBase64           *string `mapstructure:"pem_base64"`
 	DisableVersionCheck bool    `mapstructure:"disable_version_check"`
 	LastVersionCheck    string  `mapstructure:"last_version_check"`
 }

diff --git a/pkg/factory/http.go b/pkg/factory/http.go
@@ -3,6 +3,7 @@ package factory
 import (
 	"crypto/tls"
 	"crypto/x509"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"net/http"
@@ -118,7 +119,18 @@ func httpTransport(f *Factory) func() (*http.Transport, error) {
 		if rootCAs == nil {
 			rootCAs = x509.NewCertPool()
 		}
-		if ok, err := util.FileExists(cfg.PemFilePath); err == nil && ok {
+		if cfg.PemBase64 != nil {
+			data, err := base64.StdEncoding.DecodeString(*cfg.PemBase64)
+			if err != nil {
+				return nil, fmt.Errorf("could not decode stored certificate %w", err)
+			}
+			cert, err := x509.ParseCertificate(data)
+			if err != nil {
+				return nil, fmt.Errorf("could not parse certificate %w", err)
+			}
+			rootCAs.AddCert(cert)
+		} else if ok, err := util.FileExists(cfg.PemFilePath); err == nil && ok {
+			// deprecated: TODO remove in future version
 			certs, err := os.ReadFile(cfg.PemFilePath)
 			if err != nil {
 				return nil, err