Merge branch 'main' into file-rotation-symlink

elastic · Feb 18, 2025 · 73f044f · 73f044f
2 parents 1540370 + 977d131
commit 73f044f
Show file tree

Hide file tree

Showing 6 changed files with 118 additions and 57 deletions.
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.22.11
+1.22.12
diff --git a/.golangci.yml b/.golangci.yml
@@ -84,7 +84,7 @@ linters-settings:
 
   gosimple:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.22.11"
+    go: "1.22.12"
 
   nakedret:
     # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
@@ -126,19 +126,19 @@ linters-settings:
 
   staticcheck:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.22.11"
+    go: "1.22.12"
     # https://staticcheck.io/docs/options#checks
     checks: ["all"]
 
   stylecheck:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.22.11"
+    go: "1.22.12"
     # https://staticcheck.io/docs/options#checks
     checks: ["all"]
 
   unused:
     # Select the Go version to target. The default is '1.13'.
-    go: "1.22.11"
+    go: "1.22.12"
 
   gosec:
     excludes:

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/elastic/elastic-agent-libs
 
-go 1.22.10
+go 1.22.12
 
 require (
 	github.com/Microsoft/go-winio v0.5.2

diff --git a/transport/tlscommon/decrypt_block_fips.go b/transport/tlscommon/decrypt_block_fips.go
@@ -0,0 +1,33 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build requirefips
+
+package tlscommon
+
+import (
+	"encoding/pem"
+	"errors"
+	"fmt"
+)
+
+func decryptPKCS1Key(block pem.Block, passphrase []byte) (pem.Block, error) {
+	return block, fmt.Errorf("encrypted private keys are unsupported in FIPS mode: %w", errors.ErrUnsupported)
+}
+func decryptPKCS8Key(block pem.Block, passphrase []byte) (pem.Block, error) {
+	return block, fmt.Errorf("encrypted private keys are unsupported in FIPS mode: %w", errors.ErrUnsupported)
+}
diff --git a/transport/tlscommon/decrypt_block_nofips.go b/transport/tlscommon/decrypt_block_nofips.go
@@ -0,0 +1,79 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build !requirefips
+
+package tlscommon
+
+import (
+	"crypto/ecdsa"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+
+	"github.com/elastic/pkcs8"
+)
+
+func decryptPKCS1Key(block pem.Block, passphrase []byte) (pem.Block, error) {
+	if len(passphrase) == 0 {
+		return block, errors.New("no passphrase available")
+	}
+
+	// Note, decrypting pem might succeed even with wrong password, but
+	// only noise will be stored in buffer in this case.
+	buffer, err := x509.DecryptPEMBlock(&block, passphrase) //nolint: staticcheck // deprecated, we have to get rid of it
+	if err != nil {
+		return block, fmt.Errorf("failed to decrypt pem: %w", err)
+	}
+
+	// DEK-Info contains encryption info. Remove header to mark block as
+	// unencrypted.
+	delete(block.Headers, "DEK-Info")
+	block.Bytes = buffer
+
+	return block, nil
+}
+
+func decryptPKCS8Key(block pem.Block, passphrase []byte) (pem.Block, error) {
+	if len(passphrase) == 0 {
+		return block, errors.New("no passphrase available")
+	}
+
+	key, err := pkcs8.ParsePKCS8PrivateKey(block.Bytes, passphrase)
+	if err != nil {
+		return block, fmt.Errorf("failed to parse key: %w", err)
+	}
+
+	switch key.(type) {
+	case *rsa.PrivateKey:
+		block.Type = "RSA PRIVATE KEY"
+	case *ecdsa.PrivateKey:
+		block.Type = "ECDSA PRIVATE KEY"
+	default:
+		return block, fmt.Errorf("unknown key type %T", key)
+	}
+
+	buffer, err := x509.MarshalPKCS8PrivateKey(key)
+	if err != nil {
+		return block, fmt.Errorf("failed to marshal decrypted private key: %w", err)
+	}
+	block.Bytes = buffer
+
+	return block, nil
+}
diff --git a/transport/tlscommon/tls.go b/transport/tlscommon/tls.go
@@ -19,8 +19,6 @@ package tlscommon
 
 import (
 	"bytes"
-	"crypto/ecdsa"
-	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
@@ -31,7 +29,6 @@ import (
 	"strings"
 
 	"github.com/elastic/elastic-agent-libs/logp"
-	"github.com/elastic/pkcs8"
 )
 
 const logSelector = "tls"
@@ -150,54 +147,6 @@ func ReadPEMFile(log *logp.Logger, s, passphrase string) ([]byte, error) {
 	return buffer.Bytes(), nil
 }
 
-func decryptPKCS1Key(block pem.Block, passphrase []byte) (pem.Block, error) {
-	if len(passphrase) == 0 {
-		return block, errors.New("no passphrase available")
-	}
-
-	// Note, decrypting pem might succeed even with wrong password, but
-	// only noise will be stored in buffer in this case.
-	buffer, err := x509.DecryptPEMBlock(&block, passphrase) //nolint: staticcheck // deprecated, we have to get rid of it
-	if err != nil {
-		return block, fmt.Errorf("failed to decrypt pem: %w", err)
-	}
-
-	// DEK-Info contains encryption info. Remove header to mark block as
-	// unencrypted.
-	delete(block.Headers, "DEK-Info")
-	block.Bytes = buffer
-
-	return block, nil
-}
-
-func decryptPKCS8Key(block pem.Block, passphrase []byte) (pem.Block, error) {
-	if len(passphrase) == 0 {
-		return block, errors.New("no passphrase available")
-	}
-
-	key, err := pkcs8.ParsePKCS8PrivateKey(block.Bytes, passphrase)
-	if err != nil {
-		return block, fmt.Errorf("failed to parse key: %w", err)
-	}
-
-	switch key.(type) {
-	case *rsa.PrivateKey:
-		block.Type = "RSA PRIVATE KEY"
-	case *ecdsa.PrivateKey:
-		block.Type = "ECDSA PRIVATE KEY"
-	default:
-		return block, fmt.Errorf("unknown key type %T", key)
-	}
-
-	buffer, err := x509.MarshalPKCS8PrivateKey(key)
-	if err != nil {
-		return block, fmt.Errorf("failed to marshal decrypted private key: %w", err)
-	}
-	block.Bytes = buffer
-
-	return block, nil
-}
-
 // LoadCertificateAuthorities read the slice of CAcert and return a Certpool.
 func LoadCertificateAuthorities(CAs []string) (*x509.CertPool, []error) {
 	errors := []error{}