api: support SSL private key file decryption

.github/workflows/testing.yml

@@ -143,8 +143,8 @@ jobs:
           - sdk-version: 'bundle-2.10.0-1-gfa775b383-r486-linux-x86_64'
             coveralls: false
             ssl: true
-          - sdk-path: 'dev/linux/x86_64/master/'
-            sdk-version: 'sdk-gc64-2.11.0-entrypoint-113-g803baaffe-r529.linux.x86_64'
+          - sdk-path: 'release/linux/x86_64/2.11/'
+            sdk-version: 'sdk-gc64-2.11.0-0-r577.linux.x86_64'
             coveralls: true
             ssl: true
 

CHANGELOG.md

@@ -15,6 +15,7 @@ Versioning](http://semver.org/spec/v2.0.0.html) except to the first release.
 - IsNullable flag for Field (#302)
 - More linters on CI (#310)
 - Meaningful description for read/write socket errors (#129)
+- Support password and password file to decrypt private SSL key file (#319)
 
 ### Changed
 

connection.go

@@ -345,6 +345,14 @@ type SslOpts struct {
 	//
 	// * https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
 	Ciphers string
+	// Password is a password for decrypting the private SSL key file.
+	// The priority is as follows: try to decrypt with Password, then
+	// try PasswordFile.
+	Password string
+	// PasswordFile is a path to the list of passwords for decrypting
+	// the private SSL key file. The connection tries every line from the
+	// file as a password.
+	PasswordFile string
 }
 
 // Clone returns a copy of the Opts object.

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/shopspring/decimal v1.3.1
 	github.com/stretchr/testify v1.7.1
 	github.com/tarantool/go-iproto v0.1.0
-	github.com/tarantool/go-openssl v0.0.8-0.20230307065445-720eeb389195
+	github.com/tarantool/go-openssl v0.0.8-0.20230801114713-b452431f934a
 	github.com/vmihailenco/msgpack/v5 v5.3.5
 	golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect

go.sum

@@ -21,8 +21,8 @@ github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMT
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/tarantool/go-iproto v0.1.0 h1:zHN9AA8LDawT+JBD0/Nxgr/bIsWkkpDzpcMuaNPSIAQ=
 github.com/tarantool/go-iproto v0.1.0/go.mod h1:LNCtdyZxojUed8SbOiYHoc3v9NvaZTB7p96hUySMlIo=
-github.com/tarantool/go-openssl v0.0.8-0.20230307065445-720eeb389195 h1:/AN3eUPsTlvF6W+Ng/8ZjnSU6o7L0H4Wb9GMks6RkzU=
-github.com/tarantool/go-openssl v0.0.8-0.20230307065445-720eeb389195/go.mod h1:M7H4xYSbzqpW/ZRBMyH0eyqQBsnhAMfsYk5mv0yid7A=
+github.com/tarantool/go-openssl v0.0.8-0.20230801114713-b452431f934a h1:eeElglRXJ3xWKkHmDbeXrQWlZyQ4t3Ca1YlZsrfdXFU=
+github.com/tarantool/go-openssl v0.0.8-0.20230801114713-b452431f934a/go.mod h1:M7H4xYSbzqpW/ZRBMyH0eyqQBsnhAMfsYk5mv0yid7A=
 github.com/vmihailenco/msgpack/v5 v5.3.5 h1:5gO0H1iULLWGhs2H5tbAHIZTV8/cYafcFOr9znI5mJU=
 github.com/vmihailenco/msgpack/v5 v5.3.5/go.mod h1:7xyJ9e+0+9SaZT0Wt1RGleJXzli6Q/V5KbhBonMG9jc=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=

ssl.go

@@ -4,9 +4,12 @@
 package tarantool
 
 import (
+	"bufio"
 	"errors"
 	"io/ioutil"
 	"net"
+	"os"
+	"strings"
 	"time"
 
 	"github.com/tarantool/go-openssl"
@@ -43,7 +46,7 @@ func sslCreateContext(opts SslOpts) (ctx interface{}, err error) {
 	}
 
 	if opts.KeyFile != "" {
-		if err = sslLoadKey(sslCtx, opts.KeyFile); err != nil {
+		if err = sslLoadKey(sslCtx, opts.KeyFile, opts.Password, opts.PasswordFile); err != nil {
 			return
 		}
 	}
@@ -95,16 +98,47 @@ func sslLoadCert(ctx *openssl.Ctx, certFile string) (err error) {
 	return
 }
 
-func sslLoadKey(ctx *openssl.Ctx, keyFile string) (err error) {
+func sslLoadKey(ctx *openssl.Ctx, keyFile string, password string,
+	passwordFile string) error {
 	var keyBytes []byte
+	var err, firstDecryptErr error
+
 	if keyBytes, err = ioutil.ReadFile(keyFile); err != nil {
-		return
+		return err
 	}
 
-	var key openssl.PrivateKey
-	if key, err = openssl.LoadPrivateKeyFromPEM(keyBytes); err != nil {
-		return
+	// If the key is encrypted and password is not provided,
+	// openssl.LoadPrivateKeyFromPEM(keyBytes) asks to enter PEM pass phrase
+	// interactively. On the other hand,
+	// openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password) works fine
+	// for non-encrypted key with any password, including empty string. If
+	// the key is encrypted, we fast fail with password error instead of
+	// requesting the pass phrase interactively.
+	passwords := []string{password}
+	if passwordFile != "" {
+		file, err := os.Open(passwordFile)
+		if err == nil {
+			defer file.Close()
+
+			scanner := bufio.NewScanner(file)
+			// Tarantool itself tries each password file line.
+			for scanner.Scan() {
+				password = strings.TrimSpace(scanner.Text())
+				passwords = append(passwords, password)
+			}
+		} else {
+			firstDecryptErr = err
+		}
+	}
+
+	for _, password := range passwords {
+		key, err := openssl.LoadPrivateKeyFromPEMWithPassword(keyBytes, password)
+		if err == nil {
+			return ctx.UsePrivateKey(key)
+		} else if firstDecryptErr == nil {
+			firstDecryptErr = err
+		}
 	}
 
-	return ctx.UsePrivateKey(key)
+	return firstDecryptErr
 }