Skip to content

fix(tls): validate RSA keys before marshaling #23295

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 6, 2025
Merged

fix(tls): validate RSA keys before marshaling #23295

merged 1 commit into from
Jun 6, 2025

Conversation

thevilledev
Copy link
Contributor

In Go 1.24, x509.MarshalPKCS1PrivateKey (doc ref) internally calls rsa.PrivateKey.Precompute() which panics on invalid RSA keys with nil pointer dereference.

Add validation using rsa.PrivateKey.Validate() before marshaling to prevent panics. Update pemBlockForKey to return nil for invalid keys and modify callers to handle nil returns gracefully.

Add comprehensive tests covering nil keys, validation failures, and unsupported key types to ensure robust error handling. If you run the test against master now it'll panic.

Noticed in #23294.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@thevilledev
fix(tls): validate RSA keys before marshaling
6f9e6ec 
In Go 1.24, x509.MarshalPKCS1PrivateKey internally calls
rsa.PrivateKey.Precompute() which panics on invalid RSA keys
with nil pointer dereference.

Add validation using rsa.PrivateKey.Validate() before marshaling
to prevent panics. Update pemBlockForKey to return nil for
invalid keys and modify callers to handle nil returns gracefully.

Add comprehensive tests covering nil keys, validation failures,
and unsupported key types to ensure robust error handling.

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
@thevilledev thevilledev requested a review from a team as a code owner June 6, 2025 09:10
@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented Jun 6, 2025
edited
Loading

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@codecov Codecov
Copy link

codecov bot commented Jun 6, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 80.00000% with 3 lines in your changes missing coverage. Please review.

Project coverage is 60.07%. Comparing base (9472273) to head (6f9e6ec).
Report is 6 commits behind head on master.

Files with missing lines Patch % Lines
util/tls/tls.go 80.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #23295      +/-   ##
==========================================
+ Coverage   60.00%   60.07%   +0.06%     
==========================================
  Files         341      341              
  Lines       57818    57831      +13     
==========================================
+ Hits        34694    34742      +48     
+ Misses      20344    20322      -22     
+ Partials     2780     2767      -13

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

blakepettersson
blakepettersson approved these changes Jun 6, 2025
View reviewed changes
Copy link
Member

@blakepettersson blakepettersson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@blakepettersson blakepettersson merged commit 109cd6c into argoproj:master Jun 6, 2025
28 checks passed
@blakepettersson
Copy link
Member

/cherry-pick release-3.0

@blakepettersson
Copy link
Member

/cherry-pick release-2.14

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Jun 6, 2025
@thevilledev
fix(tls): validate RSA keys before marshaling (#23295)
12c62f3 
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request Jun 6, 2025
Merged
gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Jun 6, 2025
@thevilledev
fix(tls): validate RSA keys before marshaling (#23295)
5799d19 
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
@gcp-cherry-pick-bot gcp-cherry-pick-bot bot mentioned this pull request Jun 6, 2025
Closed
blakepettersson pushed a commit that referenced this pull request Jun 6, 2025
@gcp-cherry-pick-bot @thevilledev
fix(tls): validate RSA keys before marshaling (cherry-pick #23295) (#…
59d4519 
…23300)

Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Co-authored-by: Ville Vesilehto <ville@vesilehto.fi>
thevilledev added a commit to thevilledev/argo-cd that referenced this pull request Jun 8, 2025
@thevilledev
fix(tls): validate RSA keys before marshaling (argoproj#23295)
149c0e8 
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
dsuhinin pushed a commit to dsuhinin/argo-cd that referenced this pull request Jun 16, 2025
@thevilledev @dsuhinin
fix(tls): validate RSA keys before marshaling (argoproj#23295)
3b4ee7c 
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Signed-off-by: dsuhinin <suhinin.dmitriy@gmail.com>
dsuhinin pushed a commit to dsuhinin/argo-cd that referenced this pull request Jun 16, 2025
@thevilledev @dsuhinin
fix(tls): validate RSA keys before marshaling (argoproj#23295)
4c457a8 
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Signed-off-by: dsuhinin <suhinin.dmitriy@gmail.com>
enneitex pushed a commit to enneitex/argo-cd that referenced this pull request Aug 24, 2025
@thevilledev @enneitex
fix(tls): validate RSA keys before marshaling (argoproj#23295)
0ccb276 
Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Signed-off-by: enneitex <etienne.divet@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@blakepettersson blakepettersson blakepettersson approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thevilledev @blakepettersson