Add WithMinLengthPasswordFile pemutil option (#711)

dopey · web-flow · commit 84f676bc58c4 · 2025-02-27T11:14:38.000-08:00
diff --git a/pemutil/pem.go b/pemutil/pem.go
@@ -68,7 +68,7 @@ type context struct {
 func newContext(name string) *context {
 	return &context{
 		filename: name,
-		perm:     0600,
+		perm:     0o600,
 	}
 }
 
@@ -128,7 +128,7 @@ func WithFilename(name string) Options {
 		ctx.filename = name
 		// Default perm mode if not set
 		if ctx.perm == 0 {
-			ctx.perm = 0600
+			ctx.perm = 0o600
 		}
 		return nil
 	}
@@ -164,6 +164,23 @@ func WithPasswordFile(filename string) Options {
 	}
 }
 
+// WithMinLengthPasswordFile is a method that adds the password in a file to the
+// context. If the password does not meet the minimum length requirement an
+// error is returned. If minimum length input is <=0 then the requirement is
+// ignored.
+func WithMinLengthPasswordFile(filename string, minLength int) Options {
+	return func(ctx *context) error {
+		if err := WithPasswordFile(filename)(ctx); err != nil {
+			return err
+		}
+
+		if minLength > 0 && len(ctx.password) < minLength {
+			return fmt.Errorf("password does not meet minimum length requirement; must be at least %v characters", minLength)
+		}
+		return nil
+	}
+}
+
 // WithPasswordPrompt ask the user for a password and adds it to the context.
 func WithPasswordPrompt(prompt string, fn PasswordPrompter) Options {
 	return func(ctx *context) error {
diff --git a/pemutil/pem_test.go b/pemutil/pem_test.go
@@ -648,15 +648,15 @@ func TestSerialize(t *testing.T) {
 		case test.pass == "" && test.file == "":
 			p, err = Serialize(in)
 		case test.pass != "" && test.file != "":
-			p, err = Serialize(in, WithPassword([]byte(test.pass)), ToFile(test.file, 0600))
+			p, err = Serialize(in, WithPassword([]byte(test.pass)), ToFile(test.file, 0o600))
 		case test.pass != "" && test.pkcs8:
 			p, err = Serialize(in, WithPKCS8(true), WithPasswordPrompt("Please enter the password to encrypt the key", func(prompt string) ([]byte, error) {
 				return []byte(test.pass), nil
 			}))
 		case test.pass != "":
 			p, err = Serialize(in, WithPassword([]byte(test.pass)))
 		default:
-			p, err = Serialize(in, ToFile(test.file, 0600))
+			p, err = Serialize(in, ToFile(test.file, 0o600))
 		}
 
 		if err != nil {
@@ -722,7 +722,7 @@ func TestSerialize(t *testing.T) {
 						var fileInfo os.FileInfo
 						fileInfo, err = os.Stat(test.file)
 						require.NoError(t, err)
-						assert.Equal(t, fileInfo.Mode(), os.FileMode(0600))
+						assert.Equal(t, fileInfo.Mode(), os.FileMode(0o600))
 						// Verify that key written to file is correct
 						var keyFileBytes []byte
 						keyFileBytes, err = os.ReadFile(test.file)
@@ -1024,6 +1024,7 @@ func TestRead_options(t *testing.T) {
 		{"withPasswordPromptError", args{"testdata/openssl.p256.enc.pem", []Options{WithPasswordPrompt("Enter the password", func(s string) ([]byte, error) {
 			return nil, errors.New("an error")
 		})}}, nil, true},
+		{"withPasswordFile", args{"testdata/openssl.p256.enc.pem", []Options{WithPasswordFile("testdata/password.txt")}}, p256Key, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1039,6 +1040,80 @@ func TestRead_options(t *testing.T) {
 	}
 }
 
+func TestWithMinLengthPasswordFile(t *testing.T) {
+	tests := []struct {
+		name    string
+		length  int
+		file    string
+		want    []byte
+		wantErr bool
+	}{
+		{
+			name:    "negative",
+			length:  -5,
+			file:    "testdata/password.txt",
+			wantErr: false,
+			want:    []byte("mypassword"),
+		},
+		{
+			name:    "zero",
+			length:  0,
+			file:    "testdata/password.txt",
+			wantErr: false,
+			want:    []byte("mypassword"),
+		},
+		{
+			name:    "greater-than-min-length",
+			length:  9,
+			file:    "testdata/password.txt",
+			wantErr: false,
+			want:    []byte("mypassword"),
+		},
+		{
+			name:    "equal-min-length",
+			length:  10,
+			file:    "testdata/password.txt",
+			wantErr: false,
+			want:    []byte("mypassword"),
+		},
+		{
+			name:    "less-than-min-length",
+			length:  11,
+			file:    "testdata/password.txt",
+			wantErr: true,
+		},
+		{
+			name:    "ignore-pre-post-whitespace-characters",
+			length:  7,
+			file:    "testdata/password2.txt",
+			wantErr: true,
+		},
+		{
+			name:    "ignore-pre-post-whitespace-characters-ok",
+			length:  6,
+			file:    "testdata/password2.txt",
+			wantErr: false,
+			want:    []byte("  pass"),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := newContext(tt.name)
+			gotErr := WithMinLengthPasswordFile(tt.file, tt.length)(ctx) != nil
+			if gotErr != tt.wantErr {
+				t.Errorf("WithMinLengthPasswordFile(%v, %v) = %v, want %v", tt.file, tt.length, gotErr, tt.wantErr)
+				return
+			}
+			if gotErr {
+				return
+			}
+			if !bytes.Equal(ctx.password, tt.want) {
+				t.Errorf("Expected %v, but got %v", tt.want, ctx.password)
+			}
+		})
+	}
+}
+
 func TestRead_promptPassword(t *testing.T) {
 	mustKey := func(filename string) interface{} {
 		b, err := os.ReadFile(filename)
diff --git a/pemutil/testdata/password2.txt b/pemutil/testdata/password2.txt
@@ -0,0 +1 @@
+  pass
