in pkg/decrypt/decrypt_linux.go [20:53]
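// DecryptProtectedSettings decrypts the DER-encoded CMS/PKCS#7 blob in decoded
// using the certificate and private key that live in the certificate directory
// derived from configFolder (see getCertificateDir), named "<thumbprint>.crt"
// and "<thumbprint>.prv".
//
// Decryption is delegated to the openssl binary: "openssl cms" is tried first
// (the cms command is the one used for FIPS 140-3 support) and "openssl smime"
// is tried as a fallback when cms fails. The plaintext is returned as a string.
// It is the handler's protected settings, i.e. secret material; callers must
// not log it.
//
// On failure the returned error carries the exit error and stderr of both
// attempts. openssl's stderr does not contain the plaintext, so the error is
// safe to log.
func DecryptProtectedSettings(configFolder string, thumbprint string, decoded []byte) (string, error) {
	// thumbprint becomes a path component; refuse anything that could escape
	// the certificate directory ("../x", "/etc/x", "", ".") before touching the
	// filesystem. NOTE(review): the value presumably comes from the handler
	// settings the agent writes, but the caller is not visible here, so it is
	// validated regardless of origin.
	if !isSafeThumbprint(thumbprint) {
		return "", fmt.Errorf("invalid certificate thumbprint %q: must be a single path component", thumbprint)
	}
	// An empty ciphertext can never decrypt; fail before spawning openssl twice.
	if len(decoded) == 0 {
		return "", fmt.Errorf("decrypting protected settings: empty ciphertext")
	}

	// go two levels up where certs are placed (/var/lib/waagent)
	certDir := getCertificateDir(configFolder)
	crt := filepath.Join(certDir, fmt.Sprintf("%s.crt", thumbprint))
	prv := filepath.Join(certDir, fmt.Sprintf("%s.prv", thumbprint))

	// we use os/exec instead of azure-docker-extension/pkg/executil here as
	// other extension handlers depend on this package for parsing handler
	// settings.
	//
	// NOTE(review): "openssl" is resolved through PATH by exec.Command. An
	// extension handler typically runs as root, so PATH must not contain a
	// directory writable by less privileged users, or the binary it finds is
	// not the one intended; pinning an absolute path would remove that
	// dependency — confirm against the environment the handler runs in.

	// cms command is tried first for FIPS 140-3 support.
	out, cmsStderr, cmsErr := runOpenSSL(decoded, "cms", "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
	if cmsErr == nil {
		return out, nil
	}
	// Keep the cms failure so the final error explains both attempts: a
	// missing key file, for example, fails identically under smime.
	cmsFailure := fmt.Errorf("decrypting protected settings with cms command failed: error=%v stderr=%s \n now decrypting with smime command", cmsErr, cmsStderr)

	// back up smime command in case cms fails
	out, smimeStderr, smimeErr := runOpenSSL(decoded, "smime", "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
	if smimeErr != nil {
		return "", errors.Wrapf(cmsFailure, "decrypting protected settings with smime command failed: error=%v stderr=%s", smimeErr, smimeStderr)
	}
	return out, nil
}

// isSafeThumbprint reports whether s can be used as a single file-name
// component: non-empty, not "." or "..", and free of path separators. Both
// '/' and '\' are rejected so the check does not depend on the host OS.
func isSafeThumbprint(s string) bool {
	if s == "" || s == "." || s == ".." {
		return false
	}
	for i := 0; i < len(s); i++ {
		if s[i] == '/' || s[i] == '\\' {
			return false
		}
	}
	return true
}

// runOpenSSL runs the openssl binary with args, feeding stdin on its standard
// input, and returns the captured stdout and stderr together with the error
// from cmd.Run (nil on a zero exit status).
func runOpenSSL(stdin []byte, args ...string) (stdout, stderr string, err error) {
	cmd := exec.Command("openssl", args...)
	var bOut, bErr bytes.Buffer
	cmd.Stdin = bytes.NewReader(stdin)
	cmd.Stdout = &bOut
	cmd.Stderr = &bErr
	err = cmd.Run()
	return bOut.String(), bErr.String(), err
}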