func unmarshalProtectedSettings()

in internal/handlersettings/handlersettingscommon.go [95:143]


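// unmarshalProtectedSettings decrypts the base64/DER-encoded protected settings
// in hs and JSON-decodes the plaintext into v.
//
// The recipient certificate and private key are looked up two directories
// above configFolder (the waagent directory) as <thumbprint>.crt and
// <thumbprint>.prv. Decryption is attempted with `openssl cms` first (needed
// for FIPS 140-3) and falls back to `openssl smime` if that fails.
//
// v should be a pointer to the target value; json.Unmarshal is given &v and
// decodes through the pointer it holds.
//
// Returns nil when hs carries no protected settings. Returns an error when the
// thumbprint is missing or is not a plain file name, when the payload is not
// valid base64, when both openssl invocations fail (the cms error is wrapped
// with the smime one), or when the plaintext is not valid JSON.
func unmarshalProtectedSettings(configFolder string, hs settings.SettingsCommon, v interface{}) error {
	if hs.ProtectedSettingsBase64 == "" {
		return nil
	}
	thumb := hs.SettingsCertThumbprint
	if thumb == "" {
		return errors.New("HandlerSettings has protected settings but no cert thumbprint")
	}
	// The thumbprint becomes a file name below; only accept a single path
	// component so the key lookup cannot leave the certificate directory.
	if filepath.Base(thumb) != thumb || thumb == "." || thumb == ".." {
		return fmt.Errorf("HandlerSettings cert thumbprint %q is not a valid file name", thumb)
	}

	decoded, err := base64.StdEncoding.DecodeString(hs.ProtectedSettingsBase64)
	if err != nil {
		return fmt.Errorf("failed to decode base64: %v", err)
	}

	// go two levels up where certs are placed (/var/lib/waagent)
	crt := filepath.Join(configFolder, "..", "..", thumb+".crt")
	prv := filepath.Join(configFolder, "..", "..", thumb+".prv")

	// we use os/exec instead of azure-docker-extension/pkg/executil here as
	// other extension handlers depend on this package for parsing handler
	// settings.

	// using cms command to support for FIPS 140-3; smime is the fallback
	// in case cms fails
	plain, stderr, err := opensslDecryptDER("cms", crt, prv, decoded)
	if err != nil {
		cmsErr := fmt.Errorf("decrypting protected settings with cms command failed: error=%v stderr=%s \n now decrypting with smime command", err, stderr)
		plain, stderr, err = opensslDecryptDER("smime", crt, prv, decoded)
		if err != nil {
			return errors.Wrapf(cmsErr, "decrypting protected settings with smime command failed: error=%v stderr=%s", err, stderr)
		}
	}

	// decrypted: json object for protected settings
	if err := json.Unmarshal(plain, &v); err != nil {
		return fmt.Errorf("failed to unmarshal decrypted settings json: %v", err)
	}
	return nil
}

// opensslDecryptDER runs `openssl <subcmd> -inform DER -decrypt` with the given
// recipient certificate and private key, feeding in on stdin. It returns the
// plaintext written to stdout; on failure the plaintext is nil and the error
// from exec is returned together with whatever openssl wrote to stderr, so the
// caller can include it in its own error message.
func opensslDecryptDER(subcmd, crt, prv string, in []byte) (plain []byte, stderr string, err error) {
	var bOut, bErr bytes.Buffer
	cmd := exec.Command("openssl", subcmd, "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
	cmd.Stdin = bytes.NewReader(in)
	cmd.Stdout = &bOut
	cmd.Stderr = &bErr
	if err := cmd.Run(); err != nil {
		return nil, bErr.String(), err
	}
	return bOut.Bytes(), bErr.String(), nil
}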