cli: consul tls: create private keys with mode 0600

This applies to consul tls ca create consul tls cert create -client consul tls cert create -server Closes: #11741
2021-12-08 20:16:36 +01:00 · 2021-12-08 20:16:36 +01:00 · db5f4eaadc
parent 54ac9b90db
commit db5f4eaadc
4 changed files with 20 additions and 2 deletions
--- a/command/tls/ca/create/tls_ca_create.go
+++ b/command/tls/ca/create/tls_ca_create.go
@ -83,7 +83,7 @@ func (c *cmd) Run(args []string) int {
 	}
 	c.UI.Output("==> Saved " + certFileName)

-	if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0666); err != nil {
+	if err := file.WriteAtomicWithPerms(pkFileName, []byte(pk), 0755, 0600); err != nil {
 		c.UI.Error(err.Error())
 		return 1
 	}
--- a/command/tls/ca/create/tls_ca_create_test.go
+++ b/command/tls/ca/create/tls_ca_create_test.go
@ -3,6 +3,7 @@ package create
 import (
 	"crypto"
 	"crypto/x509"
+	"io/fs"
 	"io/ioutil"
 	"os"
 	"strings"
@ -120,6 +121,14 @@ func expectFiles(t *testing.T, caPath, keyPath string) (*x509.Certificate, crypt
 	require.FileExists(t, caPath)
 	require.FileExists(t, keyPath)

+	fi, err := os.Stat(keyPath)
+	if err != nil {
+		t.Fatal("should not happen", err)
+	}
+	if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
+		t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
+	}
+
 	caData, err := ioutil.ReadFile(caPath)
 	require.NoError(t, err)
 	keyData, err := ioutil.ReadFile(keyPath)
--- a/command/tls/cert/create/tls_cert_create.go
+++ b/command/tls/cert/create/tls_cert_create.go
@ -196,7 +196,7 @@ func (c *cmd) Run(args []string) int {
 	}
 	c.UI.Output("==> Saved " + certFileName)

-	if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0666); err != nil {
+	if err := file.WriteAtomicWithPerms(pkFileName, []byte(priv), 0755, 0600); err != nil {
 		c.UI.Error(err.Error())
 		return 1
 	}
--- a/command/tls/cert/create/tls_cert_create_test.go
+++ b/command/tls/cert/create/tls_cert_create_test.go
@ -3,6 +3,7 @@ package create
 import (
 	"crypto"
 	"crypto/x509"
+	"io/fs"
 	"io/ioutil"
 	"net"
 	"os"
@ -242,6 +243,14 @@ func expectFiles(t *testing.T, certPath, keyPath string) (*x509.Certificate, cry
 	require.FileExists(t, certPath)
 	require.FileExists(t, keyPath)

+	fi, err := os.Stat(keyPath)
+	if err != nil {
+		t.Fatal("should not happen", err)
+	}
+	if want, have := fs.FileMode(0600), fi.Mode().Perm(); want != have {
+		t.Fatalf("private key file %s: permissions: want: %o; have: %o", keyPath, want, have)
+	}
+
 	certData, err := ioutil.ReadFile(certPath)
 	require.NoError(t, err)
 	keyData, err := ioutil.ReadFile(keyPath)