Provide PKCS12 keystore support to encrypt secrets#521
Conversation
📝 WalkthroughOverviewThis pull request adds PKCS12 keystore support for secret encryption in the WSO2 Micro Integrator tooling project, extending the existing JKS-only keystore functionality. Key ChangesCommand Updates
Encryption Utilities
Dependencies
Documentation & Testing
ImpactUsers can now encrypt secrets using either JKS or PKCS12 keystores, with backward compatibility maintained for existing JKS-based configurations. WalkthroughThe changes extend the secret encryption feature to support PKCS12 keystores alongside the existing JKS support. In 🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 golangci-lint (2.12.2)level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain main module or its selected dependencies" Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
cmd/utils/encryptionUtils.go (1)
184-190: ⚡ Quick winConsider handling base64 decode errors for clearer diagnostics.
Lines 185 and 198 ignore the error return from
base64.StdEncoding.DecodeString. If the stored password is malformed base64, the decode will fail silently, and the resulting empty/partial bytes will cause a downstream authentication failure with a less informative error message.♻️ Proposed fix
func getEncryptionKey(keyStoreConfig *KeyStoreConfig) (*rsa.PublicKey, error) { - keyStorePassword, _ := base64.StdEncoding.DecodeString(keyStoreConfig.KeyStorePassword) + keyStorePassword, err := base64.StdEncoding.DecodeString(keyStoreConfig.KeyStorePassword) + if err != nil { + return nil, errors.New("Invalid Key Store password encoding: " + err.Error()) + } if IsPKCS12KeyStore(keyStoreConfig.KeyStoreType) { return getEncryptionKeyFromPKCS12(keyStoreConfig.KeyStorePath, string(keyStorePassword)) } return getEncryptionKeyFromJKS(keyStoreConfig, keyStorePassword) }Apply a similar pattern at line 198 for
keyPassworddecoding.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/utils/encryptionUtils.go` around lines 184 - 190, The getEncryptionKey function ignores the error return value when calling base64.StdEncoding.DecodeString on keyStoreConfig.KeyStorePassword at line 185. Modify the code to capture both the decoded bytes and the error from the DecodeString call, then check if the error is not nil and return it early with a descriptive error message. Apply the same pattern to the keyPassword decoding at line 198 to ensure all base64 decode operations are properly validated before being used in downstream operations.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@cmd/utils/encryptionUtils.go`:
- Around line 184-190: The getEncryptionKey function ignores the error return
value when calling base64.StdEncoding.DecodeString on
keyStoreConfig.KeyStorePassword at line 185. Modify the code to capture both the
decoded bytes and the error from the DecodeString call, then check if the error
is not nil and return it early with a descriptive error message. Apply the same
pattern to the keyPassword decoding at line 198 to ensure all base64 decode
operations are properly validated before being used in downstream operations.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 758404b4-9a08-4b62-80a1-68953cef3aec
⛔ Files ignored due to path filters (1)
cmd/go.sumis excluded by!**/*.sum
📒 Files selected for processing (5)
cmd/cmd/secret/init.gocmd/docs/mi_secret_init.mdcmd/go.modcmd/utils/encryptionUtils.gocmd/utils/encryptionUtils_test.go
Purpose
$subject
Currently, our CLI supports only JKS type keystore files when encrypting keys. This PR will add an improvement to support PKCS12 type keystore when encrypting keys.