Centralize password handling tool-openssl #2555
kingstjo wants to merge 43 commits into aws:main from kingstjo:password-handling-clean
+1,053 −245
Conversation
…ptions

Implement a centralized password handling approach similar to OpenSSL's app_passwd function:
- Create a new password.cc file with password handling functionality
- Implement HandlePassOptions function to process both passin and passout options
- Optimize for the case where the same password source is used for both
- Move SensitiveStringDeleter to password.cc
- Update pkcs8.cc to use the new function
- Improve documentation in internal.h

🤖 Assisted by Amazon Q Developer

Add password_test.cc with tests for:
- ExtractPassword with various sources (direct, file, env)
- HandlePassOptions with both passin and passout
- HandlePassOptions with only passin or passout
- HandlePassOptions with same source optimization
- SensitiveStringDeleter memory clearing
- Memory safety with HandlePassOptions

🤖 Assisted by Amazon Q Developer

Replace ASSERT_TRUE with EXPECT_TRUE and add proper null checks to:
- Prevent test termination on first failure
- Show all test failures in a single run
- Add defensive null pointer checks
- Follow testing best practices for assertions

🤖 Assisted by Amazon Q Developer

- Add Windows-specific environment variable handling
- Enhance test robustness with defensive programming
- Improve error case handling and reporting
- Maintain memory safety in password operations

🤖 Assisted by Amazon Q Developer
Codecov Report ❌ Patch coverage is

Coverage Diff (main vs #2555):

              main     #2555      +/-
  ==========================================
+ Coverage    78.74%   78.82%   +0.08%
  ==========================================
  Files          646      648       +2
  Lines       111238   111540     +302
  Branches     15712    15730      +18
  ==========================================
+ Hits         87591    87924     +333
+ Misses       22953    22922      -31
  Partials       694      694
…eter

- Fix memory safety issue in password test validation
- Store string content before deletion for comparison
- Avoid accessing freed memory during validation
- Update test to properly verify password handling

🤖 Assisted by Amazon Q Developer

- Add parameterized tests for password sources and options
- Replace BIO with ScopedFILE for file operations
- Add descriptive error messages to assertions
- Consolidate similar test cases
- Improve test organization and readability

🤖 Assisted by Amazon Q

…ssword-handling-clean
smittals2 reviewed Jul 18, 2025
- Rename password.cc to pass_util.cc to better reflect its purpose
- Rename password_test.cc to pass_util_test.cc for consistency
- Update CMakeLists.txt with new file names
- No functional changes

🤖 Assisted by Amazon Q

Change ExtractPassword function to modify the source string in-place instead of returning a new string. This simplifies the API while maintaining security properties through proper memory cleanup.
- Update function signature to return bool
- Add comprehensive documentation
- Improve error handling with specific messages
- Update test cases for new behavior

🤖 Assisted by Amazon Q

- Rename namespace to match file naming convention
- Update namespace references in all files
- Update BORINGSSL_MAKE_DELETER reference
- Improve namespace description comment

🤖 Assisted by Amazon Q
andrewhop reviewed Jul 28, 2025
…lass

Replace static uint8_t constants with a proper Source enum class in the pass_util namespace for better type safety and code readability. This improves maintainability and follows modern C++ best practices.

Changes:
- Add Source enum class to internal.h with scoped values
- Update all references in pass_util.cc to use enum class
- Maintain same functionality with improved type safety

🤖 Assisted by Amazon Q Developer

Add specific byte limits to password-related error messages to help users understand the exact constraints when passwords exceed maximum allowed length. This improves user experience by providing actionable information instead of generic error messages.

Changes:
- Direct password error: Include PEM_BUFSIZE value (1024 bytes)
- File password error: Include maximum limit in truncation message
- Environment variable error: Include maximum limit in length message

🤖 Assisted by Amazon Q Developer

Improve code readability by adjusting parentheses in truncation detection logic. Remove outermost parentheses and add explicit grouping around the length check to make the primary condition (buffer full) more prominent.

Changes:
- Group length comparison: (static_cast<size_t>(len) == PEM_BUFSIZE - 1)
- Remove outer parentheses around entire boolean expression
- Maintain identical logic while improving readability

🤖 Assisted by Amazon Q Developer

…ter location

Remove outdated comment referencing password.cc file location since:
- File is now named pass_util.cc, not password.cc
- Git history already tracks code movement
- Such comments become stale and confusing over time

🤖 Assisted by Amazon Q Developer
nhatnghiho reviewed Jul 30, 2025
Change password length validation from '<= 0' to '< 0' to allow empty passwords, matching OpenSSL behavior for interactive prompting.
- evp.c: Allow min_length of 0 in EVP_read_pw_string_min
- pem_pkey.c: Accept zero-length passwords in PEM_read_bio_PrivateKey

This enables proper interactive password prompting when no password is provided via -passin, allowing users to enter empty passwords or be prompted interactively for encrypted PEM keys.

🤖 Assisted by Amazon Q Developer

- Rename read_private_key to read_private_der for clarity
- Remove PEM handling from function (handled directly by caller)
- Eliminate format parameter and branching logic
- Reduce function complexity from ~40 to ~25 lines (37% reduction)
- Maintain all functionality while improving code clarity
- Fix default behavior to output unencrypted PKCS#8 per OpenSSL docs
- Enable automatic password prompting for encryption

🤖 Assisted by Amazon Q Developer

Remove self-explanatory comments that merely restate test names:
- Comments like 'Test edge cases for file-based passwords' when test is named 'FileEdgeCases'
- Comments like 'Make a copy of the string content' for obvious operations
- Comments like 'Verify we have the password' for basic assertions

Keep valuable comments that provide context, explain complex logic, or document OpenSSL compatibility requirements. All 114 tests continue to pass after cleanup.

🤖 Assisted by Amazon Q Developer

…calls

The pkcs8 tool should use ExtractPasswords() to handle both -passin and -passout together, which properly supports the same-file case where both passwords are read from the same file (line 1 for input, line 2 for output).

Before: Called ExtractPassword() twice separately
- Could not handle same-file case correctly
- Both passwords would read from line 1 (incorrect)
- Missing validation coordination between passin/passout

After: Call ExtractPasswords() once
- Properly handles same-file case (line 1 + line 2)
- Validates both passwords can be extracted successfully
- Matches OpenSSL behavior for: -passin file:pass.txt -passout file:pass.txt

All 11 pass_util tests continue to pass.

🤖 Assisted by Amazon Q Developer

Replace manual deleter call with actual smart pointer scope testing:

Before:
- Manually called pass_util::SensitiveStringDeleter(str)
- Only tested deleter function directly
- Didn't test UniquePtr integration

After:
- Tests real usage pattern with bssl::UniquePtr<std::string>
- Verifies deleter is called when smart pointer goes out of scope
- Tests OPENSSL_cleanse functionality to ensure memory clearing works
- More concise and focused test

This addresses Comment #2237993238 by testing that memory clearing actually works, while using the same code path as production usage. All 11 pass_util tests continue to pass.

🤖 Assisted by Amazon Q Developer

Integrate upstream's ParseOrderedKeyValueArguments system with our centralized pass_util::ExtractPasswords approach to preserve same-file password support while adopting the new argument parsing framework.

Key changes:
- Use ParseOrderedKeyValueArguments instead of ParseKeyValueArguments
- Keep pass_util::ExtractPasswords for same-file password handling
- Adapt v2_cipher/v2_prf validation to new argument system
- Preserve reference-based validate_bio_size (addresses AWS-LC-863)

🤖 Assisted by Amazon Q Developer

Match upstream indentation style to reduce reviewer noise while preserving functional improvements:
- Keep reference-based validate_bio_size() (addresses AWS-LC-863)
- Keep centralized pass_util::ExtractPasswords() for same-file support
- Use upstream's 4-space indentation and spacing conventions

🤖 Assisted by Amazon Q Developer

- Add comprehensive CRLF, CR, and mixed line ending tests to FileEdgeCases
- Add same-file CRLF testing to ExtractPasswordsSameFile
- Test embedded vs trailing carriage return handling
- Verify cross-platform compatibility for Windows/Mac/Unix files
- All tests pass, addressing reviewer feedback on Windows CR behavior

Assisted by Amazon Q

- Support using stdin for both -passin and -passout options
- Read first line for input password, second line for output password
- Matches OpenSSL behavior for dual stdin usage
- Refactor ExtractPasswordFromFile to ExtractPasswordFromStream
- Use lambda to eliminate code duplication
- Update documentation to reflect stdin support
- All tests pass, backward compatibility maintained

- Add fd:N password source support (Unix only, excluded on Windows)
- Refactor ExtractPasswordFromStream to use pass_util::Source enum
- Support dual fd usage (same fd for both passin and passout)
- Read first line for passin, second line for passout from same fd
- Use BIO_new_fd directly without buffering (AWS-LC supports BIO_gets on fd)
- Update documentation to include fd: option
- Maintain backward compatibility with existing functionality
- All tests pass, manual testing confirms fd functionality works
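As an added illustration (not the PR's pass_util code), the block below sketches how a passin/passout pair is resolved from pass:, env: and file: sources the way the commits above describe: the same-file case takes line 1 for passin and line 2 for passout, a trailing CR is dropped so CRLF files work, and anything that would not fit a PEM_BUFSIZE buffer is rejected. The demo namespace, kPemBufSize and WriteSampleFile are assumptions of this example; stdin and fd:N are left out so it runs offline.

```cpp
#include <cstdlib>
#include <fstream>
#include <string>
namespace demo {
// Stand-in for OpenSSL's PEM_BUFSIZE (1024): the buffer must keep room for
// a NUL terminator, so a password of 1024 bytes or more is rejected.
constexpr std::string::size_type kPemBufSize = 1024;
// Read one line, dropping a trailing CR so CRLF files behave like LF files,
// and reject a line that would not fit the PEM_BUFSIZE buffer.
bool ReadLine(std::istream &in, std::string &out) {
  if (!std::getline(in, out)) return false;
  if (!out.empty() && out.back() == '\r') out.pop_back();
  return out.size() < kPemBufSize;
}
// Resolve one "pass:", "env:" or "file:" spec. The real tool also accepts
// stdin and fd:N; both are left out here so the example runs offline.
bool ExtractPassword(const std::string &spec, std::string &out) {
  if (spec.compare(0, 5, "pass:") == 0) {
    out = spec.substr(5);
  } else if (spec.compare(0, 4, "env:") == 0) {
    const char *v = std::getenv(spec.substr(4).c_str());
    if (v == nullptr) return false;  // variable not set
    out = v;
  } else if (spec.compare(0, 5, "file:") == 0) {
    std::ifstream f(spec.substr(5));
    return f.is_open() && ReadLine(f, out);
  } else {
    return false;  // unknown source prefix
  }
  return out.size() < kPemBufSize;
}
// Same-file case from the PR: when -passin and -passout name one file, open
// it once and take line 1 for passin and line 2 for passout. Calling
// ExtractPassword twice would hand line 1 to both.
bool ExtractPasswords(const std::string &in_spec, const std::string &out_spec,
                      std::string &passin, std::string &passout) {
  if (in_spec == out_spec && in_spec.compare(0, 5, "file:") == 0) {
    std::ifstream f(in_spec.substr(5));
    return f.is_open() && ReadLine(f, passin) && ReadLine(f, passout);
  }
  return ExtractPassword(in_spec, passin) && ExtractPassword(out_spec, passout);
}
// Writes a constructed two-line, CRLF-terminated password file for the demo.
std::string WriteSampleFile() {
  const std::string path = "pass_demo_constructed.txt";
  std::ofstream f(path, std::ios::binary);
  f << "in-secret\r\nout-secret\r\n";
  return path;
}
}  // namespace demo
```

The real implementation additionally wipes the extracted strings with OPENSSL_cleanse through SensitiveStringDeleter; this sketch stops at the parsing and same-file logic.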
- Replace ternary operator with explicit if-else for fprintf calls
- Resolves C4774 warning treated as error on Windows CI
- Maintains same functionality with MSVC-compatible format strings

Can we add some tests for stdin and fd options as well?
- Add FdExtraction test for valid fd, invalid fd (-1), and non-numeric fd
- Add StdinExtraction test for single password from stdin
- Add StdinExtractPasswords test for dual passwords from stdin
- Fix write() return value checking for CI compatibility

- Wrap StdinExtraction and StdinExtractPasswords tests with #ifndef _WIN32
- pipe(), dup(), dup2(), STDIN_FILENO are Unix-only functions
- Tests will only run on Unix platforms where stdin redirection is supported
Issues:
Addresses CryptoAlg-3387
Addresses CryptoAlg-3383
Addresses AWS-LC-863

Description of changes:
This PR creates a new centralized password handling utility for AWS-LC tool-openssl commands:

New Password Utility Implementation:
- pass_util.cc and pass_util.h providing unified password functionality for tool-openssl
- ExtractPassword for single password extraction from various sources
- ExtractPasswords for dual password extraction with same-file support
- ValidateSource helper for consistent validation logic
- SensitiveStringDeleter for secure memory cleanup
- PEM_BUFSIZE for consistent buffer sizing

API Features:
- pass:, file:, env:, stdin, and fd password sources for tool-openssl commands
- fd is not supported for Windows

Design:

Call-outs:
- validate_bio_size parameter to take reference over pointer

Testing:
- pass_util_test.cc with full coverage:
  - ExtractPassword with various sources (direct, file, env) and edge cases
  - ExtractPasswords with different files, same file, and mixed sources
  - SensitiveStringDeleter validation

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.