Send passwords via environment variables

When passing secrets via the command line, they are visible in the process list. Regardless of how brief that is, it is a security issue because non-privileged users can read them. This passes them in via environment variables, which on the supported operating systems can be considered safe.
voxpupuli · Aug 19, 2024 · 25df787 · 25df787
1 parent 6e1c856
commit 25df787
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 30 deletions.
diff --git a/lib/puppet/provider/x509_cert/openssl.rb b/lib/puppet/provider/x509_cert/openssl.rb
@@ -57,6 +57,8 @@ def exists?
   end
 
   def create
+    env = {}
+
     if resource[:csr]
       options = [
         'x509',
@@ -92,9 +94,12 @@ def create
 
     password = resource[:cakey_password] || resource[:password]
 
-    options << ['-passin', "pass:#{password}"] if password
+    if password
+      options << ['-passin', 'env:CERTIFICATE_PASSIN']
+      env['CERTIFICATE_PASSIN'] = password
+    end
     options << ['-extensions', 'v3_req'] if resource[:req_ext] != :false
-    openssl options
+    openssl options, environment: env
   end
 
   def destroy

diff --git a/lib/puppet/provider/x509_request/openssl.rb b/lib/puppet/provider/x509_request/openssl.rb
@@ -28,17 +28,21 @@ def exists?
   end
 
   def create
+    env = {}
     options = [
       'req', '-new',
       '-key', resource[:private_key],
       '-config', resource[:template],
       '-out', resource[:path]
     ]
 
-    options << ['-passin', "pass:#{resource[:password]}"] if resource[:password]
+    if resource[:password]
+      options << ['-passin', 'env:CERTIFICATE_PASSIN']
+      env['CERTIFICATE_PASSIN'] = resource[:password]
+    end
     options << ['-nodes'] unless resource[:encrypted]
 
-    openssl options
+    openssl options, environment: env
   end
 
   def destroy

diff --git a/manifests/export/pem_cert.pp b/manifests/export/pem_cert.pp
@@ -44,9 +44,12 @@
     $in_cert    = $pfx_cert
   }
 
-  $passin_opt = $in_pass ? {
-    undef   => [],
-    default => ['-nokeys', '-passin', "pass:${in_pass}"],
+  if $in_pass {
+    $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+    $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
+  } else {
+    $passin_opt = []
+    $passin_env = []
   }
 
   if $ensure == 'present' {
@@ -62,9 +65,10 @@
     }
 
     exec { "Export ${in_cert} to ${pem_cert}":
-      command => $cmd,
-      path    => $facts['path'],
-      *       => $exec_params,
+      command     => $cmd,
+      environment => $passin_env
+      path        => $facts['path'],
+      *           => $exec_params,
     }
   } else {
     file { $pem_cert:

diff --git a/manifests/export/pem_key.pp b/manifests/export/pem_key.pp
@@ -25,14 +25,20 @@
   Optional[String]           $out_pass  = undef,
 ) {
   if $ensure == 'present' {
-    $passin_opt = $in_pass ? {
-      undef   => [],
-      default => ['-passin', "pass:${in_pass}"],
+    if $in_pass {
+      $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+      $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
+    } else {
+      $passin_opt = []
+      $passin_env = []
     }
 
-    $passout_opt = $out_pass ? {
-      undef   => ['-nodes'],
-      default => ['-passout', "pass:${out_pass}"],
+    if $out_pass {
+      $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+      $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
+    } else {
+      $passout_opt = []
+      $passout_env = []
     }
 
     $cmd = [
@@ -52,9 +58,10 @@
     }
 
     exec { "Export ${pfx_cert} to ${pem_key}":
-      command => $cmd,
-      path    => $facts['path'],
-      *       => $exec_params,
+      command     => $cmd,
+      environment => $passin_env + $passout_env,
+      path        => $facts['path'],
+      *           => $exec_params,
     }
   } else {
     file { $pem_key:

diff --git a/manifests/export/pkcs12.pp b/manifests/export/pkcs12.pp
@@ -33,14 +33,20 @@
   $full_path = "${basedir}/${name}.p12"
 
   if $ensure == 'present' {
-    $pass_opt = $in_pass ? {
-      undef   => [],
-      default => ['-passin', "pass:${in_pass}"],
+    if $in_pass {
+      $passin_opt = ['-nokeys', '-passin', 'env:CERTIFICATE_PASSIN']
+      $passin_env = ["CERTIFICATE_PASSIN=${in_pass}"]
+    } else {
+      $passin_opt = []
+      $passin_env = []
     }
 
-    $passout_opt = $out_pass ? {
-      undef   => [],
-      default => ['-passout', "pass:${out_pass}"],
+    if $out_pass {
+      $passout_opt = ['-nokeys', '-passout', 'env:CERTIFICATE_PASSOUT']
+      $passout_env = ["CERTIFICATE_PASSOUT=${out_pass}"]
+    } else {
+      $passout_opt = []
+      $passout_env = []
     }
 
     $chain_opt = $chaincert ? {
@@ -55,7 +61,7 @@
       '-out', $full_path,
       '-name', $name,
       '-nodes', '-noiter',
-    ] + $chain_opt + $pass_opt + $passout_opt
+    ] + $chain_opt + $passin_opt + $passout_opt
 
     if $dynamic {
       $exec_params = {
@@ -67,9 +73,10 @@
     }
 
     exec { "Export ${name} to ${full_path}":
-      command => $cmd,
-      path    => $facts['path'],
-      *       => $exec_params,
+      command     => $cmd,
+      environment => $passin_env + $passout_env,
+      path        => $facts['path'],
+      *           => $exec_params,
     }
   } else {
     file { $full_path:

diff --git a/spec/defines/openssl_export_pem_cert_spec.rb b/spec/defines/openssl_export_pem_cert_spec.rb
@@ -79,7 +79,8 @@
 
     it {
       is_expected.to contain_exec('Export /etc/ssl/certs/foo.pfx to /etc/ssl/certs/foo.pem').with(
-        command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'pass:5r$}^'],
+        command: ['openssl', 'pkcs12', '-in', '/etc/ssl/certs/foo.pfx', '-out', '/etc/ssl/certs/foo.pem', '-nokeys', '-passin', 'env:CERTIFICATE_PASSIN'],
+        environment: ['CERTIFICATE_PASSIN=5r$}^'],
         creates: '/etc/ssl/certs/foo.pem',
         path: '/usr/bin:/bin:/usr/sbin:/sbin'
       )