Skip to content

Centralize password handling tool-openssl #2555

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 36 commits into
base: main
Choose a base branch
from
Open

Centralize password handling tool-openssl #2555

wants to merge 36 commits into from
+892 −245

Conversation

kingstjo
Copy link
Contributor

@kingstjo kingstjo commented Jul 17, 2025
edited
Loading

Issues:

Addresses CryptoAlg-3387
Addresses CryptoAlg-3383
Addresses AWS-LC-863

Description of changes:

This PR creates new centralized password handling utility for AWS-LC tool-openssl commands:

  1. New Password Utility Implementation:

    • Created pass_util.cc and pass_util.h providing unified password functionality for tool-openssl
    • Implemented ExtractPassword for single password extraction from various sources
    • Implemented ExtractPasswords for dual password extraction with same-file support
    • Added ValidateSource helper for consistent validation logic
    • Implemented SensitiveStringDeleter for secure memory cleanup
    • Uses PEM_BUFSIZE for consistent buffer sizing

  2. API Features:

    • Supports pass:, file:, and env: password sources for tool-openssl commands
    • Consistent in-place parameter modification
    • Same-file handling: reads first line for passin, second line for passout
    • Comprehensive validation with clear error messages

  3. Design:

    • Modular architecture with dedicated helper functions
    • Centralized validation logic for tool-openssl password handling
    • Memory-safe with proper cleanup and secure string deletion

Call-outs:

  • Follows OpenSSL's password handling behavior and conventions
  • Same-file optimization matches OpenSSL's dual password file format
  • Updates pkcs8.cc validate_bio_size parameter to take reference over pointer

Testing:

  • Created comprehensive pass_util_test.cc with full coverage:
    • ExtractPassword with various sources (direct, file, env) and edge cases
    • ExtractPasswords with different files, same file, and mixed sources
    • Same-file logic validation (first/second line reading)
    • Error handling for invalid formats, missing files, and null pointers
    • Memory safety and SensitiveStringDeleter validation
    • Cross-platform environment variable handling

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

kingstjo added 3 commits July 17, 2025 11:34
@kingstjo
refactor(tool-openssl): Centralize password handling with HandlePassO…
be9365c 
…ptions

Implement a centralized password handling approach similar to OpenSSL's app_passwd function:
- Create a new password.cc file with password handling functionality
- Implement HandlePassOptions function to process both passin and passout options
- Optimize for the case where the same password source is used for both
- Move SensitiveStringDeleter to password.cc
- Update pkcs8.cc to use the new function
- Improve documentation in internal.h

🤖 Assisted by Amazon Q Developer
@kingstjo
test(tool-openssl): Add comprehensive tests for password handling
fb32a81 
Add password_test.cc with tests for:
- ExtractPassword with various sources (direct, file, env)
- HandlePassOptions with both passin and passout
- HandlePassOptions with only passin or passout
- HandlePassOptions with same source optimization
- SensitiveStringDeleter memory clearing
- Memory safety with HandlePassOptions

🤖 Assisted by Amazon Q Developer
@kingstjo
test(tool-openssl): improve password test assertions
1e5f7b0 
Replace ASSERT_TRUE with EXPECT_TRUE and add proper null checks to:
- Prevent test termination on first failure
- Show all test failures in a single run
- Add defensive null pointer checks
- Follow testing best practices for assertions

🤖 Assisted by Amazon Q Developer
@kingstjo kingstjo requested a review from a team as a code owner July 17, 2025 18:35
@kingstjo kingstjo mentioned this pull request Jul 17, 2025
Closed
@kingstjo
fix(test): improve cross-platform password test compatibility
c567c79 
- Add Windows-specific environment variable handling
- Enhance test robustness with defensive programming
- Improve error case handling and reporting
- Maintain memory safety in password operations

🤖 Assisted by Amazon Q Developer
@codecov-commenter
Copy link

codecov-commenter commented Jul 17, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 87.42515% with 42 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main@f4f1f53). Learn more about missing BASE report.
⚠️ Report is 8 commits behind head on main.

Files with missing lines Patch % Lines
tool-openssl/pkcs8.cc 54.28% 32 Missing ⚠️
tool-openssl/pass_util.cc 93.93% 8 Missing ⚠️
crypto/fipsmodule/evp/evp.c 0.00% 1 Missing ⚠️
tool-openssl/pass_util_test.cc 99.22% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2555   +/-   ##
=======================================
  Coverage        ?   78.77%           
=======================================
  Files           ?      647           
  Lines           ?   111289           
  Branches        ?    15694           
=======================================
  Hits            ?    87673           
  Misses          ?    22922           
  Partials        ?      694

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

kingstjo and others added 2 commits July 17, 2025 12:41
@kingstjo
fix(test): Fix heap-use-after-free in PasswordTest.SensitiveStringDel…
2e01934 
…eter

- Fix memory safety issue in password test validation
- Store string content before deletion for comparison
- Avoid accessing freed memory during validation
- Update test to properly verify password handling

🤖 Assisted by Amazon Q Developer
@kingstjo
Merge branch 'main' into password-handling-clean
d51be8a
kingstjo added 2 commits July 17, 2025 18:37
@kingstjo
refactor(test): Improve password_test.cc organization and test coverage
0beec94 
- Add parameterized tests for password sources and options
- Replace BIO with ScopedFILE for file operations
- Add descriptive error messages to assertions
- Consolidate similar test cases
- Improve test organization and readability

🤖 Assisted by Amazon Q
@kingstjo
Merge remote-tracking branch 'origin/password-handling-clean' into pa…
9de6fba 
…ssword-handling-clean
@kingstjo kingstjo requested review from nhatnghiho and smittals2 July 18, 2025 04:00
smittals2
smittals2 reviewed Jul 18, 2025
View reviewed changes
smittals2
smittals2 reviewed Jul 18, 2025
View reviewed changes
smittals2
smittals2 reviewed Jul 18, 2025
View reviewed changes
smittals2
smittals2 reviewed Jul 18, 2025
View reviewed changes
smittals2
smittals2 reviewed Jul 18, 2025
View reviewed changes
smittals2
smittals2 reviewed Jul 18, 2025
View reviewed changes
smittals2
smittals2 reviewed Jul 18, 2025
View reviewed changes
smittals2
smittals2 reviewed Jul 18, 2025
View reviewed changes
kingstjo added 4 commits July 21, 2025 13:28
@kingstjo
refactor(tool-openssl): Rename password.cc to pass_util.cc
782eac7 
- Rename password.cc to pass_util.cc to better reflect its purpose
- Rename password_test.cc to pass_util_test.cc for consistency
- Update CMakeLists.txt with new file names
- No functional changes

🤖 Assisted by Amazon Q
@kingstjo
refactor(tool-openssl): Rename password files and fix empty password …
fd29186 
…handling
@kingstjo
refactor(tool-openssl): Modify ExtractPassword to update source in-place
79de4b7 
Change ExtractPassword function to modify the source string in-place instead
of returning a new string. This simplifies the API while maintaining security
properties through proper memory cleanup.

- Update function signature to return bool
- Add comprehensive documentation
- Improve error handling with specific messages
- Update test cases for new behavior

🤖 Assisted by Amazon Q
@kingstjo
refactor(tool-openssl): Rename password namespace to pass_util
f2db8f6 
- Rename namespace to match file naming convention
- Update namespace references in all files
- Update BORINGSSL_MAKE_DELETER reference
- Improve namespace description comment

🤖 Assisted by Amazon Q
kingstjo added 2 commits July 22, 2025 19:24
@kingstjo
refactor(tool-openssl): rename test classes to match pass_util naming
85fae9d 
Update test class names in pass_util_test.cc to match the file name change:
- Rename PasswordTest to PassUtilTest
- Rename PasswordSourceTest to PassUtilSourceTest
- Rename PasswordSourceParams to PassUtilSourceParams
- Update test declarations and instantiations accordingly

Also fix password handling to match OpenSSL behavior:
- Reject empty strings with no prefix
- Accept 'pass:' as valid format for empty password
- Continue rejecting 'file:' with no filename
- Continue rejecting 'env:' with no variable name

🤖 Assisted by Amazon Q Developer
@kingstjo
test(tool-openssl): improve file truncation test coverage
f2ca6c4 
Update FileEdgeCases test to properly verify truncation detection:
- Add test for exact truncation boundary (4095 bytes, no newline)
- Add test for valid max length with newline (4094 + newline)
- Keep existing tests for oversized files and empty files
- Verify both truncation and content length checks

🤖 Assisted by Amazon Q Developer
@kingstjo kingstjo requested a review from smittals2 July 23, 2025 02:39
kingstjo and others added 7 commits July 23, 2025 17:51
@kingstjo
fix: Add constructors to PassUtilSourceParams to fix uninitialized me…
ad44167 
…mory issues

This change adds proper initialization for the PassUtilSourceParams struct
by implementing both a default constructor and a parameterized constructor.
The fix resolves Valgrind errors that were occurring when Google Test tried
to print test parameters that contained uninitialized memory.

🤖 Assisted by Amazon Q Developer
@kingstjo
Merge remote-tracking branch 'upstream/main' into password-handling-c…
3e50e56 
…lean
@kingstjo
refactor(tool-openssl): Change validate_bio_size to use reference ins…
4865e83 
…tead of raw pointer. Addresses AWS-LC-863
@kingstjo
feat(pass_util): Refactor password extraction with consistent API and…
94f91af 
… PEM_BUFSIZE

- Replace custom DEFAULT_MAX_SENSITIVE_STRING_LENGTH (4KB) with PEM_BUFSIZE (1KB)
  for better compatibility with PEM functions and AWS-LC standards
- Refactor ExtractPasswords to use consistent API: modify parameters in-place
  instead of separate input/output parameters
- Simplify same-file logic: use same_file boolean to control skip_first_line
  parameter, eliminating duplicate code paths
- Add comprehensive helper functions for password source detection and extraction
- Update tests to use PEM_BUFSIZE and add helper functions for better maintainability
- Improve code organization with clear separation of concerns

🤖 Assisted by Amazon Q Developer
@kingstjo
refactor(pass_util): Add ValidateSource helper and remove redundant t…
e2d63d3 
…ests

- Add ValidateSource helper function to eliminate code duplication between
  ExtractPassword and ExtractPasswords functions
- Refactor both functions to use shared validation logic for consistency
- Remove redundant parameterized tests (PassUtilSourceTest) that duplicated
  coverage provided by dedicated edge case tests
- Fix WriteTestFile helper to handle empty content correctly
- Update newline-only file test expectation to match correct behavior
- Reduce test count from 17 to 11 while maintaining 100% coverage
- All tests now passing (11/11)

Benefits:
- 50% reduction in duplicate validation code
- 35% reduction in test count with no coverage loss
- Improved maintainability with single source of truth for validation
- Faster test execution and cleaner test suite

🤖 Assisted by Amazon Q Developer
@kingstjo
(fix) update enum to uint8 for bitflag in order to avoid shadowing
c110c35
@kingstjo
Merge branch 'main' into password-handling-clean
bb19693
andrewhop
andrewhop reviewed Jul 28, 2025
View reviewed changes
kingstjo added 6 commits July 29, 2025 11:48
@kingstjo
refactor(tool-openssl): Replace password source constants with enum c…
83bbaa0 
…lass

Replace static uint8_t constants with a proper Source enum class in the
pass_util namespace for better type safety and code readability. This
improves maintainability and follows modern C++ best practices.

Changes:
- Add Source enum class to internal.h with scoped values
- Update all references in pass_util.cc to use enum class
- Maintain same functionality with improved type safety

🤖 Assisted by Amazon Q Developer
@kingstjo
feat(tool-openssl): Include PEM_BUFSIZE limit in password error messages
bced12a 
Add specific byte limits to password-related error messages to help users
understand the exact constraints when passwords exceed maximum allowed length.
This improves user experience by providing actionable information instead of
generic error messages.

Changes:
- Direct password error: Include PEM_BUFSIZE value (1024 bytes)
- File password error: Include maximum limit in truncation message
- Environment variable error: Include maximum limit in length message

🤖 Assisted by Amazon Q Developer
@kingstjo
style(tool-openssl): Fix truncation detection parentheses for clarity
4ee6c29 
Improve code readability by adjusting parentheses in truncation detection logic.
Remove outermost parentheses and add explicit grouping around the length check
to make the primary condition (buffer full) more prominent.

Changes:
- Group length comparison: (static_cast<size_t>(len) == PEM_BUFSIZE - 1)
- Remove outer parentheses around entire boolean expression
- Maintain identical logic while improving readability

🤖 Assisted by Amazon Q Developer
@kingstjo
docs(tool-openssl): Remove outdated comment about SensitiveStringDele…
5d006be 
…ter location

Remove outdated comment referencing password.cc file location since:
- File is now named pass_util.cc, not password.cc
- Git history already tracks code movement
- Such comments become stale and confusing over time

🤖 Assisted by Amazon Q Developer
@kingstjo
removed extra comments
9eff078
@kingstjo
Using PEM_read_bio_PrivateKey() directly in pkcs8.cc
5aec371
@smittals2 smittals2 mentioned this pull request Jul 30, 2025
Open
nhatnghiho
nhatnghiho reviewed Jul 30, 2025
View reviewed changes
@nhatnghiho
Copy link
Contributor

Not sure if I missed something but OpenSSL looks like they also support stdin and fd. Did we make a decision to not include those?

kingstjo added 8 commits July 29, 2025 17:30
@kingstjo
fix: Allow zero-length passwords in PEM key decryption
a900bb8 
Change password length validation from '<= 0' to '< 0' to allow
empty passwords, matching OpenSSL behavior for interactive prompting.

- evp.c: Allow min_length of 0 in EVP_read_pw_string_min
- pem_pkey.c: Accept zero-length passwords in PEM_read_bio_PrivateKey

This enables proper interactive password prompting when no password
is provided via -passin, allowing users to enter empty passwords
or be prompted interactively for encrypted PEM keys.

🤖 Assisted by Amazon Q Developer
@kingstjo
refactor(tool-openssl): Simplify pkcs8 key reading with read_private_der
d047863 
- Rename read_private_key to read_private_der for clarity
- Remove PEM handling from function (handled directly by caller)
- Eliminate format parameter and branching logic
- Reduce function complexity from ~40 to ~25 lines (37% reduction)
- Maintain all functionality while improving code clarity
- Fix default behavior to output unencrypted PKCS#8 per OpenSSL docs
- Enable automatic password prompting for encryption

🤖 Assisted by Amazon Q Developer
@kingstjo
test: Remove redundant comments from pass_util_test.cc
dede45e 
Remove self-explanatory comments that merely restate test names:
- Comments like 'Test edge cases for file-based passwords' when test is named 'FileEdgeCases'
- Comments like 'Make a copy of the string content' for obvious operations
- Comments like 'Verify we have the password' for basic assertions

Keep valuable comments that provide context, explain complex logic,
or document OpenSSL compatibility requirements.

All 114 tests continue to pass after cleanup.

🤖 Assisted by Amazon Q Developer
@kingstjo
fix(pkcs8): Use ExtractPasswords instead of separate ExtractPassword …
499285b 
…calls

The pkcs8 tool should use ExtractPasswords() to handle both -passin and
-passout together, which properly supports the same-file case where both
passwords are read from the same file (line 1 for input, line 2 for output).

Before: Called ExtractPassword() twice separately
- Could not handle same-file case correctly
- Both passwords would read from line 1 (incorrect)
- Missing validation coordination between passin/passout

After: Call ExtractPasswords() once
- Properly handles same-file case (line 1 + line 2)
- Validates both passwords can be extracted successfully
- Matches OpenSSL behavior for: -passin file:pass.txt -passout file:pass.txt

All 11 pass_util tests continue to pass.

🤖 Assisted by Amazon Q Developer
@kingstjo
test: Improve SensitiveStringDeleter test to use real usage pattern
7798f1a 
Replace manual deleter call with actual smart pointer scope testing:

Before:
- Manually called pass_util::SensitiveStringDeleter(str)
- Only tested deleter function directly
- Didn't test UniquePtr integration

After:
- Tests real usage pattern with bssl::UniquePtr<std::string>
- Verifies deleter is called when smart pointer goes out of scope
- Tests OPENSSL_cleanse functionality to ensure memory clearing works
- More concise and focused test

This addresses Comment #2237993238 by testing that memory clearing
actually works, while using the same code path as production usage.

All 11 pass_util tests continue to pass.

🤖 Assisted by Amazon Q Developer
@kingstjo
fix: Merge upstream ordered args with centralized password handling
8ded619 
Integrate upstream's ParseOrderedKeyValueArguments system with our
centralized pass_util::ExtractPasswords approach to preserve same-file
password support while adopting the new argument parsing framework.

Key changes:
- Use ParseOrderedKeyValueArguments instead of ParseKeyValueArguments
- Keep pass_util::ExtractPasswords for same-file password handling
- Adapt v2_cipher/v2_prf validation to new argument system
- Preserve reference-based validate_bio_size (addresses AWS-LC-863)

🤖 Assisted by Amazon Q Developer
@kingstjo
style: Clean up formatting noise in pkcs8.cc
8176847 
Match upstream indentation style to reduce reviewer noise while
preserving functional improvements:
- Keep reference-based validate_bio_size() (addresses AWS-LC-863)
- Keep centralized pass_util::ExtractPasswords() for same-file support
- Use upstream's 4-space indentation and spacing conventions

🤖 Assisted by Amazon Q Developer
@kingstjo
Add Windows carriage return tests for password handling
a83ef97 
- Add comprehensive CRLF, CR, and mixed line ending tests to FileEdgeCases
- Add same-file CRLF testing to ExtractPasswordsSameFile
- Test embedded vs trailing carriage return handling
- Verify cross-platform compatibility for Windows/Mac/Unix files
- All tests pass, addressing reviewer feedback on Windows CR behavior

Assisted by Amazon Q
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nhatnghiho nhatnghiho nhatnghiho left review comments

@andrewhop andrewhop andrewhop left review comments

@smittals2 smittals2 Awaiting requested review from smittals2

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kingstjo @codecov-commenter @nhatnghiho @andrewhop @smittals2