I have copied the content of the .crt and .key files to the Kubernetes secrets. Then I'm trying to read the same from the bash script when I deploy the application, and I am able to read it. It shows the data something like below (sample example):

CLIENT_KEY=absncb asdasdas asdasdasd asdasdasd== asdasddf

When I use the above displayed CLIENT_KEY to generate the .pkc12 file using the below shell script, I'm getting an error such as: pkcs12: Use -help for summary.

#!/bin/bash

hdlKey="absncb asdasdas asdasdasd asdasdasd== asdasddf"
hdlCert="absncb asdasdas asdasdasd asdasdasd== asdasddf asadasdii"

function checkHDLKey(){
  if [ -z "$hdlKey" ] || [ -z "$hdlCert" ]; then
    echo "ERROR - HDL values were not properly read"
  else
    echo "$hdlKey"
    echo "$hdlCert"
  fi
}

checkHDLKey

PCK12_PATH="/app/pk12/client-keystore.p12"

function generate_password {
  KEY=$(openssl rand -base64 16)
  echo "$KEY"
}

result=$(generate_password)
echo "$result"

function generate_pkc12_cert {
    # Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
    echo "Inside generate_pkc12_cert"
    (openssl pkcs12 -export -inkey $hdlKey -in $hdlCert -out "/app/pk12/client-keystore.p12" -password pass:$result)
    echo "Done generate_pkc12_cert "
}

generate_pkc12_cert

Any help would be appreciated. Also, is this the right way to read it?

coders
    To get some useful hints paste your script at http://www.shellcheck.net/. – Cyrus Apr 25 '23 at 21:10
  • `-in` and `-inkey` expect filenames, not literal key data. Write your variables to files, pass the names of those files. And as Cyrus says, paste your script to shellcheck and fix all the quoting bugs it gives you. – Charles Duffy Apr 25 '23 at 21:14
  • BTW, you can get a file reference that when read will return a variable's contents with something like `-in <(printf '%s\n' "$hdlCert")`. Same works for `-inkey <(printf '%s\n' "$hdlKey")`. – Charles Duffy Apr 25 '23 at 21:16
  • Hi @CharlesDuffy, I'm getting the values from the sealed secrets. When I read it, it's showing data as below...MIIC+TCCAeECCQDpEYmrobxxxzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJV UzETMBEGA1UECAwKQ2FsaWZvcm5pYTEMMAoGA1UEBwwDTlBCMQwwCgYDVQQKDANT QVAxCzAJBgNVBAsMAkNYMRcwFQYDVQQDDA5EUC1ERVYtSERMLVVTMjAeFw0yMzAz MjkyMzUyMzZaFw0yMzA3MDcyMzUyMzZaMBkxFzAVBgNVBAMMDkRQLURFVi1IREwt VVMyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtFKTPsKh7vCSwrOX 0EqUUh3ygO0N3nQcAwopcjoF+xjGgZO54ZJdJV71e2yUdAMMdLPKdq09MiNtK/D4 SSP5YWoF7X0S+pJQI3K3SybhcNVWEFs0XngzA747dDVekTjnaQpsmV8OUyjYQGRG – coders Apr 25 '23 at 21:18
  • @CharlesDuffy we don't have a file in the sealed secret. The contents are stored like I have pasted above. – coders Apr 25 '23 at 21:32
  • Try `echo <(echo hello)` -- you'll see it provides a filename (like `/dev/fd/10` or such, typically, but a filename nonetheless). – Charles Duffy Apr 26 '23 at 17:15
  • Anyhow -- at a glance, what you posted looks like base64-encoded data, which is typically right for handling binary content like private keys. Not every key format is PEM, and you need to figure out what you have and adjust your openssl commands to match. – Charles Duffy Apr 26 '23 at 17:15
  • If what you need is a binary decode of the base64 content, then that may be as simple as `<(base64 -d <<<"$hdlKey")`, but I can't say without seeing the real data, and of course you shouldn't show real key data here (if you _did_ post a real key, it would be obligatory to tell your ops team so they could rotate it out and generate a new one). – Charles Duffy Apr 26 '23 at 17:19
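Putting the comments' advice together, here is an added example script (not the asker's script and not written by any of the commenters). It assumes the secret values arrive in the variables CLIENT_KEY and CLIENT_CERT either as full PEM blocks or as the bare base64 body with its newlines turned into spaces (the shape shown in the question), and that P12_PASS and KEY_LABEL are names chosen here.

```shell
#!/bin/sh
# Added example (not the asker's script): build a PKCS#12 file from key and
# certificate material held in shell variables, e.g. injected from a Kubernetes
# Secret as environment variables. CLIENT_KEY, CLIENT_CERT, P12_PASS and
# KEY_LABEL are assumed names, not anything from the question.
set -eu

# Print the material as PEM. A decoded Secret value may already be a PEM block,
# or (as in the comments above) just the base64 body with its newlines turned
# into spaces; the second form is re-wrapped at 64 columns inside PEM armour.
to_pem() {
  material=$1 label=$2          # label: "PRIVATE KEY" or "CERTIFICATE"
  case $material in
    *"-----BEGIN "*) printf '%s\n' "$material" ;;
    *)
      b64=$(printf '%s' "$material" | tr -d ' \t\r\n')
      printf '%s\n' "-----BEGIN $label-----"
      printf '%s\n' "$b64" | fold -w 64
      printf '%s\n' "-----END $label-----" ;;
  esac
}

# Write key and cert to files openssl can open, then export them as PKCS#12.
# With bash, process substitution (-inkey <(to_pem ...)) avoids the temp files
# entirely; the portable version below keeps them private and short-lived.
build_p12() {
  key_material=$1 cert_material=$2 out=$3
  : "${P12_PASS:?set P12_PASS, e.g. P12_PASS=\$(openssl rand -base64 16)}"
  export P12_PASS
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT           # remove the key file however we exit
  (
    umask 077                         # temp files readable by this user only
    # "PRIVATE KEY" fits a PKCS#8 DER body; a traditional RSA key (PKCS#1)
    # must be labelled "RSA PRIVATE KEY" or openssl will reject it.
    to_pem "$key_material" "${KEY_LABEL:-PRIVATE KEY}" >"$tmp/key.pem"
    to_pem "$cert_material" CERTIFICATE >"$tmp/cert.pem"
    # -inkey/-in take filenames, and -passout env: keeps the password out of
    # argv, so neither key material nor password shows up in `ps` or logs.
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
      -out "$out" -passout env:P12_PASS
  )
}

# Usage: CLIENT_KEY=... CLIENT_CERT=... P12_PASS=... ./mkp12.sh /app/pk12/client-keystore.p12
if [ $# -eq 1 ]; then
  build_p12 "${CLIENT_KEY:?}" "${CLIENT_CERT:?}" "$1"
fi
```

Whether the key body is PKCS#8 or PKCS#1 can be checked once on a workstation with openssl asn1parse; only the label has to match, the base64 itself is unchanged.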

0 Answers