x-pack/filebeat/input/{cel,httpjson}: fix PEM key validation

Previously the validation was attempting to parse the PEM text as a key and was also attempting to parse the data as the wrong kind of key.
elastic · Mar 19, 2024 · 97b2444 · 97b2444
1 parent 51974d9
commit 97b2444
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 4 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -102,6 +102,7 @@ fields added to events containing the Beats version. {pull}37553[37553]
 - Fix duplicated addition of regexp extension in CEL input. {pull}38181[38181]
 - Fix the incorrect values generated by the uri_parts processor. {pull}38216[38216]
 - Fix HTTPJSON handling of empty object bodies in POST requests. {issue}33961[33961] {pull}38290[38290]
+- Fix PEM key validation for CEL and HTTPJSON inputs. {pull}[]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/input/cel/config_auth.go b/x-pack/filebeat/input/cel/config_auth.go
@@ -5,9 +5,11 @@
 package cel
 
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -341,7 +343,14 @@ func (o *oAuth2Config) validateOktaProvider() error {
 	}
 	// jwk_pem
 	if o.OktaJWKPEM != "" {
-		_, err := x509.ParsePKCS1PrivateKey([]byte(o.OktaJWKPEM))
+		blk, rest := pem.Decode([]byte(o.OktaJWKPEM))
+		if rest := bytes.TrimSpace(rest); len(rest) != 0 {
+			return fmt.Errorf("PEM text has trailing data: %s", rest)
+		}
+		_, err := x509.ParsePKCS8PrivateKey(blk.Bytes)
+		if err != nil {
+			return fmt.Errorf("okta validation error: %w", err)
+		}
 		return err
 	}
 	// jwk_file

diff --git a/x-pack/filebeat/input/httpjson/config_auth.go b/x-pack/filebeat/input/httpjson/config_auth.go
@@ -5,9 +5,11 @@
 package httpjson
 
 import (
+	"bytes"
 	"context"
 	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -309,8 +311,15 @@ func (o *oAuth2Config) validateOktaProvider() error {
 	}
 	// jwk_pem
 	if o.OktaJWKPEM != "" {
-		_, err := x509.ParsePKCS1PrivateKey([]byte(o.OktaJWKPEM))
-		return err
+		blk, rest := pem.Decode([]byte(o.OktaJWKPEM))
+		if rest := bytes.TrimSpace(rest); len(rest) != 0 {
+			return fmt.Errorf("PEM text has trailing data: %s", rest)
+		}
+		_, err := x509.ParsePKCS8PrivateKey(blk.Bytes)
+		if err != nil {
+			return fmt.Errorf("okta validation error: %w", err)
+		}
+		return nil
 	}
 	// jwk_file
 	if o.OktaJWKFile != "" {

diff --git a/x-pack/filebeat/input/httpjson/config_okta_auth.go b/x-pack/filebeat/input/httpjson/config_okta_auth.go
@@ -179,7 +179,7 @@ func signJWT(cnf *oauth2.Config, key any) (string, error) {
 		Expiration(now.Add(time.Hour)).
 		Build()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to create token: %w", err)
 	}
 	signedToken, err := jwt.Sign(tok, jwt.WithKey(jwa.RS256, key))
 	if err != nil {