From fed5ebef6d2f4ee1bb2bedf8cf8e0a92f4490662 Mon Sep 17 00:00:00 2001
From: Oleksandr Mazur
Date: Fri, 20 Sep 2024 12:59:47 +0300
Subject: [PATCH] Cgw Tls: try to base64 decode cert/key

It's possible that underlying cert/key is also a base64 encoded PEM file. Try to decode, if decoding succeeds, it means we should proceed with base64 decoded buffer. If not - plain text, nothing changes.

Signed-off-by: Oleksandr Mazur
---
 src/cgw_tls.rs | 41 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/src/cgw_tls.rs b/src/cgw_tls.rs
index 7e011c3..7aa3457 100644
--- a/src/cgw_tls.rs
+++ b/src/cgw_tls.rs
@@ -1,10 +1,11 @@
 use crate::cgw_app_args::CGWWSSArgs;
 use crate::cgw_errors::{collect_results, Error, Result};
+use base64::prelude::*;
 use eui48::MacAddress;
 use rustls_pki_types::{CertificateDer, PrivateKeyDer};
 use std::fs;
-use std::io::BufRead;
+use std::io::{BufRead, Read};
 use std::path::Path;
 use std::{fs::File, io::BufReader, str::FromStr, sync::Arc};
 use tokio::net::TcpStream;
@@ -21,7 +22,7 @@ const CGW_TLS_CERTIFICATES_PATH: &str = "/etc/cgw/certs";
 const CGW_TLS_NB_INFRA_CERTS_PATH: &str = "/etc/cgw/nb_infra/certs";
 
 pub async fn cgw_tls_read_certs(cert_file: &str) -> Result>> {
- let file = match File::open(cert_file) {
+ let mut file = match File::open(cert_file) {
 Ok(f) => f,
 Err(e) => {
 return Err(Error::Tls(format!(
@@ -31,13 +32,26 @@ pub async fn cgw_tls_read_certs(cert_file: &str) -> Result Result> {
- let file = match File::open(private_key_file) {
+ let mut file = match File::open(private_key_file) {
 Ok(f) => f,
 Err(e) => {
 return Err(Error::Tls(format!(
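Review bot: A failure to read the file is only logged and never returned in the decode block visible in the next hunk (`Err(e) => info!("err {e}"),`), so a truncated or unreadable key file is handed to the PEM parser as whatever bytes were read; if the certificate half of this hunk — its middle is not legible in this copy of the patch, only the `mut` on `file` survives — follows the same shape, both read sites should return `Err(Error::Tls(...))` the way the `File::open` branch a few lines below already does. The base64 fallback is a heuristic: any file whose bytes happen to form valid standard base64 is silently replaced by its decoded form, which deserves a comment at the decode site such as `// Heuristic: a plain PEM file never decodes as standard base64 (its -----BEGIN/END lines contain '-'), so a successful decode means the file was base64-wrapped.` The `mut` on `file` in cgw_tls_read_private_key is consistent with reading the file through `Read` (added to the imports in the first hunk) instead of wrapping it in `BufReader` as before; the enclosing functions of this hunk extend beyond it.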
@@ -47,7 +61,24 @@ pub async fn cgw_tls_read_private_key(private_key_file: &str) -> Result info!("err {e}"),
+ Ok(_) => ()
+ }
+ if let Ok(d) = BASE64_STANDARD.decode(buffer.clone()) {
+ info!("Private key file {} is base64 encoded, trying to use decoded.",
+ private_key_file);
+ d
+ } else {
+ buffer
+ }
+ };
+
+ let mut reader = BufReader::new(decoded_buffer.as_slice());
 match rustls_pemfile::private_key(&mut reader) {
 Ok(ret_pk) => match ret_pk {