Currently when an untrusted PGP key is used to encrypt the Certificate RSA key, the underlying system fully ignores the key and writes an empty file because the interaction with the gpg binary happens in a subshell.
We should either:
1) Warn the user and exit
2) Add the always trust flag to the encryption of files.
Concerns around 2:
There's a TOFU problem on initial RSA signing key encryption, where in between the user setting their fingerprint and running `mtls` for the first time, a bad actor could potentially swap out the fingerprint used for later encrypting the key on first generation.
There are also issues around using `-o`, which would then encrypt the password for the PFX to a bad actor based off what's in the config.
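A sketch of option 1 (warn the user and exit), added here as an example and not taken from the issue or the project's code: it reads the recipient key's validity from `gpg --with-colons` output before encrypting, then rejects a failed or empty result instead of keeping it. The function names, the `TRUSTED` policy and the sample listing are assumptions made for this example.

```python
import subprocess
from pathlib import Path

TRUSTED = {"f", "u"}  # example policy: full or ultimate validity only
FPR_OK, FPR_SUB, FPR_UNKNOWN = "A" * 40, "B" * 40, "C" * 40  # constructed
# Constructed sample of `gpg --with-colons --list-keys` output.
SAMPLE = f"""pub:u:4096:1:{FPR_OK[-16:]}:1700000000:::u:::scESC:
fpr:::::::::{FPR_OK}:
uid:u::::1700000000::::Alice <alice@example.test>:
sub:u:4096:1:{FPR_SUB[-16:]}:1700000000::::::e:
fpr:::::::::{FPR_SUB}:
pub:-:4096:1:{FPR_UNKNOWN[-16:]}:1700000000:::-:::scESC:
fpr:::::::::{FPR_UNKNOWN}:
"""

class UntrustedRecipient(Exception):
    """The recipient key is missing or not valid enough to encrypt to."""

def key_validity(colons):
    """Map primary-key fingerprint -> validity letter (field 2 of `pub`)."""
    result, pending = {}, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > 1:
            pending = f[1] or "-"
        elif f[0] == "fpr" and pending is not None and len(f) > 9:
            result[f[9].upper()] = pending  # first fpr after pub is the primary key
            pending = None
    return result

def require_trusted(colons, fingerprint):
    want = fingerprint.replace(" ", "").upper()
    validity = key_validity(colons).get(want)
    if validity not in TRUSTED:
        raise UntrustedRecipient(f"{want}: validity {validity!r}, refusing to encrypt")
    return validity

def encrypt_file(src, dst, fingerprint, run=subprocess.run):
    """Encrypt src to dst for fingerprint; fail loudly instead of leaving an empty file."""
    listing = run(["gpg", "--batch", "--with-colons", "--list-keys", fingerprint],
                  capture_output=True, text=True)
    if listing.returncode != 0:
        raise UntrustedRecipient(f"{fingerprint}: not in keyring")
    require_trusted(listing.stdout, fingerprint)
    proc = run(["gpg", "--batch", "--yes", "--output", str(dst), "--encrypt",
                "--recipient", fingerprint, str(src)], capture_output=True, text=True)
    out = Path(dst)
    if proc.returncode != 0 or not out.is_file() or out.stat().st_size == 0:
        out.unlink(missing_ok=True)  # never keep an empty "encrypted" file
        raise RuntimeError(f"gpg encryption failed: {proc.stderr.strip()}")
    return out
```

A subkey fingerprint is deliberately not accepted as a recipient identifier here, so the configured value must be the primary key's fingerprint.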