From 52baf52f845f5c4371a57bb3b6f2530472e13c6c Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Tue, 26 Sep 2023 10:36:58 -0700
Subject: [PATCH] Change scep password type to string

This commit changes the type of the decrypter key password to string to be consistent with other passwords in the ca.json
---
 api/api.go | 2 +-
 api/api_test.go | 11 +++-------
 api/models/scep.go | 2 +-
 authority/provisioner/scep.go | 10 +++++-----
 authority/provisioners.go | 4 ++--
 5 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/api/api.go b/api/api.go
index c586a43a..7cf44a11 100644
--- a/api/api.go
+++ b/api/api.go
@@ -248,7 +248,7 @@ func scepFromProvisioner(p *provisioner.SCEP) *models.SCEP {
 DecrypterCertificate: []byte(redacted),
 DecrypterKeyPEM: []byte(redacted),
 DecrypterKeyURI: redacted,
-DecrypterKeyPassword: []byte(redacted),
+DecrypterKeyPassword: redacted,
 EncryptionAlgorithmIdentifier: p.EncryptionAlgorithmIdentifier,
 Options: p.Options,
 Claims: p.Claims,
diff --git a/api/api_test.go b/api/api_test.go
index efca024a..c57eef31 100644
--- a/api/api_test.go
+++ b/api/api_test.go
@@ -1584,11 +1584,6 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 err = json.Unmarshal(b, &key)
 require.NoError(t, err)
 
-var encodedPassword bytes.Buffer
-enc := base64.NewEncoder(base64.StdEncoding, &encodedPassword)
-_, err = enc.Write([]byte("super-secret-password"))
-require.NoError(t, err)
-
 r := ProvisionersResponse{
 Provisioners: provisioner.List{
 &provisioner.SCEP{
@@ -1602,7 +1597,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 DecrypterCertificate: []byte{1, 2, 3, 4},
 DecrypterKeyPEM: []byte{5, 6, 7, 8},
 DecrypterKeyURI: "softkms:path=/path/to/private.key",
-DecrypterKeyPassword: encodedPassword.Bytes(),
+DecrypterKeyPassword: "super-secret-password",
 },
 &provisioner.JWK{
 EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
@@ -1626,7 +1621,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 "decrypterCertificate": []byte("*** REDACTED ***"),
 "decrypterKey": "*** REDACTED ***",
 "decrypterKeyPEM": []byte("*** REDACTED ***"),
-"decrypterKeyPassword": []byte("*** REDACTED ***"),
+"decrypterKeyPassword": "*** REDACTED ***",
 "minimumPublicKeyLength": 2048,
 "encryptionAlgorithmIdentifier": 2,
 },
@@ -1668,7 +1663,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 DecrypterCertificate: []byte{1, 2, 3, 4},
 DecrypterKeyPEM: []byte{5, 6, 7, 8},
 DecrypterKeyURI: "softkms:path=/path/to/private.key",
-DecrypterKeyPassword: encodedPassword.Bytes(),
+DecrypterKeyPassword: "super-secret-password",
 },
 &provisioner.JWK{
 EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
diff --git a/api/models/scep.go b/api/models/scep.go
index c4fea502..f4aa1502 100644
--- a/api/models/scep.go
+++ b/api/models/scep.go
@@ -28,7 +28,7 @@ type SCEP struct {
 DecrypterCertificate []byte `json:"decrypterCertificate"`
 DecrypterKeyPEM []byte `json:"decrypterKeyPEM"`
 DecrypterKeyURI string `json:"decrypterKey"`
-DecrypterKeyPassword []byte `json:"decrypterKeyPassword"`
+DecrypterKeyPassword string `json:"decrypterKeyPassword"`
 EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier"`
 Options *provisioner.Options `json:"options,omitempty"`
 Claims *provisioner.Claims `json:"claims,omitempty"`
diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go
index 7648d3b0..7862a311 100644
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -47,7 +47,7 @@ type SCEP struct {
 DecrypterCertificate []byte `json:"decrypterCertificate,omitempty"`
 DecrypterKeyPEM []byte `json:"decrypterKeyPEM,omitempty"`
 DecrypterKeyURI string `json:"decrypterKey,omitempty"`
-DecrypterKeyPassword []byte `json:"decrypterKeyPassword,omitempty"`
+DecrypterKeyPassword string `json:"decrypterKeyPassword,omitempty"`
 
 // Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
 // at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
@@ -289,14 +289,14 @@ func (s *SCEP) Init(config Config) (err error) {
 }
 if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 DecryptionKeyPEM: decryptionKeyPEM,
-Password: s.DecrypterKeyPassword,
+Password: []byte(s.DecrypterKeyPassword),
 PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 }); err != nil {
 return fmt.Errorf("failed creating decrypter: %w", err)
 }
 if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
 SigningKeyPEM: decryptionKeyPEM, // TODO(hs): support distinct signer key in the future?
-Password: s.DecrypterKeyPassword,
+Password: []byte(s.DecrypterKeyPassword),
 PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 }); err != nil {
 return fmt.Errorf("failed creating signer: %w", err)
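Review bot: The JSON form of `decrypterKeyPassword` changes with this field's type: the old `[]byte` was encoded as base64 (which is what the removed setup in api_test.go was reproducing), while the new `string` is written and read as the literal text, so a ca.json that already holds a base64-encoded value would presumably now be read as that base64 text rather than the original password and `Init` would fail to open the decrypter key. The commit description gives the motivation but not this compatibility effect; it belongs in the description or a release note, and the field itself has no doc comment. Suggested comment above the field: `// DecrypterKeyPassword is the password protecting the decrypter key. It is stored as a plain string in ca.json, consistent with the other provisioner passwords.` `type SCEP struct` begins before this hunk.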
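Review bot: `[]byte(s.DecrypterKeyPassword)` is written out twice in this hunk and twice more in the @@ -331 hunk, and each conversion heap-allocates its own copy of the secret; converting once into a local before the `CreateDecrypter` call, `password := []byte(s.DecrypterKeyPassword)`, and passing `password` to both the decrypter and signer requests keeps a single copy per branch and the four call sites identical. A string also cannot be zeroed after the decrypter and signer have been created, which the previous `[]byte` at least made possible; if wiping the password after `Init` matters here, that local copy is the value to clear. `Init` starts and ends outside the hunk.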
@@ -331,14 +331,14 @@ func (s *SCEP) Init(config Config) (err error) {
 }
 if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 DecryptionKey: decryptionKeyURI,
-Password: s.DecrypterKeyPassword,
+Password: []byte(s.DecrypterKeyPassword),
 PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 }); err != nil {
 return fmt.Errorf("failed creating decrypter: %w", err)
 }
 if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
 SigningKey: decryptionKeyURI, // TODO(hs): support distinct signer key in the future?
-Password: s.DecrypterKeyPassword,
+Password: []byte(s.DecrypterKeyPassword),
 PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 }); err != nil {
 return fmt.Errorf("failed creating signer: %w", err)
diff --git a/authority/provisioners.go b/authority/provisioners.go
index 747517c9..c5105bb6 100644
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@@ -992,7 +992,7 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 s.DecrypterCertificate = decrypter.Certificate
 s.DecrypterKeyPEM = decrypter.Key
 s.DecrypterKeyURI = decrypter.KeyUri
-s.DecrypterKeyPassword = decrypter.KeyPassword
+s.DecrypterKeyPassword = string(decrypter.KeyPassword)
 }
 return s, nil
 case *linkedca.ProvisionerDetails_Nebula:
@@ -1255,7 +1255,7 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 Certificate: p.DecrypterCertificate,
 Key: p.DecrypterKeyPEM,
 KeyUri: p.DecrypterKeyURI,
-KeyPassword: p.DecrypterKeyPassword,
+KeyPassword: []byte(p.DecrypterKeyPassword),
 },
 },
 },
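Review bot: `string(decrypter.KeyPassword)` preserves the raw bytes in memory, but once the resulting provisioner is JSON-encoded, encoding/json coerces string values to valid UTF-8 and replaces invalid bytes with U+FFFD, so a linkedca key password that is not valid UTF-8 would be silently altered where the old `[]byte` field round-tripped arbitrary bytes as base64. If non-UTF-8 passwords are not meant to be supported, a guard before the assignment makes that explicit rather than silent: `if !utf8.Valid(decrypter.KeyPassword) { return nil, errors.New("scep decrypter key password is not valid UTF-8") }`. The reverse conversion in the @@ -1255 hunk is lossless and needs nothing. `ProvisionerToCertificates` starts and ends outside the hunk.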