Change scep password type to string
This commit changes the type of the SCEP decrypter key password to `string`, to be consistent with the other passwords in ca.json.
This commit is contained in:
parent
b66a92ca41
commit
52baf52f84
@ -248,7 +248,7 @@ func scepFromProvisioner(p *provisioner.SCEP) *models.SCEP {
|
|||||||
DecrypterCertificate: []byte(redacted),
|
DecrypterCertificate: []byte(redacted),
|
||||||
DecrypterKeyPEM: []byte(redacted),
|
DecrypterKeyPEM: []byte(redacted),
|
||||||
DecrypterKeyURI: redacted,
|
DecrypterKeyURI: redacted,
|
||||||
DecrypterKeyPassword: []byte(redacted),
|
DecrypterKeyPassword: redacted,
|
||||||
EncryptionAlgorithmIdentifier: p.EncryptionAlgorithmIdentifier,
|
EncryptionAlgorithmIdentifier: p.EncryptionAlgorithmIdentifier,
|
||||||
Options: p.Options,
|
Options: p.Options,
|
||||||
Claims: p.Claims,
|
Claims: p.Claims,
|
||||||
|
@ -1584,11 +1584,6 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
|
|||||||
err = json.Unmarshal(b, &key)
|
err = json.Unmarshal(b, &key)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
var encodedPassword bytes.Buffer
|
|
||||||
enc := base64.NewEncoder(base64.StdEncoding, &encodedPassword)
|
|
||||||
_, err = enc.Write([]byte("super-secret-password"))
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
r := ProvisionersResponse{
|
r := ProvisionersResponse{
|
||||||
Provisioners: provisioner.List{
|
Provisioners: provisioner.List{
|
||||||
&provisioner.SCEP{
|
&provisioner.SCEP{
|
||||||
@ -1602,7 +1597,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
|
|||||||
DecrypterCertificate: []byte{1, 2, 3, 4},
|
DecrypterCertificate: []byte{1, 2, 3, 4},
|
||||||
DecrypterKeyPEM: []byte{5, 6, 7, 8},
|
DecrypterKeyPEM: []byte{5, 6, 7, 8},
|
||||||
DecrypterKeyURI: "softkms:path=/path/to/private.key",
|
DecrypterKeyURI: "softkms:path=/path/to/private.key",
|
||||||
DecrypterKeyPassword: encodedPassword.Bytes(),
|
DecrypterKeyPassword: "super-secret-password",
|
||||||
},
|
},
|
||||||
&provisioner.JWK{
|
&provisioner.JWK{
|
||||||
EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
|
EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
|
||||||
@ -1626,7 +1621,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
|
|||||||
"decrypterCertificate": []byte("*** REDACTED ***"),
|
"decrypterCertificate": []byte("*** REDACTED ***"),
|
||||||
"decrypterKey": "*** REDACTED ***",
|
"decrypterKey": "*** REDACTED ***",
|
||||||
"decrypterKeyPEM": []byte("*** REDACTED ***"),
|
"decrypterKeyPEM": []byte("*** REDACTED ***"),
|
||||||
"decrypterKeyPassword": []byte("*** REDACTED ***"),
|
"decrypterKeyPassword": "*** REDACTED ***",
|
||||||
"minimumPublicKeyLength": 2048,
|
"minimumPublicKeyLength": 2048,
|
||||||
"encryptionAlgorithmIdentifier": 2,
|
"encryptionAlgorithmIdentifier": 2,
|
||||||
},
|
},
|
||||||
@ -1668,7 +1663,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
|
|||||||
DecrypterCertificate: []byte{1, 2, 3, 4},
|
DecrypterCertificate: []byte{1, 2, 3, 4},
|
||||||
DecrypterKeyPEM: []byte{5, 6, 7, 8},
|
DecrypterKeyPEM: []byte{5, 6, 7, 8},
|
||||||
DecrypterKeyURI: "softkms:path=/path/to/private.key",
|
DecrypterKeyURI: "softkms:path=/path/to/private.key",
|
||||||
DecrypterKeyPassword: encodedPassword.Bytes(),
|
DecrypterKeyPassword: "super-secret-password",
|
||||||
},
|
},
|
||||||
&provisioner.JWK{
|
&provisioner.JWK{
|
||||||
EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
|
EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
|
||||||
|
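Review bot: Nothing visible in these hunks asserts that the plaintext fixture value `"super-secret-password"` is absent from the marshaled output; the expected map in the third hunk pins the `*** REDACTED ***` marker per field, which only catches a dropped redaction if the comparison is a strict equality on the whole structure. Since the fixture now carries the real plaintext instead of the former base64-encoded stand-in, a direct negative check on the encoded bytes states the property this test exists for, e.g. `require.NotContains(t, string(out), "super-secret-password")` right after the marshal call (using whatever name the encoded output has in this test). The test function starts and ends outside the hunks.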
@ -28,7 +28,7 @@ type SCEP struct {
|
|||||||
DecrypterCertificate []byte `json:"decrypterCertificate"`
|
DecrypterCertificate []byte `json:"decrypterCertificate"`
|
||||||
DecrypterKeyPEM []byte `json:"decrypterKeyPEM"`
|
DecrypterKeyPEM []byte `json:"decrypterKeyPEM"`
|
||||||
DecrypterKeyURI string `json:"decrypterKey"`
|
DecrypterKeyURI string `json:"decrypterKey"`
|
||||||
DecrypterKeyPassword []byte `json:"decrypterKeyPassword"`
|
DecrypterKeyPassword string `json:"decrypterKeyPassword"`
|
||||||
EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier"`
|
EncryptionAlgorithmIdentifier int `json:"encryptionAlgorithmIdentifier"`
|
||||||
Options *provisioner.Options `json:"options,omitempty"`
|
Options *provisioner.Options `json:"options,omitempty"`
|
||||||
Claims *provisioner.Claims `json:"claims,omitempty"`
|
Claims *provisioner.Claims `json:"claims,omitempty"`
|
||||||
|
@ -47,7 +47,7 @@ type SCEP struct {
|
|||||||
DecrypterCertificate []byte `json:"decrypterCertificate,omitempty"`
|
DecrypterCertificate []byte `json:"decrypterCertificate,omitempty"`
|
||||||
DecrypterKeyPEM []byte `json:"decrypterKeyPEM,omitempty"`
|
DecrypterKeyPEM []byte `json:"decrypterKeyPEM,omitempty"`
|
||||||
DecrypterKeyURI string `json:"decrypterKey,omitempty"`
|
DecrypterKeyURI string `json:"decrypterKey,omitempty"`
|
||||||
DecrypterKeyPassword []byte `json:"decrypterKeyPassword,omitempty"`
|
DecrypterKeyPassword string `json:"decrypterKeyPassword,omitempty"`
|
||||||
|
|
||||||
// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
|
// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
|
||||||
// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
|
// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
|
||||||
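Review bot: Changing `DecrypterKeyPassword` from `[]byte` to `string` also changes how the value is read from ca.json, and the commit does not address that: encoding/json encodes a `[]byte` field as base64, so a configuration written for the old type holds the base64 form, and after this change that text is handed through verbatim as the password, which would presumably surface only as a "failed creating decrypter" error at startup rather than as a recognisable format change. A custom `UnmarshalJSON` accepting both forms would be ambiguous for passwords that are themselves valid base64, so a documented breaking change is likely the safer option; at minimum the field should say so, e.g. `// DecrypterKeyPassword is the plaintext password protecting the decrypter key; earlier releases stored this value base64-encoded.` The `SCEP` struct continues outside the hunk.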
@ -289,14 +289,14 @@ func (s *SCEP) Init(config Config) (err error) {
|
|||||||
}
|
}
|
||||||
if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
|
if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
|
||||||
DecryptionKeyPEM: decryptionKeyPEM,
|
DecryptionKeyPEM: decryptionKeyPEM,
|
||||||
Password: s.DecrypterKeyPassword,
|
Password: []byte(s.DecrypterKeyPassword),
|
||||||
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
|
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return fmt.Errorf("failed creating decrypter: %w", err)
|
return fmt.Errorf("failed creating decrypter: %w", err)
|
||||||
}
|
}
|
||||||
if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
||||||
SigningKeyPEM: decryptionKeyPEM, // TODO(hs): support distinct signer key in the future?
|
SigningKeyPEM: decryptionKeyPEM, // TODO(hs): support distinct signer key in the future?
|
||||||
Password: s.DecrypterKeyPassword,
|
Password: []byte(s.DecrypterKeyPassword),
|
||||||
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
|
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return fmt.Errorf("failed creating signer: %w", err)
|
return fmt.Errorf("failed creating signer: %w", err)
|
||||||
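Review bot: Each `[]byte(s.DecrypterKeyPassword)` at the two call sites in this hunk (and the two in the following hunk at 331) allocates a fresh copy of the password that `Init` does not retain and therefore cannot zero, and the `string` itself is immutable; the previous `[]byte` field at least allowed wiping the buffer once the decrypter and signer had been created. If in-memory secret lifetime matters for this provisioner, convert once into a local, pass it to both requests and zero it afterwards: `pw := []byte(s.DecrypterKeyPassword)`, `Password: pw,` in both request literals, and `for i := range pw { pw[i] = 0 }` after the signer is created — assuming the KMS implementations consume the password inside `CreateDecrypter`/`CreateSigner` rather than retain the slice, which should be confirmed first. Note also that `[]byte("")` yields an empty non-nil slice where the old field was nil when unset; this only matters if a KMS distinguishes nil from empty when deciding whether to call the prompter. `Init` begins and ends outside the hunk.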
@ -331,14 +331,14 @@ func (s *SCEP) Init(config Config) (err error) {
|
|||||||
}
|
}
|
||||||
if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
|
if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
|
||||||
DecryptionKey: decryptionKeyURI,
|
DecryptionKey: decryptionKeyURI,
|
||||||
Password: s.DecrypterKeyPassword,
|
Password: []byte(s.DecrypterKeyPassword),
|
||||||
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
|
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return fmt.Errorf("failed creating decrypter: %w", err)
|
return fmt.Errorf("failed creating decrypter: %w", err)
|
||||||
}
|
}
|
||||||
if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
|
||||||
SigningKey: decryptionKeyURI, // TODO(hs): support distinct signer key in the future?
|
SigningKey: decryptionKeyURI, // TODO(hs): support distinct signer key in the future?
|
||||||
Password: s.DecrypterKeyPassword,
|
Password: []byte(s.DecrypterKeyPassword),
|
||||||
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
|
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
|
||||||
}); err != nil {
|
}); err != nil {
|
||||||
return fmt.Errorf("failed creating signer: %w", err)
|
return fmt.Errorf("failed creating signer: %w", err)
|
||||||
|
@ -992,7 +992,7 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
|
|||||||
s.DecrypterCertificate = decrypter.Certificate
|
s.DecrypterCertificate = decrypter.Certificate
|
||||||
s.DecrypterKeyPEM = decrypter.Key
|
s.DecrypterKeyPEM = decrypter.Key
|
||||||
s.DecrypterKeyURI = decrypter.KeyUri
|
s.DecrypterKeyURI = decrypter.KeyUri
|
||||||
s.DecrypterKeyPassword = decrypter.KeyPassword
|
s.DecrypterKeyPassword = string(decrypter.KeyPassword)
|
||||||
}
|
}
|
||||||
return s, nil
|
return s, nil
|
||||||
case *linkedca.ProvisionerDetails_Nebula:
|
case *linkedca.ProvisionerDetails_Nebula:
|
||||||
@ -1255,7 +1255,7 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
|
|||||||
Certificate: p.DecrypterCertificate,
|
Certificate: p.DecrypterCertificate,
|
||||||
Key: p.DecrypterKeyPEM,
|
Key: p.DecrypterKeyPEM,
|
||||||
KeyUri: p.DecrypterKeyURI,
|
KeyUri: p.DecrypterKeyURI,
|
||||||
KeyPassword: p.DecrypterKeyPassword,
|
KeyPassword: []byte(p.DecrypterKeyPassword),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|