Ensure no prompt is fired for loading provisioner decrypter

10 months ago · 645b6ffc18
parent 0d09f3e202
commit 645b6ffc18
3 changed files with 16 additions and 10 deletions
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@ -222,14 +222,16 @@ func (s *SCEP) Init(config Config) (err error) {
 			decryptionKey = u.Opaque
 		}
 		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
-			DecryptionKey: decryptionKey,
-			Password:      []byte(s.DecrypterKeyPassword),
+			DecryptionKey:    decryptionKey,
+			Password:         []byte(s.DecrypterKeyPassword),
+			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
-			SigningKey: decryptionKey, // TODO(hs): support distinct signer key in the future?
-			Password:   []byte(s.DecrypterKeyPassword),
+			SigningKey:       decryptionKey, // TODO(hs): support distinct signer key in the future?
+			Password:         []byte(s.DecrypterKeyPassword),
+			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating signer: %w", err)
 		}
@ -254,16 +256,17 @@ func (s *SCEP) Init(config Config) (err error) {
 	// TODO(hs): alternatively, check if the KMS keyManager is a CertificateManager
 	// and load the certificate corresponding to the decryption key?

-	// Final validation for the decrypter. If both the decrypter and the certificate
-	// are available, the public keys must match. We currently allow the decrypter to
-	// be set without a certificate without warning the user, but
-	if s.decrypter != nil && s.decrypterCertificate != nil {
+	// Final validation for the decrypter.
+	if s.decrypter != nil {
 		decrypterPublicKey, ok := s.decrypter.Public().(*rsa.PublicKey)
 		if !ok {
 			return fmt.Errorf("only RSA keys are supported")
 		}
+		if s.decrypterCertificate == nil {
+			return fmt.Errorf("provisioner %q does not have a decrypter certificate set", s.Name)
+		}
 		if !decrypterPublicKey.Equal(s.decrypterCertificate.PublicKey) {
-			return errors.New("mismatch between decryption certificate and decrypter public keys")
+			return errors.New("mismatch between decrypter certificate and decrypter public keys")
 		}
 	}

--- a/go.mod
+++ b/go.mod
@ -31,7 +31,7 @@ require (
 	github.com/urfave/cli v1.22.14
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.8.0
-	go.step.sm/crypto v0.34.0
+	go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf
 	go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d
 	golang.org/x/crypto v0.11.0
 	golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0
--- a/go.sum
+++ b/go.sum
@ -352,6 +352,7 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@ -1065,6 +1066,8 @@ go.step.sm/cli-utils v0.8.0 h1:b/Tc1/m3YuQq+u3ghTFP7Dz5zUekZj6GUmd5pCvkEXQ=
 go.step.sm/cli-utils v0.8.0/go.mod h1:S77aISrC0pKuflqiDfxxJlUbiXcAanyJ4POOnzFSxD4=
 go.step.sm/crypto v0.34.0 h1:ogSsqUu4G/yT0Jtx14q3ilAjKp3nMO4YJdwrFDmBtEY=
 go.step.sm/crypto v0.34.0/go.mod h1:60g76zZ4KJTK0BTHuO2G5W0aBt8scwNLkVHOBg6MBek=
+go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf h1:nypT34HWuPvw+eUW/VgO96KBnjpvDdBC99CyC41L4UA=
+go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf/go.mod h1:60g76zZ4KJTK0BTHuO2G5W0aBt8scwNLkVHOBg6MBek=
 go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d h1:PbcfXsW0Jc8a5LvvzqT3pyxiLBkU9LgAO/JpYjIZbTE=
 go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d/go.mod h1:QLWVNpZKKYukwVwQTfK22n5WmDs5c/xc4vakguT/THg=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=