Archives/smallstep-certificates
2
0
Fork 0
mirror of https://github.com/smallstep/certificates.git synced 2024-10-31 03:20:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ensure no prompt is fired for loading provisioner decrypter

Browse Source
This commit is contained in:
Herman Slatman 2023-08-04 22:47:02 +02:00
parent 0d09f3e202
commit 645b6ffc18
No known key found for this signature in database
GPG Key ID: F4D8A44EA0A75A4F
3 changed files with 16 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
authority/provisioner/scep.go
View File

@ -222,14 +222,16 @@ func (s *SCEP) Init(config Config) (err error) {
decryptionKey = u.Opaque
}
if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
DecryptionKey: decryptionKey,
Password: []byte(s.DecrypterKeyPassword),
DecryptionKey: decryptionKey,
Password: []byte(s.DecrypterKeyPassword),
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
}); err != nil {
return fmt.Errorf("failed creating decrypter: %w", err)
}
if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
SigningKey: decryptionKey, // TODO(hs): support distinct signer key in the future?
Password: []byte(s.DecrypterKeyPassword),
SigningKey: decryptionKey, // TODO(hs): support distinct signer key in the future?
Password: []byte(s.DecrypterKeyPassword),
PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
}); err != nil {
return fmt.Errorf("failed creating signer: %w", err)
}
@ -254,16 +256,17 @@ func (s *SCEP) Init(config Config) (err error) {
// TODO(hs): alternatively, check if the KMS keyManager is a CertificateManager
// and load the certificate corresponding to the decryption key?
// Final validation for the decrypter. If both the decrypter and the certificate
// are available, the public keys must match. We currently allow the decrypter to
// be set without a certificate without warning the user, but
if s.decrypter != nil && s.decrypterCertificate != nil {
// Final validation for the decrypter.
if s.decrypter != nil {
decrypterPublicKey, ok := s.decrypter.Public().(*rsa.PublicKey)
if !ok {
return fmt.Errorf("only RSA keys are supported")
}
if s.decrypterCertificate == nil {
return fmt.Errorf("provisioner %q does not have a decrypter certificate set", s.Name)
}
if !decrypterPublicKey.Equal(s.decrypterCertificate.PublicKey) {
return errors.New("mismatch between decryption certificate and decrypter public keys")
return errors.New("mismatch between decrypter certificate and decrypter public keys")
}
}

2
go.mod
View File

@ -31,7 +31,7 @@ require (
github.com/urfave/cli v1.22.14
go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
go.step.sm/cli-utils v0.8.0
go.step.sm/crypto v0.34.0
go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf
go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d
golang.org/x/crypto v0.11.0
golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0

3
go.sum
View File

@ -352,6 +352,7 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@ -1065,6 +1066,8 @@ go.step.sm/cli-utils v0.8.0 h1:b/Tc1/m3YuQq+u3ghTFP7Dz5zUekZj6GUmd5pCvkEXQ=
go.step.sm/cli-utils v0.8.0/go.mod h1:S77aISrC0pKuflqiDfxxJlUbiXcAanyJ4POOnzFSxD4=
go.step.sm/crypto v0.34.0 h1:ogSsqUu4G/yT0Jtx14q3ilAjKp3nMO4YJdwrFDmBtEY=
go.step.sm/crypto v0.34.0/go.mod h1:60g76zZ4KJTK0BTHuO2G5W0aBt8scwNLkVHOBg6MBek=
go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf h1:nypT34HWuPvw+eUW/VgO96KBnjpvDdBC99CyC41L4UA=
go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf/go.mod h1:60g76zZ4KJTK0BTHuO2G5W0aBt8scwNLkVHOBg6MBek=
go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d h1:PbcfXsW0Jc8a5LvvzqT3pyxiLBkU9LgAO/JpYjIZbTE=
go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d/go.mod h1:QLWVNpZKKYukwVwQTfK22n5WmDs5c/xc4vakguT/THg=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=