From 645b6ffc18a8aaca93f55027ebb2d5c7082f0188 Mon Sep 17 00:00:00 2001 From: Herman Slatman Date: Fri, 4 Aug 2023 22:47:02 +0200 Subject: [PATCH] Ensure no prompt is fired for loading provisioner decrypter --- authority/provisioner/scep.go | 21 ++++++++++++--------- go.mod | 2 +- go.sum | 3 +++ 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go index 396df8e4..c70c0d66 100644 --- a/authority/provisioner/scep.go +++ b/authority/provisioner/scep.go @@ -222,14 +222,16 @@ func (s *SCEP) Init(config Config) (err error) { decryptionKey = u.Opaque } if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{ - DecryptionKey: decryptionKey, - Password: []byte(s.DecrypterKeyPassword), + DecryptionKey: decryptionKey, + Password: []byte(s.DecrypterKeyPassword), + PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { return fmt.Errorf("failed creating decrypter: %w", err) } if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{ - SigningKey: decryptionKey, // TODO(hs): support distinct signer key in the future? - Password: []byte(s.DecrypterKeyPassword), + SigningKey: decryptionKey, // TODO(hs): support distinct signer key in the future? + Password: []byte(s.DecrypterKeyPassword), + PasswordPrompter: kmsapi.NonInteractivePasswordPrompter, }); err != nil { return fmt.Errorf("failed creating signer: %w", err) } @@ -254,16 +256,17 @@ func (s *SCEP) Init(config Config) (err error) { // TODO(hs): alternatively, check if the KMS keyManager is a CertificateManager // and load the certificate corresponding to the decryption key? - // Final validation for the decrypter. If both the decrypter and the certificate - // are available, the public keys must match. We currently allow the decrypter to - // be set without a certificate without warning the user, but - if s.decrypter != nil && s.decrypterCertificate != nil { + // Final validation for the decrypter. + if s.decrypter != nil { decrypterPublicKey, ok := s.decrypter.Public().(*rsa.PublicKey) if !ok { return fmt.Errorf("only RSA keys are supported") } + if s.decrypterCertificate == nil { + return fmt.Errorf("provisioner %q does not have a decrypter certificate set", s.Name) + } if !decrypterPublicKey.Equal(s.decrypterCertificate.PublicKey) { - return errors.New("mismatch between decryption certificate and decrypter public keys") + return errors.New("mismatch between decrypter certificate and decrypter public keys") } } diff --git a/go.mod b/go.mod index 811fe86f..f2feae91 100644 --- a/go.mod +++ b/go.mod @@ -31,7 +31,7 @@ require ( github.com/urfave/cli v1.22.14 go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 go.step.sm/cli-utils v0.8.0 - go.step.sm/crypto v0.34.0 + go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d golang.org/x/crypto v0.11.0 golang.org/x/exp v0.0.0-20230310171629-522b1b587ee0 diff --git a/go.sum b/go.sum index 44450981..3a5c550f 100644 --- a/go.sum +++ b/go.sum @@ -352,6 +352,7 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg= github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= @@ -1065,6 +1066,8 @@ go.step.sm/cli-utils v0.8.0 h1:b/Tc1/m3YuQq+u3ghTFP7Dz5zUekZj6GUmd5pCvkEXQ= go.step.sm/cli-utils v0.8.0/go.mod h1:S77aISrC0pKuflqiDfxxJlUbiXcAanyJ4POOnzFSxD4= go.step.sm/crypto v0.34.0 h1:ogSsqUu4G/yT0Jtx14q3ilAjKp3nMO4YJdwrFDmBtEY= go.step.sm/crypto v0.34.0/go.mod h1:60g76zZ4KJTK0BTHuO2G5W0aBt8scwNLkVHOBg6MBek= +go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf h1:nypT34HWuPvw+eUW/VgO96KBnjpvDdBC99CyC41L4UA= +go.step.sm/crypto v0.34.1-0.20230804202808-557c2649a5bf/go.mod h1:60g76zZ4KJTK0BTHuO2G5W0aBt8scwNLkVHOBg6MBek= go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d h1:PbcfXsW0Jc8a5LvvzqT3pyxiLBkU9LgAO/JpYjIZbTE= go.step.sm/linkedca v0.20.1-0.20230802134415-b577c7565f6d/go.mod h1:QLWVNpZKKYukwVwQTfK22n5WmDs5c/xc4vakguT/THg= go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=