From 844cfd3bad93cc2a5066145b440f2c3ef6bfd7d9 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Mon, 9 Jan 2023 16:36:00 -0800
Subject: [PATCH] Generate and use independent provisioner and private key passwords

---
 docker/Dockerfile.step-ca |  4 ++--
 docker/entrypoint.sh      | 12 ++++++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/docker/Dockerfile.step-ca b/docker/Dockerfile.step-ca
index ed6b5f56..32160e1d 100644
--- a/docker/Dockerfile.step-ca
+++ b/docker/Dockerfile.step-ca
@@ -7,7 +7,6 @@ RUN apk add --no-cache curl git make
 RUN make V=1 download
 RUN make V=1 bin/step-ca bin/step-awskms-init bin/step-cloudkms-init
-
 FROM smallstep/step-cli:latest
 COPY --from=builder /src/bin/step-ca /usr/local/bin/step-ca
@@ -20,6 +19,7 @@ USER step
 ENV CONFIGPATH="/home/step/config/ca.json"
 ENV PWDPATH="/home/step/secrets/password"
+ENV PROVISIONER_PWDPATH="/home/step/secrets/provisioner_password"
 VOLUME ["/home/step"]
 STOPSIGNAL SIGTERM
@@ -28,4 +28,4 @@ HEALTHCHECK CMD step ca health 2>/dev/null | grep "^ok" >/dev/null
 COPY docker/entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
-CMD exec /usr/local/bin/step-ca --password-file $PWDPATH $CONFIGPATH
+CMD exec /usr/local/bin/step-ca --password-file $PWDPATH --provisioner-password-file $PROVISIONER_PWDPATH $CONFIGPATH
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 74093b62..2c3321df 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
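Review bot: The new `ENV PROVISIONER_PWDPATH="/home/step/secrets/provisioner_password"` in the second hunk names a file under secrets/, while the entrypoint.sh hunks in this same patch write the generated provisioner password to `${STEPPATH}/provisioner_password`; if STEPPATH resolves to /home/step and nothing outside the shown hunks moves or links that file into secrets/, the `--provisioner-password-file $PROVISIONER_PWDPATH` argument added to CMD in the third hunk names a path that does not exist when the server starts (the same question applies to the pre-existing PWDPATH/password pair). Worth confirming where that hand-off happens before merging, since a missing password file means the CA fails to start rather than starting insecurely, but it is a first-boot regression. Separately, the CMD is shell form with unquoted expansions; `CMD exec /usr/local/bin/step-ca --password-file "$PWDPATH" --provisioner-password-file "$PROVISIONER_PWDPATH" "$CONFIGPATH"` keeps the same behaviour for these paths and stops word-splitting if any of them is ever overridden to a value containing spaces.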
@@ -39,12 +39,12 @@ function step_ca_init () {
         --dns "${DOCKER_STEPCA_INIT_DNS_NAMES}"
         --provisioner "${DOCKER_STEPCA_INIT_PROVISIONER_NAME:-admin}"
         --password-file "${STEPPATH}/password"
+        --provisioner-password-file "${STEPPATH}/provisioner_password"
         --address ":9000"
     )
     if [ -n "${DOCKER_STEPCA_INIT_PASSWORD}" ]; then
         echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/password"
-    else
-        generate_password > "${STEPPATH}/password"
+        echo "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"
     fi
     if [ -n "${DOCKER_STEPCA_INIT_SSH}" ]; then
         setup_args=("${setup_args[@]}" --ssh)
@@ -67,4 +67,12 @@ if [ ! -f "${STEPPATH}/config/ca.json" ]; then
     init_if_possible
 fi
 
+if [ ! -f "${STEPPATH}/password" ]; then
+    generate_password > "${STEPPATH}/password"
+fi
+
+if [ ! -f "${STEPPATH}/provisioner_password" ]; then
+    generate_password > "${STEPPATH}/provisioner_password"
+fi
+
 exec "${@}"
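Review bot: With the `else` fallback removed from step_ca_init, nothing in this hunk writes `${STEPPATH}/password` or `${STEPPATH}/provisioner_password` when DOCKER_STEPCA_INIT_PASSWORD is empty, yet setup_args still carries `--password-file` and the new `--provisioner-password-file` for those paths; the generate_password fallbacks added in the second hunk run only after init_if_possible has returned, so if the `step ca init "${setup_args[@]}"` call (outside this hunk — step_ca_init continues past it) happens on that first-boot path, it is handed password-file paths that do not exist yet. Moving the two `if [ ! -f ... ]; then generate_password > ...; fi` blocks from the second hunk above the `if [ ! -f "${STEPPATH}/config/ca.json" ]` guard gives both init and the exec'd server the files in every case. When the variable is set, the added line copies the same value into provisioner_password, so the user-supplied case still shares one secret between the signing key and the provisioner despite the commit title; if that is intended, a one-line comment such as `# a user-supplied password protects both the CA key and the provisioner` would save the next reader the question. The added `echo "${DOCKER_STEPCA_INIT_PASSWORD}" > ...` also inherits echo's option handling; `printf '%s\n' "${DOCKER_STEPCA_INIT_PASSWORD}" > "${STEPPATH}/provisioner_password"` writes the value verbatim even if it happens to start with -n or -e.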
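Review bot: The two new fallback blocks create the password files with a plain `>` redirection, so their mode is whatever the process umask yields (commonly 0644), which leaves the CA key password and the provisioner password readable by any other uid in the container or with access to the mounted /home/step volume. Creating them under a restrictive umask, e.g. `(umask 077; generate_password > "${STEPPATH}/password")` and the same for provisioner_password, keeps the files owner-only without changing anything else about the flow; generate_password itself is defined outside this hunk, so its own exit status handling under `set -e` is not visible here.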