Commit
feat: add: --password-file option for step crypto jwe decrypt
The `encryptedKey` generated by `--type=jwk` in `step ca provisioner add` is in PBES2 format.
This is hard-coded and difficult to change.
Therefore, in the implementation before this commit, after the key to decrypt is entered in the standard input, the executor must interactively enter the password specified when generated in the standard input.
The `--key` option and others cannot be used at this time because of formatting problems.
However, trying to do this programmatically is difficult, as the format of `ui.PromptPassword` is too specific for manual execution, or reading stderr output, etc., and trying to add additional standard input passwords in a programmatic and automatic way was very difficult.
Therefore, I added the `--password-file` command line argument to provide an alternative that does not require an interactive operation.
Since there was no problem reading the password file when generating it, I decided that there was no harm in reading the password file when decrypting it, and it was a natural implementation.
ncaq committed Nov 3, 2023
1 parent 75d7a7b commit 822c29b
Showing 1 changed file with 16 additions and 1 deletion.
17 changes: 16 additions & 1 deletion command/crypto/jwe/decrypt.go
Expand Up @@ -47,6 +47,10 @@ used with **--key** the <kid> value must match the **"kid"** member of the JWK.
used with **--jwks** (a JWK Set) the KID value must match the **"kid"** member of
one of the JWKs in the JWK Set.`,
},
cli.StringFlag{
Name: "password-file",

Check failure on line 51 in command/crypto/jwe/decrypt.go (GitHub Actions / ci / lint / lint): File is not `goimports`-ed (goimports)

Usage: `The path to the <file> containing the password to encrypt the keys.`,
},
},
}
}
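Review bot: The `Usage` string for the new flag says "the password to encrypt the keys", but this is the `decrypt` subcommand and the file is read to decrypt the PBES2-wrapped content encryption key; reword it to something like `The path to the <file> containing the password to decrypt the content encryption key.` so `--help` does not mislead users. The CI annotation on this hunk also reports the file is not `goimports`-ed; run `goimports -w command/crypto/jwe/decrypt.go` and include whatever it changes (most likely the import block, which is not part of this diff) before merging.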
Expand All @@ -64,6 +68,7 @@ func decryptAction(ctx *cli.Context) error {
key := ctx.String("key")
jwks := ctx.String("jwks")
kid := ctx.String("kid")
passwordFile := ctx.String("password-file")

obj, err := jose.ParseEncrypted(string(data))
if err != nil {
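Review bot: `passwordFile` is read unconditionally here but is only consulted in the `isPBES2` branch later in the function, so a user who passes `--password-file` together with `--key` or `--jwks`, or against an object that is not PBES2-encrypted, gets the flag silently ignored. Consider rejecting the conflicting combination up front (the command already uses `errs.RequiredOrFlag` style errors) so the caller learns the password file was never used.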
Expand Down Expand Up @@ -107,7 +112,17 @@ func decryptAction(ctx *cli.Context) error {
case jwks != "":
jwk, err = jose.ReadKeySet(jwks, options...)
case isPBES2:
pbes2Key, err = ui.PromptPassword("Please enter the password to decrypt the content encryption key")
var password string
if len(passwordFile) > 0 {
password, err = utils.ReadStringPasswordFromFile(passwordFile)
if err != nil {
return err
}
}
pbes2Key, err =
ui.PromptPassword(
"Please enter the password to decrypt the content encryption key",
ui.WithValue(password))
default:
return errs.RequiredOrFlag(ctx, "key", "jwk")
}
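Review bot: When `--password-file` is given, the value is still routed through `ui.PromptPassword(..., ui.WithValue(password))`; confirm that `WithValue` actually suppresses the interactive prompt for a non-empty value and, for an empty file, that it does not silently pass an empty password to the PBES2 unwrap instead of prompting or failing. Also verify that `utils.ReadStringPasswordFromFile` strips the trailing newline the same way the encrypt side does, since a stray `\n` would make the derived PBES2 key differ and decryption fail with an opaque error. Minor style point: the three-line split of `pbes2Key, err =` / `ui.PromptPassword(` reads awkwardly; a single call expression, or assigning the options to a local first, keeps it closer to the surrounding code.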
Expand Down

0 comments on commit 822c29b