From 822c29b37deca82f0c37b1a61876e79d3d23b2ba Mon Sep 17 00:00:00 2001
From: ncaq
Date: Fri, 3 Nov 2023 18:15:46 +0900
Subject: [PATCH] feat: add: --password-file option for step crypto jwe decrypt

The `encryptedKey` generated by `--type=jwk` in `step ca provisioner add` is in PBES2 format. This is hard-coded and difficult to change. Therefore, in the implementation before this commit, after the key to decrypt is entered in the standard input, the executor must interactively enter the password specified when generated in the standard input. The `--key` option and others cannot be used at this time because of formatting problems. However, trying to do this programmatically is difficult, as the format of `ui.PromptPassword` is too specific for manual execution, or reading stderr output, etc., and trying to add additional standard input passwords in a programmatic and automatic way is very It was very difficult. Therefore, I added the `--password-file` command line argument to provide an alternative that does not require an interactive operation. Since there was no problem reading the password file when generating it, I decided that there was no harm in reading the password file when decrypting it, and it was a natural implementation.
---
 command/crypto/jwe/decrypt.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/command/crypto/jwe/decrypt.go b/command/crypto/jwe/decrypt.go
index cce44e2f8..c9ce1e27b 100644
--- a/command/crypto/jwe/decrypt.go
+++ b/command/crypto/jwe/decrypt.go
@@ -47,6 +47,10 @@ used with **--key** the value must match the **"kid"** member of the JWK.
 used with **--jwks** (a JWK Set) the KID value must match the **"kid"** member of one of the JWKs in the JWK Set.`,
 },
+ cli.StringFlag{
+ Name: "password-file",
+ Usage: `The path to the containing the password to encrypt the keys.`,
+ },
 },
 }
 }
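Review bot: The `Usage` string of the new `password-file` flag is wrong for this command: it says the password is used `to encrypt the keys`, while `step crypto jwe decrypt` uses it to decrypt the PBES2-protected content encryption key, and a noun is missing after `The path to the` (possibly lost in rendering, but worth checking in the source). Suggest `Usage: \`The path to the file containing the password to decrypt the content encryption key.\`,`. Since the patch only reads the file on the `case isPBES2` path of decryptAction, the usage text should also say that the flag is ignored for JWEs that are not PBES2-protected.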
@@ -64,6 +68,7 @@ func decryptAction(ctx *cli.Context) error {
 key := ctx.String("key")
 jwks := ctx.String("jwks")
 kid := ctx.String("kid")
+ passwordFile := ctx.String("password-file")
 
 obj, err := jose.ParseEncrypted(string(data))
 if err != nil {
@@ -107,7 +112,17 @@ func decryptAction(ctx *cli.Context) error {
 case jwks != "":
 jwk, err = jose.ReadKeySet(jwks, options...)
 case isPBES2:
- pbes2Key, err = ui.PromptPassword("Please enter the password to decrypt the content encryption key")
+ var password string
+ if len(passwordFile) > 0 {
+ password, err = utils.ReadStringPasswordFromFile(passwordFile)
+ if err != nil {
+ return err
+ }
+ }
+ pbes2Key, err =
+ ui.PromptPassword(
+ "Please enter the password to decrypt the content encryption key",
+ ui.WithValue(password))
 default:
 return errs.RequiredOrFlag(ctx, "key", "jwk")
 }
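Review bot: In the new `case isPBES2` branch, an empty password file leaves `password` as the empty string, and if `ui.WithValue` only skips the prompt for a non-empty value (the hunk does not show its semantics), the command silently falls back to the interactive prompt that `--password-file` was added to avoid, so a non-interactive caller blocks on stdin instead of failing. After the read, reject that case explicitly, e.g. `if password == "" { return errs.InvalidFlagValue(ctx, "password-file", passwordFile, "") }`, and consider returning the read error with the path attached (`return errs.FileError(err, passwordFile)`) rather than bare. The flag is also only consulted on this branch: with `--jwks` (the preceding case) the file is never read and no warning is given, which is worth stating in the flag's usage text. Finally, the `pbes2Key, err =` assignment split across four lines is unusual for this file; the single-line form `pbes2Key, err = ui.PromptPassword("Please enter the password to decrypt the content encryption key", ui.WithValue(password))` reads more conventionally. decryptAction's body starts and ends outside the hunk.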