feat: add: --password-file option for step crypto jwe decrypt #1060

Merged

Conversation

@ncaq ncaq commented Nov 3, 2023

Name of feature:

add: --password-file option for step crypto jwe decrypt.

Pain or issue this feature alleviates:

The `encryptedKey` generated by `--type=jwk` in `step ca provisioner add` is in PBES2 format. This is hard-coded and difficult to change.
Therefore, in the implementation before this commit, after the key to decrypt is entered on standard input, the executor must interactively enter the password specified at generation time, also on standard input. The `--key` option and others cannot be used at this time because of formatting problems. However, trying to do this programmatically is difficult, as the format of `ui.PromptPassword` is too specific for manual execution or for reading the stderr output, etc., and adding the password as extra standard input in a programmatic and automatic way was very difficult. Therefore, I added the `--password-file` command line argument to provide an alternative that does not require interactive operation. Since there was no problem reading the password file when generating the key, I decided that there was no harm in reading the password file when decrypting it, and it was a natural implementation.

Why is this important to the project (if not answered above):

For example, once this is merged, anyone can easily and automatically run the gh_token.sh script for GitHub Enterprise that is on the official site.

Configuring step-ca Templates

Is there documentation on how to use this feature? If so, where?

The documentation is not specifically written because it is quite simple and a function that is already in other commands.

For now, you can check it with `step crypto jwe decrypt --help`.

In what environments or workflows is this feature supported?

It would be useful to automatically decrypt JWK's encryptedKey.
The reason why --key is not allowed is that, as I said before, it is rejected due to formatting problems.

I needed this feature for my own use in the first place.
As I said before, it was difficult to operate via standard input.
I didn't want to put too much load on the maintainer, so I refrained from doing so, but it was too difficult and I thought it would be a comfortable flag to add, so I added it.

In what environments or workflows is this feature explicitly NOT supported (if any)?

Supporting links/other PRs/issues:

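The non-interactive workflow this PR enables, as an added shell example (not code from the PR or from smallstep): it first reads the `alg` of the JWE's protected header to confirm it is a PBES2 algorithm, which is why a password rather than `--key` is needed, and then pipes the `encryptedKey` into `step crypto jwe decrypt --password-file`. The function names and the password file argument are assumptions, and the decrypt step requires the `step` binary built from this change.

```shell
# Added example, not from the PR or smallstep. Assumed names: jwe_alg,
# decrypt_provisioner_key; the password file path is passed as $2.

# Print the "alg" value from a compact JWE's protected header (first segment).
jwe_alg() {
  hdr=$(printf '%s' "$1" | cut -d. -f1 | tr '_-' '/+')   # base64url -> base64
  case $(( ${#hdr} % 4 )) in                              # restore '=' padding
    2) hdr="${hdr}==" ;;
    3) hdr="${hdr}=" ;;
  esac
  printf '%s' "$hdr" | base64 -d | sed -n 's/.*"alg" *: *"\([^"]*\)".*/\1/p'
}

# Decrypt a JWK provisioner's encryptedKey without an interactive prompt.
# $1: compact JWE (the encryptedKey), $2: file holding the PBES2 password.
# A PBES2 header means a password is required, so --key would be rejected;
# fail early with a clear message instead of reaching the prompt.
decrypt_provisioner_key() {
  alg=$(jwe_alg "$1")
  case $alg in
    PBES2*) ;;
    *) echo "expected a PBES2 JWE, got alg='$alg'" >&2; return 1 ;;
  esac
  printf '%s' "$1" | step crypto jwe decrypt --password-file "$2"
}
```

The decrypted JWK is written to stdout, so the caller can capture it into a variable or a file with restrictive permissions rather than leaving it in a shell history.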

CLAassistant commented Nov 3, 2023

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Nov 3, 2023
ncaq commented Nov 3, 2023

I just realized that maybe it is not necessary because it can be specified with step crypto jwt sign.

@dopey dopey requested a review from maraino November 7, 2023 18:15
@hslatman hslatman added this to the v0.25.1 milestone Nov 21, 2023
@maraino maraino left a comment

Thanks @ncaq, lgtm

@maraino maraino merged commit 8865323 into smallstep:master Nov 28, 2023
6 of 7 checks passed
@ncaq ncaq deleted the add-password-file-for-step-crypto-jwe-decrypt branch December 1, 2023 14:40