-
|
Is there a way to change an existing provisioners (key) password? To my knowledge the But I'm missing some info on how to use the encrypt option of Can anybody help me out here? I would like to use this opportunity to learn more about JWT/JWE. Many thanks in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
|
Hi @realk1ko, I'm gonna go step by step, and finally provide you a one-liner combining everything Let's start creating a key and the compact version of the jwk.priv (password is password) $ step crypto jwk create jwk.pub jwk.priv
$ cat jwk.priv | step crypto jose format
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiMFFOQ1FqRjhYWld1VTQ5NzF5UV9uQSJ9.2wKtwondscO3mg9v5klopbZu4zlaqt3sIpNOL5bWRL4sCKOMBRvO4g.fa7xNy2yHkT7KP0A.Zykb8mu7vnU1M8QdZJ2YgTCmP-k-wqjAa2zk0U18NapFA6Oqd__JdkTX3XCMRkCbH259AMes2Bm7tQHaXin6DD-Mw03pbrKraTpYO6Jz61wui1p2VdxF9IA9mwB2Fm61tuOKZ2rEP9Fr6QCD1SeczU26KQNT8yvPEPckRVsOsep5J2EycF5fkEKMiE32zLQSgbbhvlGiFJ-VH3FOq4WmJp9LlSDmkswUPZQqfAVpUruwtGfNKDv3cpgRBqvVlx3TmmXm6wEB8IVqeCr1fUs27tNM9UWPwFChDQ6LVeSX1LS3ntJUeVH_pb273Gq0E8o9ydJPxZX_x0rKW1XAfGk.GstSOCDgiYFhi8qHwUOrJwLet's decrypt now that: $ echo eyJhbGci... | step crypto jwe decrypt
{"use":"sig","kty":"EC","kid":"4Y4_pv4LC-Rg0aW7Gbo_Nk8lnuzegpfpQYt3NO4IEN0","crv":"P-256","alg":"ES256","x":"LIHm8OtNcZ2Y2xIOy6cftxw-xWUYe1wA7_pOf9ummgM","y":"FOlKgs8Y4243u_NV6ar_ITqYc3yiBjN9WWBnsN27fco","d":"WGHmDLLiwhEeKQt-5p7PvXiu7JPM3G-QH4I7gKDVLI4"}And finally encrypt that again with a new password and use the compact format (new password is pass) $ echo '{"use":"sig","kty":"EC","kid":"4Y4_pv4LC-Rg0aW7Gbo_Nk8lnuzegpfpQYt3NO4IEN0","crv":"P-256","alg":"ES256","x":"LIHm8OtNcZ2Y2xIOy6cftxw-xWUYe1wA7_pOf9ummgM","y":"FOlKgs8Y4243u_NV6ar_ITqYc3yiBjN9WWBnsN27fco","d":"WGHmDLLiwhEeKQt-5p7PvXiu7JPM3G-QH4I7gKDVLI4"}' | step crypto jwe encrypt --alg PBES2-HS256+A128KW | step crypto jose format
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMjU2R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IkR5Z1dqYlhKaGNRSFEwNnhCZTlhNVEifQ.tGamBiz_1kuyY-4BaJknPH_MiUt9unznkt_azwNVHyaOI00Mck8SJQ.eZLAgtaU6BXxYLwZ.7_DSTl7l7PXD-V9BJbWAdoxjkRIWdPjQs6eMLPQRqhl1WGB-n35OD7KHq-mhYu_LZLPMb8eoQSa7BC6G_kA4IOnkHnhjOesB6GoHS25WgQCCupz3db1F2tEAOxblKvUGNQ2fIPSnyGAtex7A7vU9nXBmcQUmaEtFIEkkoxcU2t_Zm5ejcDDm_maXTOoCqf1SALV5mFMowyl0azwPBMkUSZnjLWCzV7VCJwfCGxpquckOfkh5rFvwjgjM8EJaHtkw4kOkElNWAtsirXGNDgE9rThG0bv3eUk2iYyyIJ1l_6jHxO8UWIMdQxyVoj9BgGARm-eE28UT6UEPpbDwyT8n.ifNdzx_mz0jbfRcjsIGbQAAll in one from an encrypted key: $ echo eyJhbGci... | step crypto jwe decrypt | step crypto jwe encrypt --alg PBES2-HS256+A128KW | step crypto jose format
Please enter the password to decrypt the content encryption key: password
Please enter the password to encrypt the content encryption key: pass
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMjU2R0NNIiwicDJjIjoxMDAwMDAsInAycyI6ImpUN09FQTdJWmJ5WVdxb1lCdDNyNXcifQ.Y4XColO6eD7X8Qd1b7_i8UXdCm3odmRUtYJ0pokazgjvxXASJI1NHQ.XY1P056h9Bygc_D2.b0hvJkKQpU_Kmi6Kk1MsUN456b3fdGIBP_QDht9HySaKIJd3nWbkO4EGIZ3rrpLtCZx2IeTOebb3U5ZRajF7XlwzllvA17yWF9LgmFumTiPhYqf0SQOY4lXbtIPHxwSU9V1gBa7OarvtBUrIwFeOULDOaYT-0zi6PMbn-00Vvdi8v3oScCwlotNEpHjRtV6DLVxQ-88EL7KzYZPAK7uGL6NTLT3N2XOM_GShZBGSdtL6qWJapvXGUn7A_5wIhZp1GrkcB3q2ev8v3n1VQt0nLr_yxtYMYtVk05Q6y9ad6f-tC_xpzj__phKV_xWEy81FUNVIEwbCKR2up_PAdIM.FFPjKyRAUdYgEwAO-hP6cw |
Beta Was this translation helpful? Give feedback.
-
|
The detail here is the use of {
"protected": "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiMFFOQ1FqRjhYWld1VTQ5NzF5UV9uQSJ9",
"encrypted_key": "2wKtwondscO3mg9v5klopbZu4zlaqt3sIpNOL5bWRL4sCKOMBRvO4g",
"iv": "fa7xNy2yHkT7KP0A",
"ciphertext": "Zykb8mu7vnU1M8QdZJ2YgTCmP-k-wqjAa2zk0U18NapFA6Oqd__JdkTX3XCMRkCbH259AMes2Bm7tQHaXin6DD-Mw03pbrKraTpYO6Jz61wui1p2VdxF9IA9mwB2Fm61tuOKZ2rEP9Fr6QCD1SeczU26KQNT8yvPEPckRVsOsep5J2EycF5fkEKMiE32zLQSgbbhvlGiFJ-VH3FOq4WmJp9LlSDmkswUPZQqfAVpUruwtGfNKDv3cpgRBqvVlx3TmmXm6wEB8IVqeCr1fUs27tNM9UWPwFChDQ6LVeSX1LS3ntJUeVH_pb273Gq0E8o9ydJPxZX_x0rKW1XAfGk",
"tag": "GstSOCDgiYFhi8qHwUOrJw"
}The protected part defines the algorithm to use to decrypt the key: $ echo eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoiMFFOQ1FqRjhYWld1VTQ5NzF5UV9uQSJ9 | step base64 -d | jq
{
"alg": "PBES2-HS256+A128KW",
"cty": "jwk+json",
"enc": "A256GCM",
"p2c": 100000,
"p2s": "0QNCQjF8XZWuU4971yQ_nA"
}This is a password based encryption for a JWE, and is defined at https://datatracker.ietf.org/doc/html/rfc7518#section-4.8 |
Beta Was this translation helpful? Give feedback.
-
|
And another one-liner using $ echo eyJhbGci... | step crypto key format -jwk | step crypto jose format
Please enter the password to decrypt the key: password
Please enter the password to encrypt the private JWK: pass
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjEwMDAwMCwicDJzIjoid1JrRzN1SHFVdzZHdEhUa2tUbFB0USJ9.piEhHzl7Ue3eJaC923wRnEO_9GwbZ8cYfeRJIKkUTdkK3Hh4i63AlA.IgPR-sgBi5x1X7Yw.JywAni_5qMXZ72dchIVgNLQQI10K-Lz_aAWizS-R6LoFV_cOiiVogsu0bVNS0A1r6c59W7AoQ5PCuzwg28PYWZm7Me7lEq-4IBDI1m8tYZJV9fRGS-8vphS2TIgVS0t6M-elGOpuV8ZQYfGi76O9LQjEFHASiL3LufijoweHNu-fnqenUwvI-sAeUbZhLP2Fd-Er4xmmGz9ItcB2dPOpJBQqREApPZiEi9vZZusSllo.SHDXATrRcAvxm4OtoyvKeQ |
Beta Was this translation helpful? Give feedback.
-
|
Thank you so much for your help! I have a few things to note though, since I tried this locally with the encrypted key of the first provisioner, not a newly created one. Using the following command works perfectly fine when replacing the cat old_key.txt | step crypto jose format | step crypto jwe decrypt | step crypto jwe encrypt --alg PBES2-HS256+A128KW | step crypto jose format > new_key.txt
cat new_key.json # I replaced encryptedKey with thisThe other one-liner does not work, but I'm not sure why. I've been playing around with it a little to understand it more. cat old_key.txt | step crypto key format -jwk | step crypto jose format > broken_new_key.txt
wc -m *_key.txt # shows about 100 characters of difference between old and broken, 20 between old and new
cat old_key.txt | step crypto jose format | step crypto jwe decrypt | jq
cat new_key.txt | step crypto jose format | step crypto jwe decrypt | jq
cat broken_new_key.txt | step crypto jose format | step crypto jwe decrypt | jqWhere it gets interesting is after the last command. The decrypted broken key using {
"kty": "EC",
"crv": "P-256"
"x": "...",
"y": "...",
"d": "..."
}The decrypted old and new key look almost identical: {
"use": "sig",
"kty": "EC",
"kid": "...",
"crv": "P-256",
"alg": "ES256",
"x": "...",
"y": "...",
"d": "..."
}It seems that using the latter method removes some of the info from the original key? Additionally, comparing the Old: {
"alg": "PBES2-HS256+A128KW",
"cty": "jwk+json",
"enc": "A256GCM",
"p2c": 100000,
"p2s": "..."
}New: {
"alg": "PBES2-HS256+A128KW",
"enc": "A256GCM",
"p2c": 100000,
"p2s": "..."
} |
Beta Was this translation helpful? Give feedback.
-
|
Seems that the manual is quite comprehensive: https://smallstep.com/docs/step-cli/reference/crypto/jwe/encrypt Adding So the last question I have answered myself. :-) |
Beta Was this translation helpful? Give feedback.
-
|
I see what is going on, Encoded data using {
"kty": "EC",
"crv": "P-256",
"x": "LIHm8OtNcZ2Y2xIOy6cftxw-xWUYe1wA7_pOf9ummgM",
"y": "FOlKgs8Y4243u_NV6ar_ITqYc3yiBjN9WWBnsN27fco",
"d": "WGHmDLLiwhEeKQt-5p7PvXiu7JPM3G-QH4I7gKDVLI4"
}Encoded data using {
"use": "sig",
"kty": "EC",
"kid": "4Y4_pv4LC-Rg0aW7Gbo_Nk8lnuzegpfpQYt3NO4IEN0",
"crv": "P-256",
"alg": "ES256",
"x": "LIHm8OtNcZ2Y2xIOy6cftxw-xWUYe1wA7_pOf9ummgM",
"y": "FOlKgs8Y4243u_NV6ar_ITqYc3yiBjN9WWBnsN27fco",
"d": "WGHmDLLiwhEeKQt-5p7PvXiu7JPM3G-QH4I7gKDVLI4"
} |
Beta Was this translation helpful? Give feedback.
-
|
I've just added docs for this, as part of the JWK provisioner documentation. |
Beta Was this translation helpful? Give feedback.
Hi @realk1ko, I'm gonna go step by step, and finally provide you a one-liner combining everything
Let's start creating a key and the compact version of the jwk.priv (password is password)