@njunot njunot commented Sep 5, 2025

When using JWK, Step CA sends out the Base64-encoded encrypted key. Currently that key is directly fed to jose.ParseEncrypted which expects compact JWE format and not the raw Base64 string. This fix attempts to decode the Base64 encoded key before passing it to the ParseEncoded function. If that doesn't work, it is assumed the string was already decoded so the encrypted key is passed as is.

Pain or issue this feature alleviates:

This issue resolves the error "error":"error parsing provisioner encrypted key: square/go-jose: compact JWE format must have five parts" that is encountered with step-issuer. It allows a step-issuer instance to issue certificates using the JWK from the corresponding Step CA instance.

Supporting links/other PRs/issues:

smallstep/step-issuer#107

💔Thank you!

@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Sep 5, 2025
@CLAassistant

CLAassistant commented Sep 30, 2025

CLA assistant check
All committers have signed the CLA.

@github-advanced-security

var encryptedKey string
encryptedKey_bytes, err := base64.StdEncoding.DecodeString(encryptedKeyEnc)
if err != nil {
encryptedKey = encryptedKeyEnc

Code scanning / CodeQL check warning: Useless assignment to local variable. This definition of encryptedKey is never used.
@maraino
Contributor

maraino commented Sep 30, 2025

Hi @njunot, the response is not base64 encoded, it's a JWE:

$ curl https://localhost:8443/provisioners/P1zJB3C7CQiUmU7zxpF-knn3PwipbKAKgGILDgDtT84/encrypted-key
{"key":"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUV9nZkJfckdBZFFTNHlaVzNKUlRLQSJ9.O1V9h-AlL7I-38-8_ceEUPWH8cPNh83MrujO6Os_KhSGlUREAWD-CQ.ttb1n-CNAssaugcR.5pBdDgfuIMM0Og1v_afwhKdlj5OOJdo_wmLK0yzvk9aT78ftS1dopcL74rrncGOuG9i5TVnC4aLLibcSbO3HvG-rPZsTzvmzz9zBPTkga0fOicPPChiEUo5F2jd7wHs42UuJmxKjZdXsbLd7WgBRl6Jo6ll835NSN8_kNiqRPi79BmbwIsPn4wJ_PLybB-eeNweDh08AAuVuofXvk7dQzvWy37fsDQNpFChnzrUQlhjn5InjWsd6MpeA1hoA27DSi85Yd6JzJm7w8MMAggoNh_WlmPLscTOAhcsFnx_73PtKVRfPKyK2fZlC0dcsMbNWAVW-YKVrEAH_QTAiFwY.29BybdokVLvPTS_-ZC7J2w"}

It has 5 parts that are base64url encoded, as explained in RFC 7516 section 3.1.

You can decrypt it like this:

$ curl -s https://localhost:8443/provisioners/P1zJB3C7CQiUmU7zxpF-knn3PwipbKAKgGILDgDtT84/encrypted-key | jq -r .key | step crypto jwe decrypt --password-file <(echo asdf)
{"use":"sig","kty":"EC","kid":"P1zJB3C7CQiUmU7zxpF-knn3PwipbKAKgGILDgDtT84","crv":"P-256","alg":"ES256","x":"G-g5Qs9rTVLCPxgIj5ywwfkSyMYbdr2-fTNgcZChRA4","y":"4oBKBibmwFik83IHfM44uT64hmWTXC68n0xlJhhPvgg","d":"RT5hyC61UDp2tcqNuZ7KmFdPY1vSfJkRQ_q0pKvDrnA"}
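As an added example (not code from the PR, step-issuer or Step CA), the following Go program shows why the PR's approach cannot work: a compact JWE is five dot-separated base64url segments, so base64.StdEncoding rejects it outright and the string should go to the JWE parser unchanged. The protected header is the one from the response above; the other four segments are constructed placeholders, since the check only inspects structure and never decrypts.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// jweHeader: protected-header fields of interest (RFC 7516 section 4.1);
// encoding/json matches the lowercase keys case-insensitively.
type jweHeader struct{ Alg, Enc, Cty string }

// sampleJWE is constructed: the protected header is the one the CA returned
// above; the other four segments are base64url placeholders ("key", "iv",
// "ct", "tag"), not real ciphertext, since nothing here decrypts.
const sampleJWE = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiUV9nZkJfckdBZFFTNHlaVzNKUlRLQSJ9" +
	".a2V5.aXY.Y3Q.dGFn"

// splitCompactJWE checks that s is a compact JWE (RFC 7516 section 3.1): five
// unpadded base64url segments joined by '.'; it returns the decoded header.
func splitCompactJWE(s string) (*jweHeader, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("compact JWE must have five parts, got %d", len(parts))
	}
	for i, p := range parts { // base64url (RFC 7515 section 2), not std base64
		if _, err := base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d is not base64url: %w", i, err)
		}
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var h jweHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return nil, fmt.Errorf("protected header is not JSON: %w", err)
	}
	return &h, nil
}

// isStdBase64 reports whether base64.StdEncoding accepts s. A compact JWE never
// does ('.', '-', '_' are outside that alphabet): the PR's DecodeString call
// fails because the value is already the JWE the parser wants, not base64 of it.
func isStdBase64(s string) bool {
	_, err := base64.StdEncoding.DecodeString(s)
	return err == nil
}

func main() {
	fmt.Println(splitCompactJWE(sampleJWE)) // &{PBES2-HS256+A128KW A256GCM jwk+json} <nil>
	fmt.Println(isStdBase64(sampleJWE))     // false
}
```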

3 participants