Merge pull request #1555 from smallstep/scep-password

Change scep password type to string
2026-01-27 10:18:34 +00:00 · 2023-09-26 13:25:47 -07:00
parent 86c029df36 52baf52f84
commit f9db22d311
5 changed files with 12 additions and 17 deletions
--- a/api/api.go
+++ b/api/api.go
@@ -248,7 +248,7 @@ func scepFromProvisioner(p *provisioner.SCEP) *models.SCEP {
 		DecrypterCertificate:          []byte(redacted),
 		DecrypterKeyPEM:               []byte(redacted),
 		DecrypterKeyURI:               redacted,
-		DecrypterKeyPassword:          []byte(redacted),
+		DecrypterKeyPassword:          redacted,
 		EncryptionAlgorithmIdentifier: p.EncryptionAlgorithmIdentifier,
 		Options:                       p.Options,
 		Claims:                        p.Claims,
--- a/api/api_test.go
+++ b/api/api_test.go
@@ -1584,11 +1584,6 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 	err = json.Unmarshal(b, &key)
 	require.NoError(t, err)

-	var encodedPassword bytes.Buffer
-	enc := base64.NewEncoder(base64.StdEncoding, &encodedPassword)
-	_, err = enc.Write([]byte("super-secret-password"))
-	require.NoError(t, err)
-
 	r := ProvisionersResponse{
 		Provisioners: provisioner.List{
 			&provisioner.SCEP{
@@ -1602,7 +1597,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 				DecrypterCertificate:          []byte{1, 2, 3, 4},
 				DecrypterKeyPEM:               []byte{5, 6, 7, 8},
 				DecrypterKeyURI:               "softkms:path=/path/to/private.key",
-				DecrypterKeyPassword:          encodedPassword.Bytes(),
+				DecrypterKeyPassword:          "super-secret-password",
 			},
 			&provisioner.JWK{
 				EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
@@ -1626,7 +1621,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 				"decrypterCertificate":          []byte("*** REDACTED ***"),
 				"decrypterKey":                  "*** REDACTED ***",
 				"decrypterKeyPEM":               []byte("*** REDACTED ***"),
-				"decrypterKeyPassword":          []byte("*** REDACTED ***"),
+				"decrypterKeyPassword":          "*** REDACTED ***",
 				"minimumPublicKeyLength":        2048,
 				"encryptionAlgorithmIdentifier": 2,
 			},
@@ -1668,7 +1663,7 @@ func TestProvisionersResponse_MarshalJSON(t *testing.T) {
 			DecrypterCertificate:          []byte{1, 2, 3, 4},
 			DecrypterKeyPEM:               []byte{5, 6, 7, 8},
 			DecrypterKeyURI:               "softkms:path=/path/to/private.key",
-			DecrypterKeyPassword:          encodedPassword.Bytes(),
+			DecrypterKeyPassword:          "super-secret-password",
 		},
 		&provisioner.JWK{
 			EncryptedKey: "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwicDJjIjoxMDAwMDAsInAycyI6IlhOdmYxQjgxSUlLMFA2NUkwcmtGTGcifQ.XaN9zcPQeWt49zchUDm34FECUTHfQTn_.tmNHPQDqR3ebsWfd.9WZr3YVdeOyJh36vvx0VlRtluhvYp4K7jJ1KGDr1qypwZ3ziBVSNbYYQ71du7fTtrnfG1wgGTVR39tWSzBU-zwQ5hdV3rpMAaEbod5zeW6SHd95H3Bvcb43YiiqJFNL5sGZzFb7FqzVmpsZ1efiv6sZaGDHtnCAL6r12UG5EZuqGfM0jGCZitUz2m9TUKXJL5DJ7MOYbFfkCEsUBPDm_TInliSVn2kMJhFa0VOe5wZk5YOuYM3lNYW64HGtbf-llN2Xk-4O9TfeSPizBx9ZqGpeu8pz13efUDT2WL9tWo6-0UE-CrG0bScm8lFTncTkHcu49_a5NaUBkYlBjEiw.thPcx3t1AUcWuEygXIY3Fg",
--- a/api/models/scep.go
+++ b/api/models/scep.go
@@ -28,7 +28,7 @@ type SCEP struct {
 	DecrypterCertificate          []byte               `json:"decrypterCertificate"`
 	DecrypterKeyPEM               []byte               `json:"decrypterKeyPEM"`
 	DecrypterKeyURI               string               `json:"decrypterKey"`
-	DecrypterKeyPassword          []byte               `json:"decrypterKeyPassword"`
+	DecrypterKeyPassword          string               `json:"decrypterKeyPassword"`
 	EncryptionAlgorithmIdentifier int                  `json:"encryptionAlgorithmIdentifier"`
 	Options                       *provisioner.Options `json:"options,omitempty"`
 	Claims                        *provisioner.Claims  `json:"claims,omitempty"`
--- a/authority/provisioner/scep.go
+++ b/authority/provisioner/scep.go
@@ -47,7 +47,7 @@ type SCEP struct {
 	DecrypterCertificate []byte `json:"decrypterCertificate,omitempty"`
 	DecrypterKeyPEM      []byte `json:"decrypterKeyPEM,omitempty"`
 	DecrypterKeyURI      string `json:"decrypterKey,omitempty"`
-	DecrypterKeyPassword []byte `json:"decrypterKeyPassword,omitempty"`
+	DecrypterKeyPassword string `json:"decrypterKeyPassword,omitempty"`

 	// Numerical identifier for the ContentEncryptionAlgorithm as defined in github.com/mozilla-services/pkcs7
 	// at https://github.com/mozilla-services/pkcs7/blob/33d05740a3526e382af6395d3513e73d4e66d1cb/encrypt.go#L63
@@ -289,14 +289,14 @@ func (s *SCEP) Init(config Config) (err error) {
 		}
 		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 			DecryptionKeyPEM: decryptionKeyPEM,
-			Password:         s.DecrypterKeyPassword,
+			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
 			SigningKeyPEM:    decryptionKeyPEM, // TODO(hs): support distinct signer key in the future?
-			Password:         s.DecrypterKeyPassword,
+			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating signer: %w", err)
@@ -331,14 +331,14 @@ func (s *SCEP) Init(config Config) (err error) {
 		}
 		if s.decrypter, err = kmsDecrypter.CreateDecrypter(&kmsapi.CreateDecrypterRequest{
 			DecryptionKey:    decryptionKeyURI,
-			Password:         s.DecrypterKeyPassword,
+			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating decrypter: %w", err)
 		}
 		if s.signer, err = s.keyManager.CreateSigner(&kmsapi.CreateSignerRequest{
 			SigningKey:       decryptionKeyURI, // TODO(hs): support distinct signer key in the future?
-			Password:         s.DecrypterKeyPassword,
+			Password:         []byte(s.DecrypterKeyPassword),
 			PasswordPrompter: kmsapi.NonInteractivePasswordPrompter,
 		}); err != nil {
 			return fmt.Errorf("failed creating signer: %w", err)
--- a/authority/provisioners.go
+++ b/authority/provisioners.go
@@ -992,7 +992,7 @@ func ProvisionerToCertificates(p *linkedca.Provisioner) (provisioner.Interface,
 			s.DecrypterCertificate = decrypter.Certificate
 			s.DecrypterKeyPEM = decrypter.Key
 			s.DecrypterKeyURI = decrypter.KeyUri
-			s.DecrypterKeyPassword = decrypter.KeyPassword
+			s.DecrypterKeyPassword = string(decrypter.KeyPassword)
 		}
 		return s, nil
 	case *linkedca.ProvisionerDetails_Nebula:
@@ -1255,7 +1255,7 @@ func ProvisionerToLinkedca(p provisioner.Interface) (*linkedca.Provisioner, erro
 							Certificate: p.DecrypterCertificate,
 							Key:         p.DecrypterKeyPEM,
 							KeyUri:      p.DecrypterKeyURI,
-							KeyPassword: p.DecrypterKeyPassword,
+							KeyPassword: []byte(p.DecrypterKeyPassword),
 						},
 					},
 				},