
[Bug]: JWK provisioner with Key ID that begins with `-` interpreted as flag

Open 4x0v7 opened this issue 1 year ago • 0 comments

Steps to Reproduce

Add a provisioner with a Key ID that has a `-` character at the start. I'm not sure how many generations of provisioner keys this may take, it just happened to be the first one generated on bringing up my compose stack.

Try to retrieve and print the provisioning key:

```
step ca provisioner jwe-key "-nAsFs068iXyne5_yY9Do_3nDINu-Qnu-9jP3vH7UtQ"
Incorrect Usage: flag provided but not defined: -nAsFs068iXyne5_yY9Do_3nDINu-Qnu-9jP3vH7UtQ
```

Generate a new JWK provisioner and verify the command works (provided that the generated kid does not start with a `-`):

```
step ca provisioner add admin2 --create

# (reload config with SIGHUP, I do this with my compose stack `docker compose kill --signal SIGHUP step-ca`)

NEW_PROVISIONER=$(step ca provisioner list | jq -r '. | map(select(.name == "admin2") .key.kid) | .[]')

step ca provisioner jwe-key "$NEW_PROVISIONER"
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJjdHkiOiJqd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjYwMDAwMCwicDJzIjoiX3hBYWNjMXB3Q05FbDgxdC1iSVJydyJ9.0I697MUERgBeRVwaMM-FOnaHLEyL-IHlUE5ZvXDZJ8tydcvbqlBn6A.QPMr0L_LI1wL2dKl.1PqvBGzuGfp-ZTeyC0zH8Yp5VTOLgSnabhaAZcGBXQlOLRGuwrvpsS5DJj5TML-3ga8xozvddAO7xJqhDJTil4GV8H7PF7vcvI8h77ojzQ1iIHlsXshYJjuRlD0oHV8yyiiKFaHPlHKJCg21sZyCd3ss-FIhlPBqkzG6C5k7Ul90r2NOMiA8_e_1HP6piaiWssgiBP1gY03TFuigx5HwKzHsllLBoIjPpXvCgncljDjHc5usDVKsZ-KNuO_4APbFLyMD4Eu4tSPLvBVsS0_1XrEyanH8M4Ul_qmCF0fBKSz91CGhXdlfDzQExzy0prTjC1PdDdPxl5bfxNXJ0xM.eOk9do9Y9I_xgLi0L6QgUA
```

Your Environment

  • OS - Linux / Docker (smallstep/step-ca:0.25.0@sha256:9cdef9c9daecf71d87d23d83a57712867e6c08d4f9ecad998d4bc6239f2218dd)
  • step-ca Version - 0.25.0

Expected Behavior

The key is printed

Actual Behavior

Incorrect Usage: flag provided but not defined: -nAsFs068iXyne5_yY9Do_3nDINu-Qnu-9jP3vH7UtQ

Additional Context

This happens with step-cli 0.25.0 talking to a step-ca server running in Docker, and also when running the same command with step directly in the CA container.

My provisioner looks like this:

```json
{
  "type": "JWK",
  "name": "admin",
  "key": {
    "use": "sig",
    "kty": "EC",
    "kid": "-nAsFs068iXyne5_yY9Do_3nDINu-Qnu-9jP3vH7UtQ",
    "crv": "P-256",
    "alg": "ES256",
    "x": "OOXgCFfqJUTY3LkY0fSTFSI5UWkv-Jf1f5R8ZmXHz0g",
    "y": "xSa_cfDJeAnrtB2JUdKMbMYMlkllw5K9PwFgi-g0Kt4"
  },
  "encryptedKey": "<redacted>"
}
```

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

4x0v7, Oct 24 '23 04:10
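
An added illustration, not part of the original report and not step's own code: Go's standard `flag` package returns the same error text as the report when a positional value begins with `-`, and the conventional `--` terminator makes the value parse as data. The `jwe-key` FlagSet name, the `ca-url` option and the helper names are stand-ins; whether `step` itself accepts `--` in this position is not stated on the page.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// parseKid mimics a subcommand that takes exactly one positional <kid>.
// The FlagSet name and the "ca-url" option are hypothetical stand-ins,
// not the real definitions used by the step CLI.
func parseKid(args []string) (string, error) {
	fs := flag.NewFlagSet("jwe-key", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // suppress usage text so only the error is visible
	fs.String("ca-url", "", "hypothetical option")
	if err := fs.Parse(args); err != nil {
		return "", err
	}
	if fs.NArg() != 1 {
		return "", fmt.Errorf("expected 1 positional argument, got %d", fs.NArg())
	}
	return fs.Arg(0), nil
}

// safeArgs is what a wrapper script or calling program should build when the
// value comes from data (here a base64url kid): "--" ends flag parsing, so a
// leading '-' can no longer be read as the start of an option.
func safeArgs(kid string) []string {
	return []string{"--", kid}
}

func main() {
	kid := "-nAsFs068iXyne5_yY9Do_3nDINu-Qnu-9jP3vH7UtQ" // kid quoted in the report

	_, err := parseKid([]string{kid})
	fmt.Println("bare argument:", err)

	got, err := parseKid(safeArgs(kid))
	fmt.Println("after \"--\":  ", got, err)
}
```

Shell quoting does not help here, because the quotes are removed before the program sees its arguments; only the position relative to `--` tells the parser that the string is data.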