Add password-file flag to jwt sign and verify

Author: maraino

command/crypto/jwt/sign.go

@@ -185,6 +185,10 @@ string. When used with '--jwk' the <kid> value must match the **"kid"** member
 of the JWK. When used with **--jwks** (a JWK Set) the <kid> value must match
 the **"kid"** member of one of the JWKs in the JWK Set.`,
 			},
+			cli.StringFlag{
+				Name:  "password-file",
+				Usage: `The path to the <file> containing the password to decrypt the key.`,
+			},
 			cli.BoolFlag{
 				Name:   "subtle",
 				Hidden: true,
@@ -246,6 +250,9 @@ func signAction(ctx *cli.Context) error {
 	if isSubtle {
 		options = append(options, jose.WithSubtle(true))
 	}
+	if passwordFile := ctx.String("password-file"); len(passwordFile) > 0 {
+		options = append(options, jose.WithPasswordFile(passwordFile))
+	}
 
 	// Read key from --key or --jwks
 	var jwk *jose.JSONWebKey

command/crypto/jwt/verify.go

@@ -82,6 +82,10 @@ a "kid" member the '--kid' flag can be used.`,
 The KID argument is a case-sensitive string. If the input JWS has a "kid"
 member its value must match <kid> or verification will fail.`,
 			},
+			cli.StringFlag{
+				Name:  "password-file",
+				Usage: `The path to the <file> containing the password to decrypt the key.`,
+			},
 			cli.BoolFlag{
 				Name:   "subtle",
 				Hidden: true,
@@ -172,6 +176,9 @@ func verifyAction(ctx *cli.Context) error {
 	if !ctx.Bool("insecure") {
 		options = append(options, jose.WithNoDefaults(true))
 	}
+	if passwordFile := ctx.String("password-file"); len(passwordFile) > 0 {
+		options = append(options, jose.WithPasswordFile(passwordFile))
+	}
 
 	// Read key from --key or --jwks
 	var jwk *jose.JSONWebKey

jose/options.go

@@ -1,69 +1,95 @@
 package jose
 
+import (
+	"github.com/smallstep/cli/utils"
+)
+
 type context struct {
 	use, alg, kid    string
 	subtle, insecure bool
 	noDefaults       bool
 	password         []byte
 }
 
-// apply the options to the context and returns it.
-func (ctx *context) apply(opts ...Option) *context {
+// apply the options to the context and returns an error if one of the options
+// fails.
+func (ctx *context) apply(opts ...Option) (*context, error) {
 	for _, opt := range opts {
-		opt(ctx)
+		if err := opt(ctx); err != nil {
+			return nil, err
+		}
 	}
-	return ctx
+	return ctx, nil
 }
 
 // Option is the type used to add attributes to the context.
-type Option func(ctx *context)
+type Option func(ctx *context) error
 
 // WithUse adds the use claim to the context.
 func WithUse(use string) Option {
-	return func(ctx *context) {
+	return func(ctx *context) error {
 		ctx.use = use
+		return nil
 	}
 }
 
 // WithAlg adds the alg claim to the context.
 func WithAlg(alg string) Option {
-	return func(ctx *context) {
+	return func(ctx *context) error {
 		ctx.alg = alg
+		return nil
 	}
 }
 
 // WithKid adds the kid property to the context.
 func WithKid(kid string) Option {
-	return func(ctx *context) {
+	return func(ctx *context) error {
 		ctx.kid = kid
+		return nil
 	}
 }
 
 // WithSubtle marks the context as subtle.
 func WithSubtle(subtle bool) Option {
-	return func(ctx *context) {
+	return func(ctx *context) error {
 		ctx.subtle = subtle
+		return nil
 	}
 }
 
 // WithInsecure marks the context as insecure.
 func WithInsecure(insecure bool) Option {
-	return func(ctx *context) {
+	return func(ctx *context) error {
 		ctx.insecure = insecure
+		return nil
 	}
 }
 
 // WithNoDefaults avoids that the parser loads defaults values, specially the
 // default algorithms.
 func WithNoDefaults(val bool) Option {
-	return func(ctx *context) {
+	return func(ctx *context) error {
 		ctx.noDefaults = val
+		return nil
 	}
 }
 
 // WithPassword is a method that adds the given password to the context.
 func WithPassword(pass []byte) Option {
-	return func(ctx *context) {
+	return func(ctx *context) error {
 		ctx.password = pass
+		return nil
+	}
+}
+
+// WithPasswordFile is a method that adds the password in a file to the context.
+func WithPasswordFile(filename string) Option {
+	return func(ctx *context) error {
+		b, err := utils.ReadPasswordFromFile(filename)
+		if err != nil {
+			return err
+		}
+		ctx.password = b
+		return nil
 	}
 }

jose/parse.go

@@ -33,7 +33,10 @@ const MaxDecryptTries = 3
 // it will return the raw data if it's not encrypted or the format is not
 // valid.
 func Decrypt(prompt string, data []byte, opts ...Option) ([]byte, error) {
-	ctx := new(context).apply(opts...)
+	ctx, err := new(context).apply(opts...)
+	if err != nil {
+		return nil, err
+	}
 
 	enc, err := jose.ParseEncrypted(string(data))
 	if err != nil {
@@ -64,7 +67,10 @@ func Decrypt(prompt string, data []byte, opts ...Option) ([]byte, error) {
 // password protected keys, it will ask the user for a password.
 // func ParseKey(filename, use, alg, kid string, subtle bool) (*JSONWebKey, error) {
 func ParseKey(filename string, opts ...Option) (*JSONWebKey, error) {
-	ctx := new(context).apply(opts...)
+	ctx, err := new(context).apply(opts...)
+	if err != nil {
+		return nil, err
+	}
 
 	b, err := ioutil.ReadFile(filename)
 	if err != nil {
@@ -143,7 +149,10 @@ func ReadJWKSet(filename string) ([]byte, error) {
 // a given file.
 // func ParseKeySet(filename, alg, kid string, isSubtle bool) (*jose.JSONWebKey, error) {
 func ParseKeySet(filename string, opts ...Option) (*jose.JSONWebKey, error) {
-	ctx := new(context).apply(opts...)
+	ctx, err := new(context).apply(opts...)
+	if err != nil {
+		return nil, err
+	}
 
 	b, err := ReadJWKSet(filename)
 	if err != nil {

jose/parse_test.go

@@ -207,13 +207,15 @@ func TestGuessJWKAlgorithm(t *testing.T) {
 	}
 
 	// With context
-	ctx := new(context).apply(WithAlg(HS256))
+	ctx, err := new(context).apply(WithAlg(HS256))
+	assert.NoError(t, err)
 	jwk := &JSONWebKey{Key: []byte("password")}
 	guessJWKAlgorithm(ctx, jwk)
 	assert.Equals(t, HS256, jwk.Algorithm)
 
 	// With algorithm set
-	ctx = new(context).apply(WithAlg(HS256))
+	ctx, err = new(context).apply(WithAlg(HS256))
+	assert.NoError(t, err)
 	jwk = &JSONWebKey{Key: []byte("password"), Algorithm: HS384}
 	guessJWKAlgorithm(ctx, jwk)
 	assert.Equals(t, HS384, jwk.Algorithm)

utils/read.go

@@ -2,12 +2,14 @@ package utils
 
 import (
 	"bufio"
+	"bytes"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
 	"strings"
 	"syscall"
+	"unicode"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/crypto/randutil"
@@ -83,6 +85,17 @@ func ReadPasswordGenerate(prompt string) ([]byte, error) {
 	return pass, errors.Wrap(err, "error reading password")
 }
 
+// ReadPasswordFromFile reads and returns the password from the given filename.
+// The contents of the file will be trimmed at the right.
+func ReadPasswordFromFile(filename string) ([]byte, error) {
+	password, err := ioutil.ReadFile(filename)
+	if err != nil {
+		return nil, errs.FileError(err, filename)
+	}
+	password = bytes.TrimRightFunc(password, unicode.IsSpace)
+	return password, nil
+}
+
 // ReadInput from stdin if something is detected or ask the user for an input
 // using the given prompt.
 func ReadInput(prompt string) ([]byte, error) {

utils/read_test.go

@@ -38,6 +38,16 @@ func TestReadFileStdin(t *testing.T) {
 	require.True(t, bytes.Equal(content, b), "expected %s to equal %s", b, content)
 }
 
+func TestReadPasswordFromFile(t *testing.T) {
+	content := []byte("my-password-on-file\n")
+	f, cleanup := newFile(t, content)
+	defer cleanup()
+
+	b, err := ReadPasswordFromFile(f.Name())
+	require.NoError(t, err)
+	require.True(t, bytes.Equal([]byte("my-password-on-file"), b), "expected %s to equal %s", b, content)
+}
+
 // Returns a temp file and a cleanup function to delete it.
 func newFile(t *testing.T, data []byte) (file *os.File, cleanup func()) {
 	f, err := ioutil.TempFile("" /* dir */, "utils-read-test")