Merge pull request #86 from smallstep/cli/jose

maraino · web-flow · commit 7093998e90ff · 2022-10-05T12:01:50.000-07:00
Add Encrypt helper
diff --git a/jose/encrypt.go b/jose/encrypt.go
@@ -19,12 +19,28 @@ type PasswordPrompter func(s string) ([]byte, error)
 // the parse of the key will fail.
 var PromptPassword PasswordPrompter
 
-// EncryptJWK returns the given JWK encrypted with the default encryption
+// Encrypt returns the given data encrypted with the default encryption
 // algorithm (PBES2-HS256+A128KW).
-func EncryptJWK(jwk *JSONWebKey, passphrase []byte) (*JSONWebEncryption, error) {
-	b, err := json.Marshal(jwk)
+func Encrypt(data []byte, opts ...Option) (*JSONWebEncryption, error) {
+	ctx, err := new(context).apply(opts...)
 	if err != nil {
-		return nil, errors.Wrap(err, "error marshaling JWK")
+		return nil, err
+	}
+
+	var passphrase []byte
+	switch {
+	case len(ctx.password) > 0:
+		passphrase = ctx.password
+	case ctx.passwordPrompter != nil:
+		if passphrase, err = ctx.passwordPrompter(ctx.passwordPrompt); err != nil {
+			return nil, err
+		}
+	case PromptPassword != nil:
+		if passphrase, err = PromptPassword("Please enter the password to encrypt the data"); err != nil {
+			return nil, err
+		}
+	default:
+		return nil, errors.New("failed to encrypt the data: missing password")
 	}
 
 	salt, err := randutil.Salt(PBKDF2SaltSize)
@@ -40,22 +56,35 @@ func EncryptJWK(jwk *JSONWebKey, passphrase []byte) (*JSONWebEncryption, error)
 		PBES2Salt:  salt,
 	}
 
-	opts := new(EncrypterOptions)
-	opts.WithContentType(ContentType("jwk+json"))
+	encrypterOptions := new(EncrypterOptions)
+	if ctx.contentType != "" {
+		encrypterOptions.WithContentType(ContentType(ctx.contentType))
+	}
 
-	encrypter, err := NewEncrypter(DefaultEncAlgorithm, recipient, opts)
+	encrypter, err := NewEncrypter(DefaultEncAlgorithm, recipient, encrypterOptions)
 	if err != nil {
 		return nil, errors.Wrap(err, "error creating cipher")
 	}
 
-	jwe, err := encrypter.Encrypt(b)
+	jwe, err := encrypter.Encrypt(data)
 	if err != nil {
 		return nil, errors.Wrap(err, "error encrypting data")
 	}
 
 	return jwe, nil
 }
 
+// EncryptJWK returns the given JWK encrypted with the default encryption
+// algorithm (PBES2-HS256+A128KW).
+func EncryptJWK(jwk *JSONWebKey, passphrase []byte) (*JSONWebEncryption, error) {
+	b, err := json.Marshal(jwk)
+	if err != nil {
+		return nil, errors.Wrap(err, "error marshaling JWK")
+	}
+
+	return Encrypt(b, WithPassword(passphrase), WithContentType("jwk+json"))
+}
+
 // Decrypt returns the decrypted version of the given data if it's encrypted,
 // it will return the raw data if it's not encrypted or the format is not
 // valid.
@@ -82,11 +111,16 @@ func Decrypt(data []byte, opts ...Option) ([]byte, error) {
 	if ctx.passwordPrompter != nil || PromptPassword != nil {
 		var pass []byte
 		for i := 0; i < MaxDecryptTries; i++ {
-			if ctx.passwordPrompter != nil {
+			switch {
+			case ctx.passwordPrompter != nil:
 				if pass, err = ctx.passwordPrompter(ctx.passwordPrompt); err != nil {
 					return nil, err
 				}
-			} else {
+			case ctx.filename != "":
+				if pass, err = PromptPassword("Please enter the password to decrypt " + ctx.filename); err != nil {
+					return nil, err
+				}
+			default:
 				if pass, err = PromptPassword("Please enter the password to decrypt the JWE"); err != nil {
 					return nil, err
 				}
diff --git a/jose/encrypt_test.go b/jose/encrypt_test.go
@@ -114,6 +114,112 @@ func rsaEqual(priv *rsa.PrivateKey, x crypto.PrivateKey) bool {
 	return true
 }
 
+func TestEncrypt(t *testing.T) {
+	jwk := fixJWK(mustGenerateJWK(t, "EC", "P-256", "ES256", "", "", 0))
+	data, err := json.Marshal(jwk)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	type args struct {
+		data []byte
+		opts []Option
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantFn  func(t *testing.T) *JSONWebEncryption
+		wantErr bool
+	}{
+		{"ok", args{data, []Option{WithPassword([]byte("password")), WithContentType("jwk+json")}},
+			func(t *testing.T) *JSONWebEncryption {
+				reader := mustTeeReader(t)
+				jwe := mustEncryptJWK(t, jwk, []byte("password"))
+				rand.Reader = reader
+				jose.RandReader = reader
+				return jwe
+			}, false},
+		{"ok WithPasswordPrompter", args{data, []Option{
+			WithContentType("jwk+json"),
+			WithPasswordPrompter("Enter the password", func(s string) ([]byte, error) {
+				return []byte("password"), nil
+			})}},
+			func(t *testing.T) *JSONWebEncryption {
+				reader := mustTeeReader(t)
+				jwe := mustEncryptJWK(t, jwk, []byte("password"))
+				rand.Reader = reader
+				jose.RandReader = reader
+				return jwe
+			}, false},
+		{"ok with PromptPassword", args{data, []Option{WithContentType("jwk+json")}},
+			func(t *testing.T) *JSONWebEncryption {
+				tmp := PromptPassword
+				t.Cleanup(func() { PromptPassword = tmp })
+				PromptPassword = func(s string) ([]byte, error) {
+					return []byte("password"), nil
+				}
+				reader := mustTeeReader(t)
+				jwe := mustEncryptJWK(t, jwk, []byte("password"))
+				rand.Reader = reader
+				jose.RandReader = reader
+				return jwe
+			}, false},
+		{"fail apply", args{data, []Option{WithPasswordFile("testdata/missing.txt")}},
+			func(t *testing.T) *JSONWebEncryption {
+				return nil
+			}, true},
+		{"fail WithPasswordPrompter", args{data, []Option{
+			WithContentType("jwk+json"),
+			WithPasswordPrompter("Enter the password", func(s string) ([]byte, error) {
+				return nil, errors.New("test error")
+			})}},
+			func(t *testing.T) *JSONWebEncryption {
+				return nil
+			}, true},
+		{"fail with PromptPassword", args{data, []Option{WithContentType("jwk+json")}},
+			func(t *testing.T) *JSONWebEncryption {
+				tmp := PromptPassword
+				t.Cleanup(func() { PromptPassword = tmp })
+				PromptPassword = func(s string) ([]byte, error) {
+					return nil, errors.New("test error")
+				}
+				return nil
+			}, true},
+		{"fail no passowrd", args{data, nil},
+			func(t *testing.T) *JSONWebEncryption {
+				return nil
+			}, true},
+		{"fail encrypt", args{data, []Option{WithPassword([]byte("password"))}},
+			func(t *testing.T) *JSONWebEncryption {
+				reader := mustTeeReader(t)
+				_, _ = randutil.Salt(PBKDF2SaltSize)
+				rand.Reader = reader
+				jose.RandReader = reader
+				return nil
+			}, true},
+		{"fail salt", args{data, []Option{WithPassword([]byte("password"))}},
+			func(t *testing.T) *JSONWebEncryption {
+				reader := mustTeeReader(t)
+				rand.Reader = reader
+				jose.RandReader = reader
+				return nil
+			}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			want := tt.wantFn(t)
+			got, err := Encrypt(tt.args.data, tt.args.opts...)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Encrypt() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, want) {
+				t.Errorf("Encrypt() = %v, want %v", got, want)
+			}
+		})
+	}
+}
+
 func TestEncryptJWK(t *testing.T) {
 	jwk := fixJWK(mustGenerateJWK(t, "EC", "P-256", "ES256", "", "", 0))
 
@@ -266,35 +372,47 @@ func TestDecrypt(t *testing.T) {
 		want    []byte
 		wantErr bool
 	}{
-		{"okNotEncrypted", args{[]byte("foobar"), nil, nil}, []byte("foobar"), false},
-		{"okWithPassword", args{encryptedData, []Option{WithPassword(testPassword)}, nil}, data, false},
-		{"okWithPasswordFile", args{encryptedData, []Option{WithPasswordFile("testdata/passphrase.txt")}, nil}, data, false},
-		{"okWithPasswordPrompter", args{encryptedData, []Option{WithPasswordPrompter("What's the password?", func(s string) ([]byte, error) {
+		{"ok not encrypted", args{[]byte("foobar"), nil, nil}, []byte("foobar"), false},
+		{"ok WithPassword", args{encryptedData, []Option{WithPassword(testPassword)}, nil}, data, false},
+		{"ok WithPasswordFile", args{encryptedData, []Option{WithPasswordFile("testdata/passphrase.txt")}, nil}, data, false},
+		{"ok WithPasswordPrompter", args{encryptedData, []Option{WithPasswordPrompter("What's the password?", func(s string) ([]byte, error) {
 			return testPassword, nil
 		})}, nil}, data, false},
-		{"okGlobalPasswordPrompter", args{encryptedData, []Option{}, func(s string) ([]byte, error) {
+		{"ok PasswordPrompter", args{encryptedData, []Option{}, func(s string) ([]byte, error) {
+			return testPassword, nil
+		}}, data, false},
+		{"ok WithFilename and PasswordPrompter", args{encryptedData, []Option{WithFilename("test.jwk")}, func(s string) ([]byte, error) {
 			return testPassword, nil
 		}}, data, false},
-		{"failBadData", args{badEncryptedData, []Option{WithPassword(testPassword)}, nil}, nil, true},
-		{"failWithPassword", args{encryptedData, []Option{WithPassword([]byte("bad-password"))}, nil}, nil, true},
-		{"failWithPasswordFile", args{encryptedData, []Option{WithPasswordFile("testdata/oct.txt")}, nil}, nil, true},
-		{"failWithPasswordPrompter", args{encryptedData, []Option{WithPasswordPrompter("What's the password?", func(s string) ([]byte, error) {
+		{"fail bad data", args{badEncryptedData, []Option{WithPassword(testPassword)}, nil}, nil, true},
+		{"fail WithPassword", args{encryptedData, []Option{WithPassword([]byte("bad-password"))}, nil}, nil, true},
+		{"fail WithPasswordFile", args{encryptedData, []Option{WithPasswordFile("testdata/oct.txt")}, nil}, nil, true},
+		{"fail WithPasswordPrompter", args{encryptedData, []Option{WithPasswordPrompter("What's the password?", func(s string) ([]byte, error) {
 			return []byte("bad-password"), nil
 		})}, nil}, nil, true},
-		{"failGlobalPasswordPrompter", args{encryptedData, []Option{}, func(s string) ([]byte, error) {
+		{"fail PasswordPrompter", args{encryptedData, []Option{}, func(s string) ([]byte, error) {
 			return []byte("bad-password"), nil
 		}}, nil, true},
-		{"failApplyWithPassword", args{encryptedData, []Option{WithPasswordFile("testdata/missing.txt")}, nil}, nil, true},
-		{"failApplyWithPasswordPrompter", args{encryptedData, []Option{WithPasswordPrompter("What's the password?", func(s string) ([]byte, error) {
+		{"fail apply WithPassword", args{encryptedData, []Option{WithPasswordFile("testdata/missing.txt")}, nil}, nil, true},
+		{"fail apply WithPasswordPrompter", args{encryptedData, []Option{WithPasswordPrompter("What's the password?", func(s string) ([]byte, error) {
 			return nil, errors.New("unexpected error")
 		})}, nil}, nil, true},
-		{"failGlobalPasswordPrompterError", args{encryptedData, []Option{}, func(s string) ([]byte, error) {
+		{"fail PasswordPrompter", args{encryptedData, []Option{}, func(s string) ([]byte, error) {
+			return nil, errors.New("unexpected error")
+		}}, nil, true},
+		{"fail WithFilename and PasswordPrompter", args{encryptedData, []Option{WithFilename("test.jwk")}, func(s string) ([]byte, error) {
 			return nil, errors.New("unexpected error")
 		}}, nil, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			if tt.name == "okGlobalPasswordPrompter" {
+				t.Log("foo")
+			}
+			tmp := PromptPassword
+			t.Cleanup(func() { PromptPassword = tmp })
 			PromptPassword = tt.args.passwordPrompter
+
 			got, err := Decrypt(tt.args.data, tt.args.opts...)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("Decrypt() error = %v, wantErr %v", err, tt.wantErr)
diff --git a/jose/options.go b/jose/options.go
@@ -12,6 +12,7 @@ type context struct {
 	password         []byte
 	passwordPrompt   string
 	passwordPrompter PasswordPrompter
+	contentType      string
 }
 
 // apply the options to the context and returns an error if one of the options
@@ -22,9 +23,6 @@ func (ctx *context) apply(opts ...Option) (*context, error) {
 			return nil, err
 		}
 	}
-	if ctx.filename == "" {
-		ctx.filename = "key"
-	}
 	return ctx, nil
 }
 
@@ -117,3 +115,11 @@ func WithPasswordPrompter(prompt string, fn PasswordPrompter) Option {
 		return nil
 	}
 }
+
+// WithContentType adds the content type when encrypting data.
+func WithContentType(cty string) Option {
+	return func(ctx *context) error {
+		ctx.contentType = cty
+		return nil
+	}
+}
diff --git a/jose/parse.go b/jose/parse.go
@@ -73,6 +73,9 @@ func ParseKey(b []byte, opts ...Option) (*JSONWebKey, error) {
 	if err != nil {
 		return nil, err
 	}
+	if ctx.filename == "" {
+		ctx.filename = "key"
+	}
 
 	jwk := new(JSONWebKey)
 	switch guessKeyType(ctx, b) {
diff --git a/jose/parse_test.go b/jose/parse_test.go
@@ -371,6 +371,54 @@ func TestParseKey(t *testing.T) {
 	}
 }
 
+func TestParseKeyPemutilPromptPassword(t *testing.T) {
+	pemKey, err := pemutil.Read("../pemutil/testdata/pkcs8/openssl.ed25519.pem")
+	assert.FatalError(t, err)
+
+	pemBytes, err := os.ReadFile("../pemutil/testdata/pkcs8/openssl.ed25519.enc.pem")
+	assert.FatalError(t, err)
+
+	tmp0 := pemutil.PromptPassword
+	tmp1 := PromptPassword
+	t.Cleanup(func() {
+		pemutil.PromptPassword = tmp0
+		PromptPassword = tmp1
+	})
+
+	tests := []struct {
+		name           string
+		promptPassword PasswordPrompter
+		want           *JSONWebKey
+		wantErr        bool
+	}{
+		{"ok", func(s string) ([]byte, error) {
+			return []byte("mypassword"), nil
+		}, &JSONWebKey{
+			Key:       pemKey,
+			KeyID:     "vEk4UARa85PrW0eea2zeVLqGBF-n5Jzd9GVmKAc0AHQ",
+			Algorithm: "EdDSA",
+		}, false},
+		{"fail", func(s string) ([]byte, error) {
+			return []byte("not-mypassword"), nil
+		}, nil, true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			PromptPassword = tt.promptPassword
+			pemutil.PromptPassword = nil
+			got, err := ParseKey(pemBytes)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ParseKey() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("ParseKey() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
 func TestReadKeySet(t *testing.T) {
 	jwk, err := ReadKeySet("testdata/jwks.json", WithKid("qiCJG7r2L80rmWRrZMPfpanQHmZRcncOG7A7MBWn9qM"))
 	assert.NoError(t, err)

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ type context struct {`
`12`	`12`	`password []byte`
`13`	`13`	`passwordPrompt string`
`14`	`14`	`passwordPrompter PasswordPrompter`
	`15`	`+ contentType string`
`15`	`16`	`}`
`16`	`17`
`17`	`18`	`// apply the options to the context and returns an error if one of the options`
`@@ -22,9 +23,6 @@ func (ctx context) apply(opts ...Option) (context, error) {`
`22`	`23`	`return nil, err`
`23`	`24`	`}`
`24`	`25`	`}`
`25`		`- if ctx.filename == "" {`
`26`		`- ctx.filename = "key"`
`27`		`- }`
`28`	`26`	`return ctx, nil`
`29`	`27`	`}`
`30`	`28`
`@@ -117,3 +115,11 @@ func WithPasswordPrompter(prompt string, fn PasswordPrompter) Option {`
`117`	`115`	`return nil`
`118`	`116`	`}`
`119`	`117`	`}`
	`118`	`+`
	`119`	`+// WithContentType adds the content type when encrypting data.`
	`120`	`+func WithContentType(cty string) Option {`
	`121`	`+ return func(ctx *context) error {`
	`122`	`+ ctx.contentType = cty`
	`123`	`+ return nil`
	`124`	`+ }`
	`125`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,9 @@ func ParseKey(b []byte, opts ...Option) (*JSONWebKey, error) {`
`73`	`73`	`if err != nil {`
`74`	`74`	`return nil, err`
`75`	`75`	`}`
	`76`	`+ if ctx.filename == "" {`
	`77`	`+ ctx.filename = "key"`
	`78`	`+ }`
`76`	`79`
`77`	`80`	`jwk := new(JSONWebKey)`
`78`	`81`	`switch guessKeyType(ctx, b) {`