Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow base64 encoded bytes as argument to --secret #144

Merged
merged 6 commits into from
Sep 28, 2021
Merged

Allow base64 encoded bytes as argument to --secret #144

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8993ce9
add support for base64-encoded secret string
ceharris Sep 16, 2021
5cacc1a
add test for base64 secret
ceharris Sep 16, 2021
1365df3
format test case
ceharris Sep 16, 2021
a1a34d1
rework to use b64: prefix to distinguish base-64 encoded bytes
ceharris Sep 17, 2021
fe006e5
remove extraneous borrow op
ceharris Sep 17, 2021
dadde35
use format macro to construct base64 args in test
ceharris Sep 21, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,4 @@ serde_json = "1"
chrono = "0.4"
parse_duration = "2.1.1"
atty = "0.2"
base64 = "0.13.0"
14 changes: 12 additions & 2 deletions src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
use atty::Stream;
use base64::decode as base64_decode;
use chrono::{TimeZone, Utc};
use clap::{arg_enum, crate_authors, crate_version, App, Arg, ArgMatches, SubCommand};
use jsonwebtoken::errors::{ErrorKind, Result as JWTResult};
Expand Down Expand Up @@ -237,7 +238,7 @@ fn config_options<'a, 'b>() -> App<'a, 'b> {
.long("no-iat")
).arg(
Arg::with_name("secret")
.help("the secret to sign the JWT with. Can be prefixed with @ to read from a binary file")
.help("the secret to sign the JWT with. Prefix with @ to read from a file or b64: to use base-64 encoded bytes")
.takes_value(true)
.long("secret")
.short("S")
Expand Down Expand Up @@ -266,7 +267,7 @@ fn config_options<'a, 'b>() -> App<'a, 'b> {
.long("iso8601")
).arg(
Arg::with_name("secret")
.help("the secret to validate the JWT with. Can be prefixed with @ to read from a binary file")
.help("the secret to validate the JWT with. Prefix with @ to read from a file or b64: to use base-64 encoded bytes")
.takes_value(true)
.long("secret")
.short("S")
Expand Down Expand Up @@ -345,6 +346,10 @@ fn encoding_key_from_secret(alg: &Algorithm, secret_string: &str) -> JWTResult<E
if secret_string.starts_with('@') {
let secret = slurp_file(&secret_string.chars().skip(1).collect::<String>());
Ok(EncodingKey::from_secret(&secret))
} else if secret_string.starts_with("b64:") {
Ok(EncodingKey::from_secret(
&base64_decode(&secret_string.chars().skip(4).collect::<String>()).unwrap(),
))
} else {
Ok(EncodingKey::from_secret(secret_string.as_bytes()))
}
Expand Down Expand Up @@ -382,6 +387,11 @@ fn decoding_key_from_secret(
if secret_string.starts_with('@') {
let secret = slurp_file(&secret_string.chars().skip(1).collect::<String>());
Ok(DecodingKey::from_secret(&secret).into_static())
} else if secret_string.starts_with("b64:") {
Ok(DecodingKey::from_secret(
&base64_decode(&secret_string.chars().skip(4).collect::<String>()).unwrap(),
)
.into_static())
} else {
Ok(DecodingKey::from_secret(secret_string.as_bytes()).into_static())
}
Expand Down
21 changes: 21 additions & 0 deletions tests/jwt-cli.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ mod tests {
encoding_key_from_secret, is_payload_item, is_timestamp_or_duration, translate_algorithm,
OutputFormat, Payload, PayloadItem, SupportedAlgorithms,
};
use base64::decode as base64_decode;
use chrono::{Duration, TimeZone, Utc};
use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, TokenData};
use serde_json::{from_value, json};
Expand Down Expand Up @@ -662,13 +663,33 @@ mod tests {
assert_eq!(expected, key);
}

#[test]
fn encoding_key_from_secret_handles_base64() {
let b64 = "+t0vs/PPB0dvyYKIk1DYvz5WyCUds5DLy07ycOK5oHA=";
let mut arg: String = "b64:".to_owned();
arg.push_str(b64);
ceharris marked this conversation as resolved.
Show resolved Hide resolved
let expected = EncodingKey::from_secret(&base64_decode(b64).unwrap());
let key = encoding_key_from_secret(&Algorithm::HS256, &arg).unwrap();
assert_eq!(expected, key);
}

#[test]
fn decoding_key_from_secret_handles_at() {
let expected = DecodingKey::from_secret(include_bytes!("hmac-key.bin"));
let key = decoding_key_from_secret(&Algorithm::HS256, "@./tests/hmac-key.bin").unwrap();
assert_eq!(expected, key);
}

#[test]
fn decoding_key_from_secret_handles_base64() {
let b64 = "+t0vs/PPB0dvyYKIk1DYvz5WyCUds5DLy07ycOK5oHA=";
let mut arg: String = "b64:".to_owned();
ceharris marked this conversation as resolved.
Show resolved Hide resolved
arg.push_str(b64);
let expected = DecodingKey::from_secret(&base64_decode(b64).unwrap()).into_static();
let key = decoding_key_from_secret(&Algorithm::HS256, &arg).unwrap();
assert_eq!(expected, key);
}

#[test]
fn encodes_and_decodes_an_rsa_ssa_pss_token_using_key_from_file() {
let body: String = "{\"field\":\"value\"}".to_string();
Expand Down