smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

JWT signing with ed25519 key fails when using ssh-agent #1207

Closed andsens closed 2 weeks ago

andsens commented 3 weeks ago

When running `step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_ed25519 --key=sshagentkms:id_ed25519` (where id_ed25519 is an ed25519 key loaded into the ssh-agent) step-kms-plugin fails with

error creating JWT signer: go-jose/go-jose: unknown/unsupported algorithm

However, RSA keys work, and so does going through step directly with raw ed25519 keyfiles.

I have created a containerized reproduce that demonstrates the problem:

Here's the full reproduce. Run with `docker build --tag step-kms-repro . && docker run step-kms-repro`:

```
FROM smallstep/step-kms-plugin:0.11.3
USER root
RUN apk add --no-cache openssh-client
RUN printf secret>pw
RUN step ca init --name test --dns localhost --deployment-type=standalone --address localhost:9000 --provisioner admin-ssh --provisioner-password-file pw --password-file pw --no-db
RUN ssh-keygen -t ed25519 -C id_ed25519 -f id_ed25519 -N ""
RUN ssh-keygen -t rsa -C id_rsa -f id_rsa -N ""
ENTRYPOINT ["/usr/bin/env", "bash", "-c"]
CMD [" \
  eval $(ssh-agent); \
  ssh-add id_ed25519; \
  ssh-add id_rsa; \
  step crypto key format --out=id_ed25519.pem --pem --no-password --insecure id_ed25519; \
  step crypto key format --out=id_rsa.pem --pem --no-password --insecure id_rsa; \
  echo; \
  echo 'Signing with id_ed25519.pem directly (succeeds):'; \
  step ca token system:admin --offline --provisioner admin-ssh --key=id_ed25519.pem --provisioner-password-file pw --password-file pw; \
  echo; \
  echo 'Signing with id_rsa through ssh-agent (succeeds):'; \
  step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_rsa --key=sshagentkms:id_rsa --provisioner-password-file pw --password-file pw; \
  echo; \
  echo 'Signing with id_ed25519 through ssh-agent (fails):'; \
  step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_ed25519 --key=sshagentkms:id_ed25519 --provisioner-password-file pw --password-file pw \
"]
```

Output:

```
Agent pid 8
Identity added: id_ed25519 (id_ed25519)
Identity added: id_rsa (id_rsa)
Your key has been saved in id_ed25519.pem.
Your key has been saved in id_rsa.pem.

Signing with id_ed25519.pem directly (succeeds):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
eyJhbGciOiJFZERTQSIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC9zaWduIiwiZXhwIjoxNzE4NTUxOTg4LCJpYXQiOjE3MTg1NTE2ODgsImlzcyI6ImFkbWluLXNzaCIsImp0aSI6ImJkNjZhODJlZjBlZTg0ZTljZjdjOTczNjRjNDAxOTYxYzRhNzVkMGIzNzRmN2ZhZDUzMGJhZjBiNDgyNzdhZjQiLCJuYmYiOjE3MTg1NTE2ODgsInNhbnMiOlsic3lzdGVtOmFkbWluIl0sInNoYSI6IjZlOTNhZWJhMjcwNTQ0MDE2M2EzMTA2MDY4ZDdiNThiMjdmNzM3MTYzMjY1N2VjNGJkNzNiYTY1MzAwMmFmNTMiLCJzdWIiOiJzeXN0ZW06YWRtaW4ifQ.XHOpg8nN9fzH5ObZ5nGddC7s06fbMeILyvdlYg4WOdb_QzgapDej8LIoZRWyxD0RcpmYneNZpJfQqxVoZbtxDw

Signing with id_rsa through ssh-agent (succeeds):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
eyJhbGciOiJSUzI1NiIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC9zaWduIiwiZXhwIjoxNzE4NTUxOTg4LCJpYXQiOjE3MTg1NTE2ODgsImlzcyI6ImFkbWluLXNzaCIsImp0aSI6ImNlMTgxNjhlYWFlNGIxY2Y4MDkyZGU4ZWYzMTMxOGFmMTlmMGFkY2VkMTdiN2NmNzY3NDRjZGQyMjQwOTVlYTIiLCJuYmYiOjE3MTg1NTE2ODgsInNhbnMiOlsic3lzdGVtOmFkbWluIl0sInNoYSI6IjZlOTNhZWJhMjcwNTQ0MDE2M2EzMTA2MDY4ZDdiNThiMjdmNzM3MTYzMjY1N2VjNGJkNzNiYTY1MzAwMmFmNTMiLCJzdWIiOiJzeXN0ZW06YWRtaW4ifQ.my9ZvesURDCxH8U4aXareg00qcIbOmz4MZ2K3VKSQ-P0v_Eiz2N7am3J6ojnKyOVaSBa3l7nPA5V52EFAw3WNu256Nh7VODRqvihT9EfLtukEbVWntt4Tmhszx9IaNFgi3UjevYqOX1LcSXCod62HQ8OM363j2VgU2AoiehGE2wpHsRRO0k-OwPc7r2x3M4aJb9SlWs9aLa6_RnKh6mynd8jscjCPUkcf3QiSNuww1kHD-AWa1aQszaPCa-7-R7FfTVwXE68u7FVIf0MKrbCgIMpp9heZxz1eBhL8Ll7w6OHHHuG-NCgUJGet48c_bucOdV4PO7p0hck3jTybpg5NbQXkYNyD_ATqfwFq9vs_B67RPkhND2DIzMfQOw9G8yaIPsBoqC_8gu-HAAaVEGAjbcDzKn4VkbUm2p9CNrwkNT1_OPbqhVM3F-ea21VoW8E5zY65zvNrcimOiZmq1UutJZclJfUrq0andeSDKk9gyUI6_2Rfdeh0HTzJupjLbVX

Signing with id_ed25519 through ssh-agent (fails):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
error creating JWT signer: go-jose/go-jose: unknown/unsupported algorithm
```

The use-case is for an automated setup of a PKI where trust is established by providing an SSH pubkey which is converted and added as a JWK provisioner.
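An added, stdlib-only Go sketch (not code from the issue, from step or from step-kms-plugin, and go-jose is not used) of the step a JWT signer must take before it can sign: pick the JOSE `alg` from the type the signer's `Public()` returns, which is the point at which a signer whose key type is not recognised ends in an "unknown/unsupported algorithm" error, while a recognised Ed25519 key gets `EdDSA` and an RSA key gets `RS256`. It also decodes the protected header copied from the successful direct-PEM run above, a quick check of which alg a token was actually signed with. Function and constant names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Protected-header segment copied from the issue's output (the direct-PEM Ed25519 run).
const PageEdDSAHeader = "eyJhbGciOiJFZERTQSIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ"

// JoseAlgFor picks the JWS alg from the type a signer's Public() returns; any other type ends in the error the issue shows.
func JoseAlgFor(s crypto.Signer) (string, error) {
	switch pub := s.Public().(type) {
	case ed25519.PublicKey:
		return "EdDSA", nil
	case *rsa.PublicKey:
		return "RS256", nil
	default:
		return "", fmt.Errorf("unknown/unsupported algorithm for key type %T", pub)
	}
}

// ParseHeader base64url-decodes the protected header of a compact JWS/JWT.
func ParseHeader(token string) (h map[string]string, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.SplitN(token, ".", 2)[0])
	if err == nil {
		err = json.Unmarshal(raw, &h)
	}
	return h, err
}

// SignJWT builds header.payload.signature; only EdDSA signing is wired up here.
func SignJWT(s crypto.Signer, claims map[string]any) (string, error) {
	alg, err := JoseAlgFor(s)
	if err != nil || alg != "EdDSA" {
		return "", fmt.Errorf("cannot sign with alg %q: %v", alg, err)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	pl, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	// Pure Ed25519 signs the raw signing input, so no prehash: crypto.Hash(0).
	sig, err := s.Sign(rand.Reader, []byte(input), crypto.Hash(0))
	return input + "." + enc.EncodeToString(sig), err // caller must check err
}
```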

maraino commented 2 weeks ago

Hi @andsens. The linked PR has the typo that caused this issue. It will be merged to master soon.