
JWT signing with ed25519 key fails when using ssh-agent #1207

Closed
andsens opened this issue Jun 16, 2024 · 1 comment · Fixed by #1208
andsens commented Jun 16, 2024

When running `step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_ed25519 --key=sshagentkms:id_ed25519` (where id_ed25519 is an ed25519 key loaded into the ssh-agent) step-kms-plugin fails with

error creating JWT signer: go-jose/go-jose: unknown/unsupported algorithm

However, RSA keys work, and so does going through step directly with raw ed25519 keyfiles.

I have created a containerized reproduce that demonstrates the problem:

Here's the full reproduce

Run with docker build --tag step-kms-repro . && docker run step-kms-repro

```dockerfile
FROM smallstep/step-kms-plugin:0.11.3
USER root
RUN apk add --no-cache openssh-client
RUN printf secret>pw
RUN step ca init --name test --dns localhost --deployment-type=standalone --address localhost:9000 --provisioner admin-ssh --provisioner-password-file pw --password-file pw --no-db
RUN ssh-keygen -t ed25519 -C id_ed25519 -f id_ed25519 -N ""
RUN ssh-keygen -t rsa -C id_rsa -f id_rsa -N ""

ENTRYPOINT ["/usr/bin/env", "bash", "-c"]
CMD [" \
  eval $(ssh-agent); \
  ssh-add id_ed25519; \
  ssh-add id_rsa; \
  step crypto key format --out=id_ed25519.pem --pem --no-password --insecure id_ed25519; \
  step crypto key format --out=id_rsa.pem --pem --no-password --insecure id_rsa; \
  echo; \
  echo 'Signing with id_ed25519.pem directly (succeeds):'; \
  step ca token system:admin --offline --provisioner admin-ssh --key=id_ed25519.pem --provisioner-password-file pw --password-file pw; \
  echo; \
  echo 'Signing with id_rsa through ssh-agent (succeeds):'; \
  step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_rsa --key=sshagentkms:id_rsa --provisioner-password-file pw --password-file pw; \
  echo; \
  echo 'Signing with id_ed25519 through ssh-agent (fails):'; \
  step ca token system:admin --offline --provisioner admin-ssh --kms=sshagentkms:id_ed25519 --key=sshagentkms:id_ed25519 --provisioner-password-file pw --password-file pw \
"]
```
Output

```text
Agent pid 8
Identity added: id_ed25519 (id_ed25519)
Identity added: id_rsa (id_rsa)
Your key has been saved in id_ed25519.pem.
Your key has been saved in id_rsa.pem.

Signing with id_ed25519.pem directly (succeeds):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
eyJhbGciOiJFZERTQSIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC9zaWduIiwiZXhwIjoxNzE4NTUxOTg4LCJpYXQiOjE3MTg1NTE2ODgsImlzcyI6ImFkbWluLXNzaCIsImp0aSI6ImJkNjZhODJlZjBlZTg0ZTljZjdjOTczNjRjNDAxOTYxYzRhNzVkMGIzNzRmN2ZhZDUzMGJhZjBiNDgyNzdhZjQiLCJuYmYiOjE3MTg1NTE2ODgsInNhbnMiOlsic3lzdGVtOmFkbWluIl0sInNoYSI6IjZlOTNhZWJhMjcwNTQ0MDE2M2EzMTA2MDY4ZDdiNThiMjdmNzM3MTYzMjY1N2VjNGJkNzNiYTY1MzAwMmFmNTMiLCJzdWIiOiJzeXN0ZW06YWRtaW4ifQ.XHOpg8nN9fzH5ObZ5nGddC7s06fbMeILyvdlYg4WOdb_QzgapDej8LIoZRWyxD0RcpmYneNZpJfQqxVoZbtxDw

Signing with id_rsa through ssh-agent (succeeds):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
eyJhbGciOiJSUzI1NiIsImtpZCI6IlkwRHkwX3RTVFBBTW1wd05GaFVsNFlmZGxUNmVfaTdhWTlSWlFQV0NrMzAiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL2xvY2FsaG9zdC9zaWduIiwiZXhwIjoxNzE4NTUxOTg4LCJpYXQiOjE3MTg1NTE2ODgsImlzcyI6ImFkbWluLXNzaCIsImp0aSI6ImNlMTgxNjhlYWFlNGIxY2Y4MDkyZGU4ZWYzMTMxOGFmMTlmMGFkY2VkMTdiN2NmNzY3NDRjZGQyMjQwOTVlYTIiLCJuYmYiOjE3MTg1NTE2ODgsInNhbnMiOlsic3lzdGVtOmFkbWluIl0sInNoYSI6IjZlOTNhZWJhMjcwNTQ0MDE2M2EzMTA2MDY4ZDdiNThiMjdmNzM3MTYzMjY1N2VjNGJkNzNiYTY1MzAwMmFmNTMiLCJzdWIiOiJzeXN0ZW06YWRtaW4ifQ.my9ZvesURDCxH8U4aXareg00qcIbOmz4MZ2K3VKSQ-P0v_Eiz2N7am3J6ojnKyOVaSBa3l7nPA5V52EFAw3WNu256Nh7VODRqvihT9EfLtukEbVWntt4Tmhszx9IaNFgi3UjevYqOX1LcSXCod62HQ8OM363j2VgU2AoiehGE2wpHsRRO0k-OwPc7r2x3M4aJb9SlWs9aLa6_RnKh6mynd8jscjCPUkcf3QiSNuww1kHD-AWa1aQszaPCa-7-R7FfTVwXE68u7FVIf0MKrbCgIMpp9heZxz1eBhL8Ll7w6OHHHuG-NCgUJGet48c_bucOdV4PO7p0hck3jTybpg5NbQXkYNyD_ATqfwFq9vs_B67RPkhND2DIzMfQOw9G8yaIPsBoqC_8gu-HAAaVEGAjbcDzKn4VkbUm2p9CNrwkNT1_OPbqhVM3F-ea21VoW8E5zY65zvNrcimOiZmq1UutJZclJfUrq0andeSDKk9gyUI6_2Rfdeh0HTzJupjLbVX

Signing with id_ed25519 through ssh-agent (fails):
✔ Provisioner: admin-ssh (JWK) [kid: Y0Dy0_tSTPAMmpwNFhUl4YfdlT6e_i7aY9RZQPWCk30]
error creating JWT signer: go-jose/go-jose: unknown/unsupported algorithm
```

The use-case is for an automated setup of a PKI where trust is established by providing an SSH pubkey which is converted and added as a JWK provisioner.

@maraino maraino transferred this issue from smallstep/step-kms-plugin Jun 18, 2024
maraino (Collaborator) commented Jun 18, 2024

Hi @andsens. The linked PR has the typo that caused this issue. It will be merged to master soon.

@hslatman hslatman added this to the v0.26.3 milestone Jun 20, 2024