cdh: use b64url encoding in sealed-secrets JWS

The payload of the JWS should be encoded/decoded with b64url and no padding. Signed-off-by: Magnus Kulke <[email protected]>
confidential-containers · Nov 8, 2024 · 727d1c5 · 727d1c5
1 parent 0841ff3
commit 727d1c5
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 3 deletions.
diff --git a/confidential-data-hub/secret/src/secret/mod.rs b/confidential-data-hub/secret/src/secret/mod.rs
@@ -5,7 +5,7 @@
 
 pub mod layout;
 
-use base64::{engine::general_purpose::STANDARD, Engine};
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD as b64, Engine};
 use serde::{Deserialize, Serialize};
 
 use self::layout::{envelope::EnvelopeSecret, vault::VaultSecret};
@@ -49,7 +49,7 @@ impl Secret {
             return Err(SecretError::ParseFailed("malformed input sealed secret"));
         }
 
-        let secret_json = STANDARD
+        let secret_json = b64
             .decode(sections[2])
             .map_err(|_| SecretError::ParseFailed("base64 decode Secret body"))?;
 
@@ -67,7 +67,7 @@ impl Secret {
         let secret_json = serde_json::to_string(&self)
             .map_err(|_| SecretError::ParseFailed("JSON serialization failed"))?;
 
-        let secret_base64 = STANDARD.encode(secret_json);
+        let secret_base64 = b64.encode(secret_json);
 
         let secret_string = format!("sealed.fakejwsheader.{}.fakesignature", secret_base64);
 
@@ -111,6 +111,15 @@ mod tests {
             name: "xxx".into(),
         }),
     })]
+    #[case(include_str!("../../tests/vault-2.json"), Secret {
+        version: "0.1.0".into(),
+        r#type: SecretContent::Vault(VaultSecret {
+            provider: "kbs".into(),
+            provider_settings: ProviderSettings::default(),
+            annotations: Annotations::default(),
+            name: "kbs:///one/2/trois".into(),
+        }),
+    })]
     fn serialize_deserialize(#[case] secret_json: &str, #[case] secret_object: Secret) {
         let serialized = serde_json::to_string_pretty(&secret_object).expect("serialize failed");
         assert_json_eq!(secret_json, serialized);
@@ -127,4 +136,23 @@ mod tests {
 
         assert_eq!(secret_from_string, secret_object);
     }
+
+    #[rstest]
+    fn test_no_padding(#[values(0, 1, 2, 3)] name_size: usize) {
+        let name = "0".repeat(name_size);
+
+        let secret = Secret {
+            version: "0.1.0".into(),
+            r#type: SecretContent::Vault(VaultSecret {
+                provider: "kbs".into(),
+                provider_settings: ProviderSettings::default(),
+                annotations: Annotations::default(),
+                name,
+            }),
+        };
+
+        let serialized = serde_json::to_string_pretty(&secret).unwrap();
+
+        assert!(!serialized.contains("="));
+    }
 }
diff --git a/confidential-data-hub/secret/tests/vault-2.json b/confidential-data-hub/secret/tests/vault-2.json
@@ -0,0 +1,8 @@
+{
+  "version": "0.1.0",
+  "type": "vault",
+  "name": "kbs:///one/2/trois",
+  "provider": "kbs",
+  "provider_settings": {},
+  "annotations": {}
+}