Merge pull request #25 from sergio-correia/trim-input

nullr0ute · web-flow · commit ed953966e368 · 2024-05-02T11:02:07.000+01:00
fix: trim base64 input before attempting decryption
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -56,6 +56,8 @@ jobs:
       - name: Run integration tests
         run: |
             TCTI=swtpm: SKIP_CLEVIS=true cargo test -- --nocapture
+            echo "### Shell integration tests" >&2
+            TCTI=swtpm: SKIP_CLEVIS=true ./tests/integration-test.sh
       - name: Run policy tests
         run: |
             TCTI=swtpm: ./tests/test_policy
diff --git a/src/main.rs b/src/main.rs
@@ -177,7 +177,10 @@ struct ClevisInner {
 }
 
 fn perform_decrypt(input: Vec<u8>) -> Result<()> {
-    let input = String::from_utf8(input).context("Error reading input")?;
+    let input = String::from_utf8(input)
+        .context("Error reading input")?
+        .trim()
+        .to_string();
     let hdr = josekit::jwt::decode_header(&input).context("Error decoding header")?;
     let hdr_clevis = hdr.claim("clevis").context("Error getting clevis claim")?;
     let hdr_clevis: ClevisInner =
diff --git a/tests/integration-test.sh b/tests/integration-test.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+die() {
+    echo "ERROR: ${1}" >&2
+    exit 1
+}
+
+PLAINTEXT=foobar
+jwe="$(echo "${PLAINTEXT}" | ./target/debug/clevis-pin-tpm2 encrypt {})"
+
+dec="$(echo "$jwe" | ./target/debug/clevis-pin-tpm2 decrypt)" \
+    || die "Unable to decrypt JWE passed with newline added"
+
+[ "${dec}" = "${PLAINTEXT}" ] \
+    || die "Decrypted JWE (${dec}) does not match PLAINTEXT (${PLAINTEXT})"
