From 3aeb42c352f2fdc3a69be065d48b32008f3a652b Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 22 Jun 2026 11:16:15 -0500 Subject: [PATCH] jwe encrypt: add --password-file flag for PBES2 step crypto jwe decrypt already accepts --password-file, but the matching encrypt command did not, so encrypting with a PBES2 (password-based) algorithm could only read the password interactively from the TTY. This made automation impossible. Mirror decrypt: add the --password-file flag and seed the password prompt from the file via ui.WithValue when it is set, falling back to the interactive prompt otherwise. Co-Authored-By: Claude Opus 4.8 (1M context) --- command/crypto/jwe/encrypt.go | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/command/crypto/jwe/encrypt.go b/command/crypto/jwe/encrypt.go index a5e73beb2..5f05fcd2f 100644 --- a/command/crypto/jwe/encrypt.go +++ b/command/crypto/jwe/encrypt.go @@ -22,7 +22,8 @@ func encryptCommand() cli.Command { Usage: "encrypt a payload using JSON Web Encryption (JWE)", UsageText: `**step crypto jwe encrypt** [**--alg**=] [**--enc**=] -[**--key**=] [**--jwks**=] [**--kid**=]`, +[**--key**=] [**--jwks**=] [**--kid**=] +[**--password-file**=]`, Description: `**step crypto jwe encrypt** encrypts a payload using JSON Web Encryption (JWE). By default, the payload to encrypt is read from STDIN and the JWE data structure will be written to STDOUT. @@ -150,6 +151,10 @@ applications where more than one JWE payload type may be present. This parameter is ignored by JWE implementations, but may be processed by applications that use JWE.`, }, + cli.StringFlag{ + Name: "password-file", + Usage: `The path to the containing the password to encrypt the keys.`, + }, flags.SubtleHidden, }, } @@ -187,6 +192,7 @@ func encryptAction(ctx *cli.Context) error { kid := ctx.String("kid") typ := ctx.String("typ") cty := ctx.String("cty") + passwordFile := ctx.String("password-file") isSubtle := ctx.Bool("subtle") switch { 
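Review bot: The Usage string for the new `password-file` flag in the second hunk reads `The path to the  containing the password to encrypt the keys.` — the noun after "the" is missing (possibly a `<file>` placeholder lost in rendering, the same way the `[**--alg**=]` placeholders in the first hunk appear stripped; worth confirming against the source), and "encrypt the keys" looks carried over from the decrypt command, whereas here the password protects the content encryption key, as the prompt text in the last hunk says. Since `passwordFile` is only consulted under the PBES2 case, the help text should also state that. Suggested wording: "The path to the <file> containing the password to encrypt the content encryption key. Only used with a PBES2 **--alg**."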
@@ -224,7 +230,17 @@ func encryptAction(ctx *cli.Context) error {
 	case jwks != "":
 		jwk, err = jose.ReadKeySet(jwks, options...)
 	case isPBES2:
-		pbes2Key, err = ui.PromptPassword("Please enter the password to encrypt the content encryption key")
+		var password string
+		if passwordFile != "" {
+			password, err = utils.ReadStringPasswordFromFile(passwordFile)
+			if err != nil {
+				return err
+			}
+		}
+		pbes2Key, err =
+			ui.PromptPassword(
+				"Please enter the password to encrypt the content encryption key",
+				ui.WithValue(password))
 	default:
 		return errs.RequiredOrFlag(ctx, "key", "jwks")
 	}
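Review bot: The `return err` after `utils.ReadStringPasswordFromFile(passwordFile)` drops the file name, so a missing or unreadable password file surfaces as a bare OS error; wrapping it as `return errs.FileError(err, passwordFile)` matches the command's other `errs.*` returns and tells the operator which path failed. Separately, if `ui.WithValue` only bypasses the prompt for a non-empty value (which is presumably how the "falling back to the interactive prompt" in the commit message works), an empty or whitespace-only password file silently drops back to the TTY prompt — in the automation scenario this commit targets that is a hang or a confusing failure far from the real cause, so consider rejecting an empty value read from the file explicitly. Note too that `passwordFile` is only read inside `case isPBES2`, so `--password-file` combined with a non-PBES2 algorithm is ignored without any diagnostic. encryptAction continues outside the hunk, presumably including the `err` check after the switch.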