crypto: use actual bytes of shared secret, not the base64 encoded representation (#2075)

* crypto: use actual bytes of shared secret, not the base64 encoded representation * return errors * return errors
2025-08-02 16:30:17 +02:00 · 2021-04-08 20:04:01 -06:00 · 2021-04-08 20:04:01 -06:00 · 6d1d2bec54
commit 6d1d2bec54
parent 7a04b16163
7 changed files with 71 additions and 26 deletions
--- a/proxy/state.go
+++ b/proxy/state.go
@ -44,12 +44,23 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	}

 	state := new(proxyState)
-	state.sharedKey = []byte(cfg.Options.SharedKey)
-	state.sharedCipher, _ = cryptutil.NewAEADCipherFromBase64(cfg.Options.SharedKey)
-	state.cookieSecret, _ = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret)
+	state.sharedKey, err = base64.StdEncoding.DecodeString(cfg.Options.SharedKey)
+	if err != nil {
+		return nil, err
+	}
+
+	state.sharedCipher, err = cryptutil.NewAEADCipherFromBase64(cfg.Options.SharedKey)
+	if err != nil {
+		return nil, err
+	}
+
+	state.cookieSecret, err = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret)
+	if err != nil {
+		return nil, err
+	}

 	// used to load and verify JWT tokens signed by the authenticate service
-	state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey))
+	state.encoder, err = jws.NewHS256Signer(state.sharedKey)
 	if err != nil {
 		return nil, err
 	}
@ -62,6 +73,7 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	if err != nil {
 		return nil, err
 	}
+
 	state.authenticateDashboardURL = state.authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
 	state.authenticateSigninURL = state.authenticateURL.ResolveReference(&url.URL{Path: signinURL})
 	state.authenticateRefreshURL = state.authenticateURL.ResolveReference(&url.URL{Path: refreshURL})