Treat content of encryption_file as hex-encoded

V02460 · V02460 · commit b3682a9233a3 · 2025-06-04T11:43:05.000+02:00
Signed-off-by: Kai A. Hiller &lt;git@kaialexhiller.de&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/config/Cargo.toml b/crates/config/Cargo.toml
@@ -19,6 +19,7 @@ anyhow.workspace = true
 camino = { workspace = true, features = ["serde1"] }
 chrono.workspace = true
 figment.workspace = true
+hex.workspace = true
 ipnetwork = { version = "0.20.0", features = ["serde", "schemars"] }
 lettre.workspace = true
 schemars.workspace = true
diff --git a/crates/config/src/sections/secrets.rs b/crates/config/src/sections/secrets.rs
@@ -6,8 +6,9 @@
 
 use std::borrow::Cow;
 
-use anyhow::{Context, anyhow, bail};
+use anyhow::{Context, bail};
 use camino::Utf8PathBuf;
+use hex;
 use mas_jose::jwk::{JsonWebKey, JsonWebKeySet};
 use mas_keystore::{Encrypter, Keystore, PrivateKey};
 use rand::{
@@ -185,9 +186,15 @@ impl SecretsConfig {
         // Read the encryption secret either embedded in the config file or on disk
         match self.encryption {
             Encryption::Value(encryption) => Ok(encryption),
-            Encryption::File(ref path) => tokio::fs::read(path).await?.try_into().map_err(|_| {
-                anyhow!("Content of `encryption_file` must be exactly 32 bytes long.")
-            }),
+            Encryption::File(ref path) => {
+                let mut bytes = [0; 32];
+                let content = tokio::fs::read(path).await?;
+                hex::decode_to_slice(content, &mut bytes).context(
+                    "Content of `encryption_file` must contain hex characters \
+                    encoding exactly 32 bytes",
+                )?;
+                Ok(bytes)
+            }
         }
     }
 }
