Request: example of generating token & json for authsign api #460

Open
hinman opened this issue Dec 11, 2015 · 7 comments

@hinman

hinman commented Dec 11, 2015

Would it be possible to add an example of generating json for an authsign request? Specifically an example of a key, the json for certificate_request, the json containing the token and request.

That would make it a lot easier for people to write perl/ruby/python scripts to generate a CSR on a host and then get it authsigned by cfssl.

@grittygrease
Contributor

ping @kisom @anniephan

@anniephan
Contributor

Ah, yes, updating the docs would be a good idea. I'll put in a proposal for that.

This is a test for the Authsign API endpoint.

Basically, using authsign involves combining an auth key (randomly generated -- I used `open('/dev/random').read(32).encode('hex')`) with a cert signing request (example here) to create an auth token -- the token is the HMAC-SHA256 of the serialised request. This auth token and the original cert signing request are base64'ed into the full json request to authsign here.

The auth key is also specified with the remote signer in cfssl serve's config file (example here).

@RobHumphris

I've taken @anniephan's steps and attempted to convert them so that I can use them with our nodejs application:

```js
var https = require('http');
var fs = require('fs');
var crypto = require("crypto");

// ...
fs.readFile('authsignRequest.json', (err, csr) => {
    // Check the read error before touching the file contents.
    if (err) throw err;
    // authKeyHex stands for the correct hex key string (defined elsewhere).
    // Buffer.from replaces the deprecated new Buffer() constructor.
    var keyBytes = Buffer.from(authKeyHex, "hex");

    var json = {
        token: crypto.createHmac("sha256", keyBytes) // use key
            .update(csr) // combine with cert signing request
            .digest("base64"), // HMAC-SHA256 to base64
        request: csr.toString('base64') // cert signing request to base64
    };

    // postRequest is the application's own HTTP helper (not shown).
    postRequest(json, (response) => {
        // do something with the certificate response
    });
});
// ...
```

It took a bit of time to understand the Go script, but it worked and I got a certificate. I'll be handing it on to the Devs to make it "Production Grade", but I hope it helps people as an example.

Thanks for making this project Open Source, it's a great piece of work.

kisom added this to the Release 1.2 milestone Feb 1, 2016
@bkleef

bkleef commented Sep 16, 2016

@kisom so `cfssl gencert` or `cfssl sign` doesn't have any param to specify auth_key like `-auth-key` and so sign by authsign instead of sign endpoint?

@aclairekeum

aclairekeum commented Jul 27, 2017

Trying to find a good reference in regard to using the authsign endpoint. Have tried posting the example json testdata body to endpoint, but have been getting

```
{"success":false,"result":null,"errors":[{"code":400,"message":"Unable to parse authenticated sign request"}],"messages":[]}
```

and on the cfssl side, I'm seeing

```
failed to unmarshal request from authenticated request: invalid character '\n' in string literal
```

I would assume that the testdata (authrequest.json) should be working with the key in (auth_test.go) and at least it shouldn't fail at the sign handler stage. Does anyone have a clue on what the issue might be?

The links that @anniephan has kindly provided are now both broken. If there's another reference that I could take a look at, that'd be helpful too.

@krish7919
Contributor

Facing the same issue as @aclairekeum above.
The testdata does not work with the API.

@gsib

gsib commented May 25, 2021

> Trying to find a good reference in regard to using the authsign endpoint. Have tried posting the example json testdata body to endpoint, but have been getting
>
> `{"success":false,"result":null,"errors":[{"code":400,"message":"Unable to parse authenticated sign request"}],"messages":[]}`
>
> and on the cfssl side, I'm seeing
>
> `failed to unmarshal request from authenticated request: invalid character '\n' in string literal`
>
> I would assume that the testdata (authrequest.json) should be working with the key in (auth_test.go) and at least it shouldn't fail at the sign handler stage. Does anyone have a clue on what the issue might be?
>
> The links that @anniephan has kindly provided are now both broken. If there's another reference that I could take a look at, that'd be helpful too.

You need to:

  1. decode the "request" using something like https://www.base64decode.org/.
  2. Then, in the "-----BEGIN CERTIFICATE REQUEST----- ..." content, replace the line-break character "\n" with "\n". You may also need to provide the profile name as it is empty in the example. i.e "profile": "",
  3. Encode the request content back to base64 and put it back in authrequest.json

The json parser breaks when it hits "\n" hence the above error.
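
An added example, not part of any comment above and not cfssl's own code: it builds the authsign body described in this thread with `JSON.stringify`, so the PEM line breaks are escaped, and reproduces the parse failure when the inner JSON is assembled by hand. The key, the CSR body and all function names are constructed for illustration; `verifyAuthRequest` is an assumed sketch of the receiving side's check.

```javascript
const crypto = require('crypto');

// Constructed sample values, not taken from the cfssl repository.
const AUTH_KEY_HEX = '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff';
const SAMPLE_CSR_PEM = [
  '-----BEGIN CERTIFICATE REQUEST-----',
  'CONSTRUCTED+PLACEHOLDER+BODY+NOT+A+REAL+CSR',
  '-----END CERTIFICATE REQUEST-----',
  ''
].join('\n');

function hmacOver(keyHex, bytes) {
  return crypto.createHmac('sha256', Buffer.from(keyHex, 'hex')).update(bytes).digest();
}

// Outer body: token = base64(HMAC-SHA256(key, inner bytes)), request = base64(inner bytes).
function buildAuthRequest(keyHex, csrPem, profile) {
  // JSON.stringify escapes each PEM line break as the two characters \n.
  const inner = Buffer.from(JSON.stringify({ certificate_request: csrPem, profile }));
  return { token: hmacOver(keyHex, inner).toString('base64'), request: inner.toString('base64') };
}

// Assumed receiver-side check: recompute the HMAC over the decoded bytes,
// compare in constant time, and only then parse the inner JSON.
function verifyAuthRequest(keyHex, body) {
  const inner = Buffer.from(body.request, 'base64');
  const expected = hmacOver(keyHex, inner);
  const given = Buffer.from(body.token, 'base64');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, error: 'bad token' };
  }
  try {
    return { ok: true, request: JSON.parse(inner.toString('utf8')) };
  } catch (e) {
    return { ok: false, error: 'unparseable request' };
  }
}

// Failure mode from the thread: inner JSON concatenated by hand, leaving raw
// line breaks inside the string literal. The token verifies, the JSON does not parse.
function buildHandRolledRequest(keyHex, csrPem) {
  const inner = Buffer.from('{"certificate_request":"' + csrPem + '","profile":""}');
  return { token: hmacOver(keyHex, inner).toString('base64'), request: inner.toString('base64') };
}
```

Because the token is computed over the exact inner bytes, any re-serialisation of the request after signing invalidates it; sign and send the same buffer.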
