cfssl authsign - "json: cannot unmarshal object into Go value of type []uint8" #854

Open
dsafont opened this issue Feb 13, 2018 · 8 comments

dsafont commented Feb 13, 2018

I'm trying to use the authsign endpoint with the standard authenticator and I get the following error:

curl -X POST -d '{ "token": "0123456789ABCDEF0123456789ABCDEF", "request":{"certificate_request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBUjCB+QIBADBqMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLZXhhbXBsZS5jb20x\nFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xEzARBgNVBAgTCkNhbGlmb3JuaWExGDAW\nBgNVBAMTD3d3dy5leGFtcGxlLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\nBK/CtZaQ4VliKE+DLIVGLwtSxJgtUKRzGvN1EwI3HRgKDQ3l3urBIzHtUcdMq6HZ\nb8jX0O9fXYUOf4XWggrLk1agLTArBgkqhkiG9w0BCQ4xHjAcMBoGA1UdEQQTMBGC\nD3d3dy5leGFtcGxlLmNvbTAKBggqhkjOPQQDAgNIADBFAiAcvfhXnsLtzep2sKSa\n36W7G9PRbHh8zVGlw3Hph8jR1QIhAKfrgplKwXcUctU5grjQ8KXkJV8RxQUo5KKs\ngFnXYtkb\n-----END CERTIFICATE REQUEST-----"}}' http://localhost:8888/api/v1/cfssl/authsign | python -m json.tool

{
    "errors": [
        {
            "code": 400,
            "message": "json: cannot unmarshal object into Go value of type []uint8"
        }
    ],
    "messages": [],
    "result": null,
    "success": false
}

My cfssl config file:
{
  "signing": {
    "profiles": {
      "CA": {
        "usages": ["cert sign"],
        "expiry": "720h",
        "auth_key": "ca-auth"
      },
      "email": {
        "usages": ["s/mime"],
        "expiry": "720h"
      }
    },
    "default": {
      "usages": ["signing", "key encipherment", "server auth", "client auth"],
      "expiry": "8760h",
      "auth_key": "ca-auth"
    }
  },
  "auth_keys": {
    "ca-auth": {
      "type": "standard",
      "key": "0123456789ABCDEF0123456789ABCDEF"
    }
  },
  "remotes": {
    "localhost": "0.0.0.0:8888"
  }
}

YpNo commented Jun 12, 2018

+1

Contributor

akamac commented Jun 12, 2018

token != auth_key
Refer to docs and the way to generate a token

Contributor

akamac commented Jun 12, 2018

To generate the token in bash:

cat request.json | openssl dgst -sha256 -mac HMAC -macopt hexkey:$auth_key -binary | base64

YpNo commented Jun 12, 2018

Thanks @akamac, but it doesn't work.

I have done the following:
CSR.csr

-----BEGIN CERTIFICATE REQUEST-----
[...]
-----END CERTIFICATE REQUEST-----

auth_key=65F8d89AABCD45C5D757F6C12345678

cat CSR.csr | openssl dgst -sha256 -mac HMAC -macopt key:$(echo $auth_key | xxd -r -p -) -binary | openssl enc -e -base64

TwPKcO8Dm1u7ohEvwcbkEbCLwtGoryEog5U9zaALca0=

sign-request.json

{
  "token": "TwPKcO8Dm1u7ohEvwcbkEbCLwtGoryEog5U9zaALca0=",
  "request": {
    "certificate_request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC6zCCAdMCAQAwfTELMAkGA1UEBhMCRlIxFjAUBgNVBAgMDUlsZS1kZS1GcmFu\nY2UxEjAQBgNVBAcMCVZpbmNlbm5lczERMA8GA1UECgwIQ29tcGFnbnkxDzANBgNV\nBAsMBlJldGFpbDEeMBwGA1UEAwwVY29tcGFnbnkuZG9tYWluLmxvY2FsMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoHdA3hIAqL62+5iTcaLZg5zemPqh\nD43AXCC3JBhFwcdx2GBGKWMS5voGNMRiFAD22ZfitJ5OtxXp+0IIUuHxT72kckFq\nwAsXvahPLw5D+SYuJGoGYyK1ybDf8Sq2kuDY5npowDhBIeafIOLJ+nh67PGV78AY\nykJza8GAfNi5VKIZr02z05NlPvf6PF+zXkBEUq9p4BmF3IqfACqJWYuJa+S/f5D3\nyNht7oBDRJeIDGxoDKXhKd0yh3nYf2GbUxSPnle9Hd5fWTaVTo7/qnCFc5T8S/OF\nPqWfJmA1ONeXpVKGwpP/01CvKZOJmXIMgdNHczwRGKHST2J94PzLrz2u7QIDAQAB\noCkwJwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkq\nhkiG9w0BAQsFAAOCAQEAKpGtKqP/KTnSjzfLlEoJ3cDr/kwcuOJbFJYnq5Es4Eso\nLuzlPWBgpigrObZnyUoGYgoQnEjCTBZbZ59ZlweG0zjG9HXsjyz26aTnCIJw+Z3U\nL18iKvpzA8kOJ1SASjEmVdAZjs9aa2/fOmzhrsbJCxpOgmJOuSw38w84RkWiwx4Z\nUj423f2cMhfHqA5gY6Nn1a506iM9FZ5JfXoD15aTmCWNIOntkYV8H3sqVJsXq6LF\ne+MGEixhVb1MHn4of/i/7iqdjyYKlo1kGckMe0GyWLEZ5TRZhJvEdq3KoYOwxwnL\nf581vS5NinCdU3lRnceNVy94Zp+AmIhzrGrSGYjT0g==\n-----END CERTIFICATE REQUEST-----\n",
    "profile": "http",
    "label": "my-csr"
  }
}

Try:
curl -X POST -H "Content-Type: application/json" -d @sign-request.json http://localhost:8888/api/v1/cfssl/authsign | python -m json.tool

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1436  100   178  100  1258  36505   251k --:--:-- --:--:-- --:--:--  307k
{
    "errors": [
        {
            "code": 400,
            "message": "json: cannot unmarshal object into Go struct field AuthenticatedRequest.request of type []uint8"
        }
    ],
    "messages": [],
    "result": null,
    "success": false
}

Contributor

akamac commented Jun 13, 2018

@YpNo My bad, I edited the comment. Actually, you should feed the request.json containing {"certificate_request": "-----BEGIN CERTIFICATE REQUEST-----\n-----END CERTIFICATE REQUEST-----"}.
Also, the request field of the posted json should be base64 encoded.

YpNo commented Jun 22, 2018

Hi @akamac,

Yes, got it!
Explanation for @dsafont:

  • Create a sign_request.json like this:
    { "certificate_request": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC6zCCAdMCAQAwfTELMAkGA1UEBhMCRlIxFjAUBgNVBAgMDUlsZS1kZS1GcmFu\nY2UxEjAQBgNVBAcMCVZpbmNlbm5lczERMA8GA1UECgwIQ29tcGFnbnkxDzANBgNV\nBAsMBlJldGFpbDEeMBwGA1UEAwwVY29tcGFnbnkuZG9tYWluLmxvY2FsMIIBIjAN\nBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoHdA3hIAqL62+5iTcaLZg5zemPqh\nD43AXCC3JBhFwcdx2GBGKWMS5voGNMRiFAD22ZfitJ5OtxXp+0IIUuHxT72kckFq\nwAsXvahPLw5D+SYuJGoGYyK1ybDf8Sq2kuDY5npowDhBIeafIOLJ+nh67PGV78AY\nykJza8GAfNi5VKIZr02z05NlPvf6PF+zXkBEUq9p4BmF3IqfACqJWYuJa+S/f5D3\nyNht7oBDRJeIDGxoDKXhKd0yh3nYf2GbUxSPnle9Hd5fWTaVTo7/qnCFc5T8S/OF\nPqWfJmA1ONeXpVKGwpP/01CvKZOJmXIMgdNHczwRGKHST2J94PzLrz2u7QIDAQAB\noCkwJwYJKoZIhvcNAQkOMRowGDAJBgNVHRMEAjAAMAsGA1UdDwQEAwIF4DANBgkq\nhkiG9w0BAQsFAAOCAQEAKpGtKqP/KTnSjzfLlEoJ3cDr/kwcuOJbFJYnq5Es4Eso\nLuzlPWBgpigrObZnyUoGYgoQnEjCTBZbZ59ZlweG0zjG9HXsjyz26aTnCIJw+Z3U\nL18iKvpzA8kOJ1SASjEmVdAZjs9aa2/fOmzhrsbJCxpOgmJOuSw38w84RkWiwx4Z\nUj423f2cMhfHqA5gY6Nn1a506iM9FZ5JfXoD15aTmCWNIOntkYV8H3sqVJsXq6LF\ne+MGEixhVb1MHn4of/i/7iqdjyYKlo1kGckMe0GyWLEZ5TRZhJvEdq3KoYOwxwnL\nf581vS5NinCdU3lRnceNVy94Zp+AmIhzrGrSGYjT0g==\n-----END CERTIFICATE REQUEST-----\n", "profile": "http", "label": "my-csr" }

  • Define a variable with your auth_key and generate a token:
    auth_key=0123456ABCDEF0123456ABCDEF
    cat sign_request.json | openssl dgst -sha256 -mac HMAC -macopt hexkey:$auth_key -binary | base64
    U9+OsmVYzM9DwegwyFNRjPVj5bNv7TlFJSaz/dAKRl4=

  • Encode your sign_request in base64
    cat sign_request.json | base64

  • Create your authsign_request.json
    { "token": "gXbwbqpvVp7SIi1D8V4I725LtUDO2t+bE4xuDiq+kiw=", "request": "ewogICAgImNlcnRpZmljYXRlX3JlcXVlc3QiOiAiLS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS1cbk1JSUM2ekNDQWRNQ0FRQXdmVEVMTUFrR0ExVUVCaE1DUmxJeEZqQVVCZ05WQkFnTURVbHNaUzFrWlMxR2NtRnVcblkyVXhFakFRQmdOVkJBY01DVlpwYm1ObGJtNWxjekVSTUE4R0ExVUVDZ3dJUTI5dGNHRm5ibmt4RHpBTkJnTlZcbkJBc01CbEpsZEdGcGJERWVNQndHQTFVRUF3d1ZZMjl0Y0dGbmJua3VaRzl0WVdsdUxteHZZMkZzTUlJQklqQU5cbkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW9IZEEzaElBcUw2Mis1aVRjYUxaZzV6ZW1QcWhcbkQ0M0FYQ0MzSkJoRndjZHgyR0JHS1dNUzV2b0dOTVJpRkFEMjJaZml0SjVPdHhYcCswSUlVdUh4VDcya2NrRnFcbndBc1h2YWhQTHc1RCtTWXVKR29HWXlLAXliRGY4U3Eya3VEWTVucG93RGhCSWVhZklPTEorbmg2N1BHVjc4QVlcbnlrSnphOEdBZk5pNVZLSVpyMDJ6MDVObFB2ZjZQRit6WGtCRVVxOXA0Qm1GM0lxZkFDcUpXWXVKYStTL2Y1RDNcbnlOaHQ3b0JEUkplSURHeG9ES1hoS2QweWgzbllmMkdiVXhTUG5sZTlIZDVmV1RhVlRvNy9xbkNGYzVUOFMvT0ZcblBxV2ZKbUExT05lWHBWS0d3cFAvMDFDdktaT0ptWElNZ2ROSGN6d1JHS0hTVDJKOTRQekxyejJ1N1FJREFRQUJcbm9Da3dKd1lKS29aSWh2Y05BUWtPTVJvd0dEQUpCZ05WSFJNRUFqQUFNQXNHQTFVZER3UUVBd0lGNERBTkJna3FcbmhraUc5dzBCQVFzRkFBT0NBUUVBS3BHdEtxUC9LVG5TanpmTGxFb0ozY0RyL2t3Y3VPSmJGSllucTVFczRFc29cbkx1emxQV0JncGlnck9iWm55VW9HWWdvUW5FakNUQlpiWjU5Wmx3ZUcwempHOUhYc2p5ejI2YVRuQ0lKdytaM1VcbkwxOGlLdnB6QThrT0oxU0FTakVtVmRBWmpzOWFhMi9mT216aHJzYkpDeHBPZ21KT3VTdzM4dzg0UmtXaXd4NFpcblVqNDIzZjJjTWhmSHFBNWdZNk5uMWE1MDZpTTlGWjVKZlhvRDE1YVRtQ1dOSU9udGtZVjhIM3NxVkpzWHE2TEZcbmUrTUdFaXhoVmIxTUhuNG9mL2kvN2lxZGp5WUtsbzFrR2NrTWUwR3lXTEVaNVRSWmhKdkVkcTNLb1lPd3h3bkxcbmY1ODF2UzVOaW5DZFUzbFJuY2VOVnk5NFpwK0FtSWh6ckdyU0dZalQwZz92XG4tLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS1cbiIsCiAgICAicHJvZmlsZSI6ICJodHRwIiwKICAgICJsYWJlbCI6ICJteS1jc3IiCn0K" }

And Try:
curl -X POST -H "Content-Type: application/json" -d @authsign_request.json http://localhost:8888/api/v1/cfssl/authsign | python -m json.tool
{ "errors": [], "messages": [], "result": { "certificate": "-----BEGIN CERTIFICATE-----\nXXXXXXXXXXXXX----END CERTIFICATE-----\n" }, "success": true }

Thanks @akamac
It would be a great idea, maybe, to improve the documentation :) Maybe I'll do it later ^^

Regards.

ahaw021 commented Mar 7, 2020

couple more python examples

from python-cfssl issues LasLabs/python-cfssl#26

cert_req = json.dumps({"certificate_request": req['certificate_request'].encode('utf-8'), "profile": "server"})+"\n"

gen_token = hmac.new("0123456789abcdef0123456789abcdef".decode("hex"), cert_req, hashlib.sha256)
dgst = base64.b64encode(gen_token.digest())
auth_req = api.auth_sign(token=dgst, request=base64.b64encode(cert_req))

my own python3 version using the codecs library (tested on python3.8):

import hmac
import hashlib
import json
import codecs

with open('csr.json',"r",encoding="UTF-8") as json_file:
    data = json_file.read()
    auth_key = "0123456789ABCDEF0123456789ABCDEF"
    # HMAC the same UTF-8 bytes that are base64-encoded into "request" below
    hex_token = hmac.new(bytes.fromhex(auth_key), msg = bytes(data , 'UTF-8'), digestmod = hashlib.sha256).hexdigest().upper()
    b64_token = codecs.encode(codecs.decode(hex_token, 'hex'), 'base64').decode()
    request = codecs.encode(bytes(data,"UTF-8"),"base64").decode()
    print(json.dumps({"token":b64_token,"request":request},indent=4))


ahaw021 commented Mar 7, 2020

I have found this as well, which covers multiple languages: https://github.com/danharper/hmac-examples

This is my nodejs version as well, which I think is a fairly simple implementation:

var crypto = require('crypto');
var fs = require("fs")

const auth_key_as_hex = "0123456789ABCDEF0123456789ABCDEF"
const key_usable_for_crypto_hmac = Buffer.from(auth_key_as_hex,"hex")
const cfssl_csr_as_buffer = fs.readFileSync("./csr.json","utf-8")

var hash = crypto.createHmac('sha256', key_usable_for_crypto_hmac)
hash.update(cfssl_csr_as_buffer);

var cfssl_auth_request_format = {
    "token":hash.digest("base64"),
    "request":Buffer.from(cfssl_csr_as_buffer).toString("base64")
}
console.log(JSON.stringify(cfssl_auth_request_format,null,4))
