
Unable to invoke the authsign api #864

Open
annakz opened this issue Feb 25, 2018 · 4 comments

Comments

@annakz

annakz commented Feb 25, 2018

@kisom @anniephan Following issue #460, I'm unable to generate a valid authsign request, and keep getting the 'invalid token' response: {"success":false,"result":null,"errors":[{"code":400,"message":"invalid token"}],"messages":[]}.
I attempted to write a Java program that creates an authsign request. I used the auth test config for the cfssl server, and the code:

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;

public class AuthSignToken {
	private static String key = "0123456789ABCDEF0123456789ABCDEF";

	public static String encode(String key, String data) throws Exception {
		Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
		// hex-encodes the key string (kept as posted; the replies below address this line)
		String keyHex = Hex.encodeHexString(key.getBytes("UTF-8"));

		SecretKeySpec secret_key = new SecretKeySpec(keyHex.getBytes(), "HmacSHA256");
		// use key
		sha256_HMAC.init(secret_key);
		// combine with cert signing request
		byte[] updatedHmacWithReq = sha256_HMAC.doFinal(data.getBytes("UTF-8"));
		// HMAC-SHA256 to base64
		return Base64.encodeBase64String(updatedHmacWithReq);
	}

	public static void main(String[] args) throws Exception {
		// the inner sign request JSON, loaded from the file given as the first argument
		String signReq = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8);
		System.out.println("Token in base 64:");
		System.out.println(encode(key, signReq));
		System.out.println("Request in base 64:");
		System.out.println(Base64.encodeBase64String(signReq.getBytes("UTF-8")));
	}
}

I then used the printed token and request for the authsign request, and got "invalid token" for different signReq requests. The signReq is a String loaded from a file:
{
"request": "-----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST-----\n",
"profile": "CA"
}

@krish7919 In addition, as mentioned, the testdata does not work with the API.

Can someone suggest what is not correct in my authsign request generation? Or a reference to an example of generating the JSON for an authsign request?

Thanks!

@jimmypw

jimmypw commented Mar 22, 2018

Read the API docs again. You need to wrap the inner request in an outer request. This is the Ruby code I use.

require 'json'
require 'base64'
require 'openssl'

# Turn the hex auth key from the cfssl config into its raw bytes
def hexdecode(hex)
  [hex].pack('H*')
end

def authsign(authkey, csr, options = {})
  inner_request = {
    :certificate_request => csr
  }.merge(options)

  inner_request_json = JSON.generate(inner_request)
  token = OpenSSL::HMAC.digest("SHA256", hexdecode(authkey), inner_request_json)

  outer_request = {
    :token => Base64.strict_encode64(token),
    :request => Base64.strict_encode64(inner_request_json)
  }
  # @conn is an HTTP client connection pointed at the cfssl server
  response = @conn.post('/api/v1/cfssl/authsign', JSON.generate(outer_request))
  process_response(response)
end

@cspeidel

@annakz The key in your example is already a hex-encoded string. Try decoding it instead of encoding it before computing the base64-encoded HMAC.

This is how I do it in Python 2.7:

import base64
import hashlib
import hmac

auth_key = "0123456789ABCDEF0123456789ABCDEF"
key = auth_key.decode('hex')  # Python 2: hex string -> raw 16-byte key
# csr holds the serialised inner request; request is the outer dict being built
request['token'] = base64.b64encode(hmac.new(key, csr, digestmod=hashlib.sha256).digest())

@akamac
Contributor

akamac commented Jun 12, 2018

To generate the token in bash:

cat request.json | openssl dgst -sha256 -mac HMAC -macopt hexkey:$auth_key -binary | base64

@krish7919
Contributor

Here are step-by-step instructions, just in case. They also cover using SANs.

Create a keypair and the corresponding CSR

$ openssl req -new -newkey rsa:2048 -nodes \
    -out    example.csr \
    -keyout example.key

Generate the authenticated request

$ onboarding_key="XXXXX"
$ cn=example.com
$ csr=$(cat "example.csr")
$ sans=""
$ certificate_req=$(jq -n -c -j \
                    --arg csr  "${csr}" \
                    --arg cn   "${cn}" \
                    --arg sans "${sans}" \
                    '{"certificate_request":($csr+"\n"),"profile":"self-signed-ca","hosts":([ $cn ] + ($sans | split(" ")))}')
$ base64_certificate_req=$(printf '%s' "${certificate_req}" | base64 | tr -d '\n')
$ hex_encoded_onboarding_key="$(echo -n "${onboarding_key}" \
                                | od -tx1 -An -v \
                                | tr -d ' ' \
                                | tr -d '\n' )"
$ base64_token=$(printf '%s' "${certificate_req}" | \
                openssl dgst -sha256 -binary -mac HMAC -macopt "hexkey:${hex_encoded_onboarding_key}" | \
                base64 | tr -d '\n')
$ auth_req=$(jq -n -c -j \
             --arg token "${base64_token}" \
             --arg req "${base64_certificate_req}" \
             '{"token":$token,"request":$req}')
$ echo "$auth_req" > example_authsign_request.json

Send request to the self-signed CA

$ curl -k -X POST -d @example_authsign_request.json \
    -H "Content-Type: application/json" \
    "https://self.signed.ca.com:8088/api/v1/cfssl/authsign" \
    | jq -r '.result.certificate' > example.crt
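The replies above give three pieces of the same construction: the configured auth key is hex and must be decoded to raw bytes before use (cspeidel), the HMAC-SHA256 token covers the exact serialised bytes of the inner sign request (jimmypw, akamac), and the outer request carries both the token and the inner request base64-encoded (krish7919). The following Python 3 script is an added example that is not code from this thread or from cfssl. It builds the outer request, recomputes and compares the token the way a verifier would (it assumes the server recomputes the same HMAC over the decoded request and compares the two MACs), and shows that the token produced by hex-encoding the already-hex key, as in the opening post, does not verify. The key value and the CSR string are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: the real key comes from the cfssl auth config and
# the CSR from `openssl req`; this PEM body is a placeholder, not a real CSR.
AUTH_KEY_HEX = "0123456789ABCDEF0123456789ABCDEF"
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIBplaceholderCSRbodyNotARealRequest\n"
    "-----END CERTIFICATE REQUEST-----\n"
)


def key_bytes(auth_key_hex: str) -> bytes:
    """The configured key is a hex string; the HMAC key is its decoded bytes."""
    return bytes.fromhex(auth_key_hex)


def build_inner_request(csr_pem: str, profile: str, hosts=None) -> bytes:
    """Serialise the inner /sign request; these exact bytes are what gets MACed."""
    inner = {"certificate_request": csr_pem, "profile": profile}
    if hosts:
        # Drop empty entries so an unset SAN list does not add "" as a host
        inner["hosts"] = [h for h in hosts if h]
    return json.dumps(inner, separators=(",", ":")).encode("utf-8")


def compute_token(auth_key_hex: str, inner_json: bytes) -> bytes:
    """HMAC-SHA256 over the inner request bytes with the decoded key."""
    return hmac.new(key_bytes(auth_key_hex), inner_json, hashlib.sha256).digest()


def build_authsign_request(auth_key_hex: str, csr_pem: str, profile: str, hosts=None) -> dict:
    """Outer request for POST /api/v1/cfssl/authsign: base64 token + base64 inner request."""
    inner_json = build_inner_request(csr_pem, profile, hosts)
    return {
        "token": base64.b64encode(compute_token(auth_key_hex, inner_json)).decode("ascii"),
        "request": base64.b64encode(inner_json).decode("ascii"),
    }


def verify_authsign_request(auth_key_hex: str, outer: dict) -> bool:
    """Verifier-side check (assumed to mirror what the server does): decode both
    fields, recompute the MAC over the request bytes, compare in constant time."""
    try:
        token = base64.b64decode(outer["token"], validate=True)
        inner_json = base64.b64decode(outer["request"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(token, compute_token(auth_key_hex, inner_json))


def token_with_hex_encoded_key(auth_key_hex: str, inner_json: bytes) -> bytes:
    """The mistake from the opening post: the hex string is hex-encoded a second
    time, so the MAC runs with 64 ASCII bytes instead of the 16 decoded bytes."""
    wrong_key = auth_key_hex.encode("utf-8").hex().encode("ascii")
    return hmac.new(wrong_key, inner_json, hashlib.sha256).digest()


if __name__ == "__main__":
    outer = build_authsign_request(AUTH_KEY_HEX, SAMPLE_CSR_PEM, "CA", ["example.com"])
    print(json.dumps(outer, indent=2))
    print("decoded-key token verifies:", verify_authsign_request(AUTH_KEY_HEX, outer))
    inner_json = base64.b64decode(outer["request"])
    bad_token = base64.b64encode(token_with_hex_encoded_key(AUTH_KEY_HEX, inner_json)).decode("ascii")
    print("hex-encoded-key token verifies:", verify_authsign_request(AUTH_KEY_HEX, dict(outer, token=bad_token)))
```

Two details matter when comparing with your own client: the bytes you MAC must be byte-for-byte the bytes you base64 into the `request` field (re-serialising the JSON with different whitespace or key order after computing the token breaks it), and the key length tells you whether decoding happened (16 bytes for this 32-character hex key, 64 bytes if it was hex-encoded again).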
