Keyfactor / ejbca-vault-pki-engine

EJBCA PKI Engine and Backend for HashiCorp Vault. Used to issue, sign, and revoke certificates using the EJBCA CA.
Apache License 2.0

Path `issue` requires CN in `data` regardless of `require_cn` in role #3

Closed m8rmclaren closed 1 year ago

m8rmclaren commented 1 year ago

Log from @svenska-primekey

2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: panic: interface conversion: interface {} is nil, not string
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: goroutine 128 [running]:
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/Keyfactor/ejbca-vault-pki-engine.(*issueSignHelper).getSubject(_)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /tmp/ejbca-vault-pki-engine-1.0.0/certs_util.go:504 +0x268
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/Keyfactor/ejbca-vault-pki-engine.(*issueSignHelper).CreateCsr(0xc000409b30)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /tmp/ejbca-vault-pki-engine-1.0.0/certs_util.go:626 +0x58
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/Keyfactor/ejbca-vault-pki-engine.(*issueSignResponseBuilder).IssueCertificate(0xc00024f6a8)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /tmp/ejbca-vault-pki-engine-1.0.0/certs_util.go:115 +0x33
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/Keyfactor/ejbca-vault-pki-engine.(*ejbcaBackend).pathIssue(0xc000125590, {0xce3730?, 0xc0004094d0}, 0xc0005d8380, 0xc000116c10)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /tmp/ejbca-vault-pki-engine-1.0.0/path_issue_sign.go:412 +0x1cc
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0xc0003b8000, {0xce3730, 0xc0004094d0}, 0xc0005d8380)
2023-08-31T20:00:09.801Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/github.com/hashicorp/vault/sdk@v0.9.0/framework/backend.go:300 +0xa88
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/hashicorp/vault/sdk/plugin.(*backendGRPCPluginServer).HandleRequest(0xb654c0?, {0xce3730, 0xc0004094d0}, 0xc00043a580)
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/github.com/hashicorp/vault/sdk@v0.9.0/plugin/grpc_backend_server.go:145 +0x16e
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: github.com/hashicorp/vault/sdk/plugin/pb._Backend_HandleRequest_Handler({0xb990c0?, 0xc000280cd0}, {0xce3730, 0xc0004094d0}, 0xc000135ce0, 0x0)
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/github.com/hashicorp/vault/sdk@v0.9.0/plugin/pb/backend_grpc.pb.go:227 +0x169
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: google.golang.org/grpc.(*Server).processUnaryRPC(0xc0002696c0, {0xce7540, 0xc00047c000}, 0xc00043c240, 0xc00031f770, 0x11a3780, 0x0)
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/google.golang.org/grpc@v1.41.0/server.go:1279 +0xcd5
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: google.golang.org/grpc.(*Server).handleStream(0xc0002696c0, {0xce7540, 0xc00047c000}, 0xc00043c240, 0x0)
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/google.golang.org/grpc@v1.41.0/server.go:1608 +0x9e7
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: google.golang.org/grpc.(*Server).serveStreams.func1.2()
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/google.golang.org/grpc@v1.41.0/server.go:923 +0x8d
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine: created by google.golang.org/grpc.(*Server).serveStreams.func1 in goroutine 52
2023-08-31T20:00:09.802Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.ejbca-vault-pki-engine:  /go/pkg/mod/google.golang.org/grpc@v1.41.0/server.go:921 +0x246
2023-08-31T20:00:09.804Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2023-08-31T20:00:09.804Z [ERROR] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39.ejbca-vault-pki-engine: plugin process exited: path=/usr/local/libexec/vault/ejbca-vault-pki-engine pid=27422 error="exit status 2"
2023-08-31T20:00:32.000Z [DEBUG] secrets.ejbca-vault-pki-engine.ejbca-vault-pki-engine_7fad1b39: plugin: reloading plugin backend: plugin=ejbca-vault-pki-engine
2023-08-31T20:00:32.000Z [DEBUG] core.ejbca-vault-pki-engine: reload external plugin process

Encountered when using the following path:

Error writing data to ejbca100/issue/client-auth-5d: Error making API request.

URL: PUT https://api.vault/v1/ejbca100/issue/client-auth-5d
Code: 500. Errors:

* 1 error occurred:
    * rpc error: code = Unavailable desc = error reading from server: EOF
m8rmclaren commented 1 year ago

Add logic to return an error only if no CN was provided but the role requires one:

    cnInterface := i.data.Get("common_name")

    // A request without common_name arrives as a nil interface (see the panic
    // above). That is "no CN provided", not a type error, so only reject
    // values that are present but not strings.
    var cn string
    if cnInterface != nil {
        var ok bool
        cn, ok = cnInterface.(string) // comma-ok form never panics
        if !ok {
            return pkix.Name{}, fmt.Errorf("common_name is not a string")
        }
    }

    // Enforce the CN only when the role asks for it.
    if i.role.RequireCN && cn == "" {
        return pkix.Name{}, fmt.Errorf("common_name is required for role called %q", i.getRoleName())
    }
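The crash class behind this issue, as an added stand-alone example that is not the plugin's own code: a single-value type assertion on a nil interface panics, and because a Vault secrets engine runs as a separate plugin process, that panic takes the whole plugin down (the "plugin process exited" and "rpc error ... EOF" lines in the log above) and the caller sees a 500. The example uses a hypothetical `Role` type and a plain `map[string]interface{}` in place of the plugin's `i.data`; `Subject` applies the comma-ok assertion and the `RequireCN` policy, and `UnsafeCN` reproduces the original failure under `recover` so it can be observed without killing the process.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
)

// Role is a hypothetical stand-in for the plugin's role, carrying only the
// setting this issue is about.
type Role struct {
	Name      string
	RequireCN bool
}

// Subject builds the certificate subject from request data supplied as a
// constructed map (standing in for the plugin's field data). A missing key
// and an explicit nil both mean "no CN was provided"; only a present,
// non-string value is a type error.
func Subject(role Role, data map[string]interface{}) (pkix.Name, error) {
	raw, present := data["common_name"]
	var cn string
	if present && raw != nil {
		s, ok := raw.(string) // comma-ok form: never panics
		if !ok {
			return pkix.Name{}, fmt.Errorf("common_name must be a string, got %T", raw)
		}
		cn = s
	}
	// The CN is mandatory only when the role says so.
	if role.RequireCN && cn == "" {
		return pkix.Name{}, fmt.Errorf("common_name is required for role called %q", role.Name)
	}
	return pkix.Name{CommonName: cn}, nil
}

// UnsafeCN reproduces the crash in the stack trace: a single-value assertion
// on a nil interface raises the runtime error
// "interface conversion: interface {} is nil, not string". The panic is
// recovered and returned as an error so a caller can observe it.
func UnsafeCN(data map[string]interface{}) (cn string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	cn = data["common_name"].(string) // panics when the key is absent or nil
	return cn, nil
}

func main() {
	lax := Role{Name: "client-auth-5d", RequireCN: false} // constructed sample role
	n, err := Subject(lax, map[string]interface{}{})
	fmt.Printf("lax role, no CN: cn=%q err=%v\n", n.CommonName, err)

	strict := Role{Name: "server-auth", RequireCN: true}
	_, err = Subject(strict, map[string]interface{}{})
	fmt.Println("strict role, no CN:", err)

	_, err = UnsafeCN(map[string]interface{}{})
	fmt.Println("unchecked assertion:", err)
}
```

Keeping the assertion in its comma-ok form turns a process-level crash into an ordinary error response, which Vault returns to the client with a meaningful message instead of the opaque EOF shown in the issue.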