Venafi / VenafiPS

Powershell module to fully automate your Venafi TLS Protect Datacenter and Cloud platforms!
https://venafips.readthedocs.io/
Apache License 2.0

New-TppObject False-Positive When Creating Application Groups #222

Closed astro2000j closed 7 months ago

astro2000j commented 1 year ago

Issue:

While calling the New-TppObject when creating an application object (1-to-many feature), a certificate path is supplied to associate the application group to a single certificate object.

Replicate:

$atts = @{
    Certificate = '\ved\policy\OneToMany\mycert.test'
    'Enrollment Application DN' = '\ved\policy\OneToMany\Win1\App1'
    'HSM:CKA LABEL Format' = 'Date with CN'
    'HSM:Embed SANs in CSR' = 'No'
    'HSM:Import Certificate' = 'Import Certificate with Intermediate certificates'
    'HSM:Protection Type' = 'Softcard'
    'HSM:Requested Usecase' = 'TLS Server - RSA'
    'HSM:Reverse Subject DN' = 'No'
    'HSM:Token Label' = 'all_spec_chars'
}

New-TppObject -Path "\OneToMany\mycert.test - Pkcs11 App Group" -Class "PKCS11 Application Group" -Attribute $atts -VenafiSession $session

Expected Behavior:

When specifying an Application Group SuperClass type for the -Class parameter (i.e. - PKCS11 Application Group), the certificate association logic should be ignored.

Alternatively, adding a new parameter such as -SkipCertificateAssociation enables the developer to control when the certificate association logic is executed when creating a new object.

Workaround:

Perform first call using the New-TppObject and exclude the Certificate attribute during creation. Then call the Set-TppAttribute to update the Application Group object with the "associated" certificate.

https://github.com/Venafi/VenafiPS/blob/b357a4247c320847089273fb84cd6bed6a60e1de/VenafiPS/Public/New-TppObject.ps1#L191C35-L191C35
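A wrapper that implements the workaround described above (create the group without the Certificate attribute, then set that attribute with Set-TppAttribute) and passes every other class straight through. This is an added example, not part of VenafiPS or the reporter's code; it assumes the VenafiPS 5.x parameter names used in this issue (-Path, -Class, -Attribute, -VenafiSession) and that Set-TppAttribute accepts the same -Path / -Attribute hashtable form.

```powershell
# Added example (not part of the VenafiPS module or the issue author's code).
# Assumes VenafiPS 5.x cmdlets New-TppObject and Set-TppAttribute with the
# -Path / -Class / -Attribute / -VenafiSession parameters used in this issue.
function New-TppApplicationGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [string]    $Class,
        [Parameter(Mandatory)] [hashtable] $Attribute,
        [Parameter(Mandatory)]             $VenafiSession
    )

    # Application Group classes are not Application objects, so TPP rejects the
    # certificate association New-TppObject attempts when 'Certificate' is present.
    $isAppGroup = $Class -like '*Application Group'

    if (-not ($isAppGroup -and $Attribute.ContainsKey('Certificate'))) {
        # Plain application object (or no certificate): let New-TppObject handle it.
        return New-TppObject -Path $Path -Class $Class -Attribute $Attribute -VenafiSession $VenafiSession
    }

    # Step 1: create the group without the Certificate attribute so that no
    # association call is triggered during creation.
    $createAttrs     = $Attribute.Clone()   # shallow copy; caller's hashtable stays intact
    $certificatePath = $createAttrs['Certificate']
    $createAttrs.Remove('Certificate')

    if ($PSCmdlet.ShouldProcess($Path, "Create $Class without certificate association")) {
        New-TppObject -Path $Path -Class $Class -Attribute $createAttrs -VenafiSession $VenafiSession
    }

    # Step 2: write the Certificate attribute directly onto the new group object.
    if ($PSCmdlet.ShouldProcess($Path, "Set Certificate attribute to $certificatePath")) {
        Set-TppAttribute -Path $Path -Attribute @{ Certificate = $certificatePath } -VenafiSession $VenafiSession
    }
}

# Usage with the attribute set from the issue (values are the reporter's sample values):
# New-TppApplicationGroup -Path '\OneToMany\mycert.test - Pkcs11 App Group' `
#     -Class 'PKCS11 Application Group' -Attribute $atts -VenafiSession $session
```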

gdbarron commented 1 year ago

Thanks for the issue. The one item I see missing is the problem and/or error with this, the 'actual behavior' section. I'm trying to understand if this is an issue with the module or the api.

astro2000j commented 1 year ago

@gdbarron I tagged the section (link in the description) where the behavior occurs. I found in the $error variable that the function was executing the Add-TppCertificateAssociation while trying to create the application group using the New-TppObject. The function evaluates if the certificate attribute exists in the payload. If it returns true, the association is attempted.

The application group needs this config, but the application group isn't an application object and this is what is causing the error. This seems to be coming from TPP which doesn't allow a certificate association if the object is not an application type.

Here is the error:

Invoke-WebRequest: /Users/nelson.buya/.local/share/powershell/Modules/VenafiPS/5.8.1/Public/Invoke-VenafiRestMethod.ps1:254:40
Line |
 254 |  … put = $($response = Invoke-WebRequest @params -ErrorAction Stop) 4>&1
     |                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | {"Error":"Application object error. \"PKCS11 Application Group\" is not
     | an Application object of DN
     | \"\\VED\\Policy\\PKCS11-Win\\testapi.lab.securafi.net - Pkcs11 App
     | Group\".","Success":false}

astro2000j commented 1 year ago

Here is the method stack from the $error:

PS /Users/nelson.buya> $err.Data.Values

MethodName
----------
Invoke-VenafiRestMethod
Add-TppCertificateAssociation<Process>
New-TppObject
<ScriptBlock>
<ScriptBlock>
Invoke-VenafiRestMethod
Add-TppCertificateAssociation<Process>
New-TppObject
<ScriptBlock>
<ScriptBlock>
Invoke-VenafiRestMethod
Add-TppCertificateAssociation<Process>
New-TppObject
<ScriptBlock>
<ScriptBlock>
Invoke-VenafiRestMethod
Add-TppCertificateAssociation<Process>
New-TppObject
<ScriptBlock>
<ScriptBlock>

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] commented 8 months ago

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] commented 7 months ago

This issue was closed because it has been inactive for 30 days since being marked as stale.