cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

auth_key not working on default profile #1093

Open allir opened 4 years ago

allir commented 4 years ago

Hey, it seems for me that the "auth_key" is not working when supplied in the default profile. When running cfssl serve it throws a warning for the /sign endpoint. Note: I'm using cfssl version 1.4.1 installed via homebrew.

The warning that is shown:

2020/04/06 12:27:32 [WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}

Here is the config file I'm using:

{
    "signing": {
        "default": {
            "auth_key": "key1",
            "expiry": "8760h",
            "crl_url": "http://localhost:8888/api/v1/cfssl/crl",
            "ocsp_url": "http://localhost:8889",
            "usages": [
                "signing",
                "key encipherment",
                "server auth",
                "client auth"
            ]
        },
        "profiles": {
            "intermediate": {
                "auth_key": "key1",
                "expiry": "43800h",
                "usages": [
                    "cert sign",
                    "crl sign"
                ],
                "ca_constraint": {
                    "is_ca": true,
                    "max_path_len": 0,
                    "max_path_len_zero": true
                }
            },
            "ocsp": {
                "auth_key": "key1",
                "expiry": "43800h",
                "usages": [
                    "digital signature",
                    "ocsp signing"
                ]
            },
            "server": {
                "auth_key": "key1",
                "expiry": "8760h",
                "usages": [
                  "signing",
                  "key encipherment",
                  "server auth",
                  "client auth"
                ]
            },
            "client": {
                "auth_key": "key1",
                "expiry": "8760h",
                "usages": [
                  "signing",
                  "key encipherment",
                  "client auth",
                  "email protection"
                ]
            }
        }
    },
    "auth_keys": {
        "key1": {
            "type": "standard",
            "key": "E50195DC233B5689D162472009476BFD"
        }
    }
}

If I remove the "auth_key" from the default profile it works. But then the default profile does not require any authentication and therefore can be used without a key.

2020/04/06 12:29:55 [INFO] endpoint '/api/v1/cfssl/scan' is enabled

As a workaround I've been removing all usages from the default profile so it can't be used to sign certificates. In both cases, with or without key on default profile, the other profiles work without issues.

Roydon commented 4 years ago

I am facing exact same issue.

mattpallissard commented 4 years ago

Likewise.

Cylindric commented 3 years ago

@Roydon or @mattpallissard you ever resolve this? I'm having the same problem and there's very little info out there about CFSSL.

mattpallissard commented 3 years ago

@Cylindric, we implemented the workaround above. No default profile. Something like this should work.

{
        "signing": {
                "default": {
                        "expiry": "1h",
                        "usages": [],
                        "auth_key": "default"
                },
                "profiles": {
                        "foo": {
                                "auth_key": "foo",
                                "expiry": "1h",
                                "usages": [
                                        "critical",
                                        "signing",
                                        "key encipherment",
                                        "data encipherment",
                                        "server auth"
                                ]
                        },
                        "bar": {
                                "auth_key": "bar",
                                "expiry": "2h",
                                "usages": [
                                        "hurr",
                                        "durr",
                                        "ima sheep"
                                ]
                        }
                }
        },
        "auth_keys": {
                "default": {
                        "key": "defaultkeydatagoeshere",
                        "type": "standard"
                },
                "foo": {
                        "key": "fookeydatagoeshere",
                        "type": "standard"
                },
                "bar": {
                        "key": "barkeydatagoeshere",
                        "type": "standard"
                }
        }
}

As an aside, I can't remember why we left a default key in there. I'd venture to guess that it wouldn't start up without it.

Anyway, best of luck. This product works as advertised but is very clearly an internal tool that the community can use and modify as they see fit. Not a product that's built around community adoption. As a result, it's got some rough edges but does the job.

creaky commented 9 months ago

It appears this is expected behaviour. The /api/v1/cfssl/sign endpoint is used for unauthenticated remote signing requests.

If no unauthenticated signing profiles exist, then the endpoint 'sign' is disabled with the {"code":5200,"message":"Invalid or unknown policy"} message printed on starting cfssl serve.

All signing profiles with authentication defined make use of the /api/v1/cfssl/authsign endpoint.

Ensure the client is configured to use authentication when requesting remote signing.
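As an added example (not part of this thread and not cfssl's own code), a small Python audit of a cfssl config in the shape allir posted, applying the rule creaky describes: a profile with no auth_key is served unauthenticated through /api/v1/cfssl/sign, and that endpoint is only registered when such a profile exists, so the 5200 warning is benign when every profile is authenticated. The sample config, the function names and the hex check on "standard" keys are assumptions made for the example.

```python
# Constructed sample in the shape of the issue's config (what json.load gives for
# the file): "default" and every named profile carry an auth_key.
SAMPLE_CONFIG = {
    "signing": {
        "default": {"auth_key": "key1", "expiry": "8760h", "usages": ["server auth"]},
        "profiles": {
            "server": {"auth_key": "key1", "expiry": "8760h", "usages": ["server auth"]},
            "client": {"auth_key": "key1", "expiry": "8760h", "usages": ["client auth"]},
        },
    },
    "auth_keys": {"key1": {"type": "standard", "key": "0123456789abcdef0123456789abcdef"}},
}

def signing_profiles(config: dict) -> dict:
    """All selectable profiles by name; "default" is selectable like any other."""
    signing = config.get("signing", {})
    return {"default": signing.get("default", {}), **signing.get("profiles", {})}

def unauthenticated_profiles(config: dict) -> list:
    """Profiles with no auth_key: served by /api/v1/cfssl/sign with no token at all."""
    return [n for n, p in signing_profiles(config).items() if not p.get("auth_key")]

def exposed_profiles(config: dict) -> list:
    """Unauthenticated profiles that still list usages and so can really issue
    certificates; a "usages": [] profile (the thread's workaround) cannot sign."""
    profiles = signing_profiles(config)
    return [n for n in unauthenticated_profiles(config) if profiles[n].get("usages")]

def sign_endpoint_enabled(config: dict) -> bool:
    """Assumed from the thread's description (not quoted from cfssl): 'sign' is
    registered only when some profile lacks auth_key, else the 5200 warning."""
    return bool(unauthenticated_profiles(config))

def audit_auth_keys(config: dict) -> list:
    """Findings: a profile referencing a key missing from auth_keys, or a
    'standard' key that is not hex (cfssl hex-decodes it into the HMAC secret)."""
    findings, keys = [], config.get("auth_keys", {})
    for name, p in signing_profiles(config).items():
        ref = p.get("auth_key")
        if ref and ref not in keys:
            findings.append(f"profile {name!r} references undefined auth_key {ref!r}")
    for kname, k in keys.items():
        if k.get("type") == "standard":
            try:
                bytes.fromhex(k.get("key", ""))
            except ValueError:
                findings.append(f"auth_key {kname!r} is not valid hex")
    return findings
```

Run it against the real config with `json.load(open("config.json"))` in place of SAMPLE_CONFIG; an empty `exposed_profiles` result means nobody can obtain a certificate from this server without a token.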