cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License

Inserting Root Certificate into Database Fails Due to Missing AKI #1385

Open thebluesoul opened 1 week ago

thebluesoul commented 1 week ago

Description:

I am trying to store root certificate information in a MySQL database using the api/v1/cfssl/certadd API. However, I encounter an error due to the missing authority_key_identifier (AKI) in the root certificate.

I want to insert a root certificate into a MySQL database using either the cfssl HTTP API or the cfssl binary tool.

Steps to Reproduce:

Use the following API request to insert the root certificate:

root@3740aa34a622:/etc/cfssl# cat ./certs/ca.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

root@3740aa34a622:/etc/cfssl#  curl -X POST http://192.168.35.60:8889/api/v1/cfssl/certadd -H 'Content-Type: application/json' -d '{
  "authority_key_identifier": "F3F0809D28EB1472545CD36D04E3DA0E6577FD36",
  "expiry": "2029-06-26T10:43:00Z",
  "pem": "-----BEGIN CERTIFICATE-----\nMIID6DCCAtCgAwIBAgIUDSiWMRW9BdZNzmuNO35gl8QuqOwwDQYJKoZIhvcNAQEL\nBQAwgYsxCzAJBgNVBAYTAktSMRQwEgYDVQQIEwtHeWVvbmdnaS1kbzESMBAGA1UE\nBxMJQW55YW5nLXNpMRYwFAYDVQQKEw1HRU5JQU5TLCBJTkMuMSIwIAYDVQQLExlU\nZWNobmljYWwgUmVzZWFyY2ggQ2VudGVyMRYwFAYDVQQDEw0xOTIuMTY4LjM1LjYw\nMB4XDTI0MDYyNzEwNDMwMFoXDTI5MDYyNjEwNDMwMFowgYsxCzAJBgNVBAYTAktS\nMRQwEgYDVQQIEwtHeWVvbmdnaS1kbzESMBAGA1UEBxMJQW55YW5nLXNpMRYwFAYD\nVQQKEw1HRU5JQU5TLCBJTkMuMSIwIAYDVQQLExlUZWNobmljYWwgUmVzZWFyY2gg\nQ2VudGVyMRYwFAYDVQQDEw0xOTIuMTY4LjM1LjYwMIIBIjANBgkqhkiG9w0BAQEF\nAAOCAQ8AMIIBCgKCAQEA2bVcpuWARNAI9mKdXyvVOOuBw+YSb87VgkYMt4UcDQky\n59dtLoOjrXuIR2jh6zQIIlfpq5Yr4JINs42TW0hXEcOjnu/nUrinhYmHIybhehZQ\nsphAR+1zubAba4fdyYcmA6kx7Q+Hcdg3JpEl8iofayblU7L5bmxN8yzCB/X+AZbk\ne1zl0Z1nZUu/luMZeHPpyNjq8O3/PseAf84OhkglTKGAq82vOCCPYY6cRHGGwLxj\nWApVCHKhiTqpH4PVxKccUDpYdV10jTVvcPBejuCNPKHE9C7MGrLrs6IjzWISQGBX\nUynInksm48Zj5vcI/fFWeQ99GHtz1VJp/GHdOgRsFQIDAQABo0IwQDAOBgNVHQ8B\nAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8/CAnSjrFHJUXNNt\nBOPaDmV3/TYwDQYJKoZIhvcNAQELBQADggEBAFdjg9j2n4RZnjaQAmfJpVl5J5fi\n/CdGeqm4yCli6dCxgdqAPSrN+duW06UAsY6BvcJSwzAm6Wrt2KEjYjjWH71ZcGVd\nsCAgp//8bCrsaGId1/UgHfcGrNnK79IQgmh5/RZUqAEpwZge6kvZ1uzzL6sSdjNU\ng9comNH5jaqSisT54XNmnPDA11IDJRTuKizezT6ge6q+Jcxib9D/Qa8gyZSP1k6F\nRZyRIlm0ERki7wEu3LMKUgXZ0bI1lHjLmeBv+uPQfRXJeGGlS7Bo7Hu7kYhajP9D\nJRpQr3vv8ca3Q0neELalF9Ebj72eN4LJj5P06uai1s0fsOThtzks0k5PjZA=\n-----END CERTIFICATE-----",
  "serial_number": "75121993374272132312375006869829137882009217260",
  "status": "good",
  "common_name": "192.168.35.60"
}'

The following error occurs:

{"success":false,"result":null,"errors":[{"code":400,"message":"Authority key identifier of request and certificate do not match"}],"messages":[]}

Reason:

This error occurs because the root certificate does not have an AKI value. I attempted to use the SKI value instead of the AKI, but the same error occurs due to the following code in insert.go:

if !bytes.Equal(aki, cert.AuthorityKeyId) {
    return errors.NewBadRequestString("Authority key identifier of request and certificate do not match")
}
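The comparison quoted above, exercised against a freshly generated self-signed root, as an added example in Go (not cfssl's own code; the certificate is constructed test data, not the one from the issue). It shows why putting the SKI into authority_key_identifier cannot satisfy this check for a root that carries no AKI extension, and that the quoted comparison by itself would accept an empty value; whether the full handler permits an empty field is not shown on this page.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// akiMatches reproduces the check quoted from insert.go: hex AKI from the request vs. the cert's AKI extension.
func akiMatches(requestAKI string, cert *x509.Certificate) (bool, error) {
	aki, err := hex.DecodeString(requestAKI)
	if err != nil {
		return false, err
	}
	return bytes.Equal(aki, cert.AuthorityKeyId), nil
}

// newSelfSignedRoot builds a throwaway self-signed CA (constructed test data). Go 1.15+ fills in an SKI
// for CA templates, but for a self-signed cert it leaves AuthorityKeyId empty, as with the root in the issue.
func newSelfSignedRoot() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := newSelfSignedRoot()
	if err != nil { panic(err) }
	ok, _ := akiMatches(hex.EncodeToString(cert.SubjectKeyId), cert) // SKI sent as AKI, as in the issue
	fmt.Printf("SKI=%X AKI=%X SKI-as-AKI passes check: %v\n", cert.SubjectKeyId, cert.AuthorityKeyId, ok)
}
```

Run it against a real root by replacing newSelfSignedRoot with x509.ParseCertificate on the decoded PEM; an empty AKI line in the output is the condition that makes the SKI substitution fail.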