openziti / ziti-tunnel-sdk-c

Apache License 2.0

enroll segfault with external CA #680

Open qrkourier opened 1 year ago

qrkourier commented 1 year ago

I added and verified a CA enabled for auto-enroll. I issued a client cert from the external CA that I'd verified. I downloaded the verified CA's JWT. I attempted to enroll with the latest ziti-edge-tunnel. The controller is 0.28.0. After enroll the identity exists but the output file is empty.

❯ ziti-edge-tunnel version
v0.21.5-local

❯ ziti-edge-tunnel enroll --cert ~/.config/ziti/environments/pki/magenta/certs/kentest-client0.cert --key ~/.config/ziti/environments/pki/magenta/keys/kentest-client0.key --jwt /tmp/1Mh6VPNScwB6Adk8aKsS6N.jwt --identity /tmp/kentest-client0.json --name "kentest-client0 custom name overrided at enroll"
(841720)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(841720)[        0.000]    INFO ziti-sdk:utils.c:188 ziti_log_set_level() set log level: root=3/INFO
(841720)[        0.000]    INFO ziti-sdk:ziti_enroll.c:90 ziti_enroll() Ziti C SDK version 0.32.8 @d7f329f(HEAD) starting enrollment at (2023-06-14T20:55:47.201)
[1]    841720 segmentation fault (core dumped)  ziti-edge-tunnel enroll --cert  --key  --jwt /tmp/1Mh6VPNScwB6Adk8aKsS6N.jwt 

❯ file /tmp/kentest-client0.json 
/tmp/kentest-client0.json: empty

❯ cat /tmp/1Mh6VPNScwB6Adk8aKsS6N.jwt
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbSI6ImNhIiwiaXNzIjoiaHR0cHM6Ly9jbGllbnQuY2FuYXJ5Lm9wZW56aXRpLmlvOjQ0My8ifQ.majkoxdVYnqDP493CHOivsGRdHvWsSLCEnJVjsXq_ef-VwxDFRFxXbk_RQMjinXH-SjKxD16sLF_aNotyOmtL0iica1t996VvjYvIubSAQVNZ_HsXrAdNwNM2WgC8fWkapw-Rc80T4r_pvxg3D2uQvECXSWTF4I1b6vyurYqK-JAZNsKGrysXIDU02-o7YwmPTM86ndGpKAanhijDNiDn4Sfj4JQFpXod5-lplewfEvjZZYfWzr8QcqbIE2Ey33rCbX_85Sdo-5foYuYAhlH3ezMv1OCaVD_doWcm5zDKaALru0KVNz-SkIr9mSLiV3ntWiD341CabsoyxSJ2bb1zN3rFYGHwSKH2_etRpEOU7rIih53uQbhPXqKA3r-f07WXii3CVCvGSF6tUfvFYxFsZ1q_wQlORj8NVx1oBZAaD6XtOitTVB9seV1LPvUr9x9rJCHftzB_G9k0SMoE8S6kJ-U-C_FCX7L3-H_QlWuX64h0uViQmoXRH4tZT9zxwqPfnMsM4IHzhvZQo8PvQA4DJiu3x0wzCpVUmd2mR4lnwz5iSikIYGxqhYn0H78sNPfJXs24SptlExBU0tRCJPK80ry3-xdzgvJXLfwdZ8CGi_d6ZQHaHkXmbfQtCq-WTuQonoK5S5di45IFXIDVDLVeDjkW4LxAaCIjG22LpsUXxo

❯ cat ~/.config/ziti/environments/pki/magenta/certs/kentest-client0.cert
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Analysis of the reusable autoca token:

{
    "header": {
        "alg": "RS256",
        "typ": "JWT"
    },
    "payload": {
        "em": "ca",
        "iss": "https://client.canary.openziti.io:443/"
    },
    "analysis": {
        "signature_valid": false,
        "enrollment_method": "reusable token for auto-creating an identity from a trusted external CA"
    }
}
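The analysis block above is what you get from splitting the CA enrollment JWT into its three segments and base64url-decoding the first two. The following script is an added example, not code from the issue or from the ziti-tunnel-sdk-c project: it reproduces that decode on the token quoted above (copied as-is, minus the trailing zsh `%` marker), classifies the `em` claim, and adds the check a defender wants before handing a reusable token to a client, namely that `iss` points at the controller you intend to enroll with. The `ENROLLMENT_METHODS` table and the helper names are the example's own; the signature is not verified here because the controller's signing key is not on the page, which is also why the issue's analysis reports `"signature_valid": false`.

```python
import base64
import json
from urllib.parse import urlsplit

# Copy of the CA enrollment token pasted in the issue. The "%" after it in
# the terminal output is zsh's missing-newline marker and is not part of it.
CA_ENROLL_JWT = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJlbSI6ImNhIiwiaXNzIjoiaHR0cHM6Ly9jbGllbnQuY2FuYXJ5Lm9wZW56aXRpLmlvOjQ0My8ifQ."
    "majkoxdVYnqDP493CHOivsGRdHvWsSLCEnJVjsXq_ef-VwxDFRFxXbk_RQMjinXH-SjKxD16sLF_aNotyOmtL0iica1t996VvjYvIubSAQVNZ_HsXrAdNwNM2WgC8fWkapw-Rc80T4r_pvxg3D2uQvECXSWTF4I1b6vyurYqK-JAZNsKGrysXIDU02-o7YwmPTM86ndGpKAanhijDNiDn4Sfj4JQFpXod5-lplewfEvjZZYfWzr8QcqbIE2Ey33rCbX_85Sdo-5foYuYAhlH3ezMv1OCaVD_doWcm5zDKaALru0KVNz-SkIr9mSLiV3ntWiD341CabsoyxSJ2bb1zN3rFYGHwSKH2_etRpEOU7rIih53uQbhPXqKA3r-f07WXii3CVCvGSF6tUfvFYxFsZ1q_wQlORj8NVx1oBZAaD6XtOitTVB9seV1LPvUr9x9rJCHftzB_G9k0SMoE8S6kJ-U-C_FCX7L3-H_QlWuX64h0uViQmoXRH4tZT9zxwqPfnMsM4IHzhvZQo8PvQA4DJiu3x0wzCpVUmd2mR4lnwz5iSikIYGxqhYn0H78sNPfJXs24SptlExBU0tRCJPK80ry3-xdzgvJXLfwdZ8CGi_d6ZQHaHkXmbfQtCq-WTuQonoK5S5di45IFXIDVDLVeDjkW4LxAaCIjG22LpsUXxo"
)

# Enrollment methods named by the "em" claim. "ca" and "ottca" correspond to
# the CA's isAutoCaEnrollmentEnabled / isOttCaEnrollmentEnabled flags shown
# later in the issue; "ott" is the ordinary per-identity one-time token.
# The wording of this table is the example's own (assumption).
ENROLLMENT_METHODS = {
    "ca": "reusable token: any cert chaining to the verified external CA auto-creates an identity",
    "ottca": "one-time token bound to one identity, presented with a cert from the external CA",
    "ott": "one-time token bound to one identity; the controller signs the client's CSR",
}


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment: base64url without padding, so restore the '='."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str) -> dict:
    """Split a compact JWS into header, payload and the raw signature segment.

    Only the structure and the JSON are checked. The signature is NOT verified
    (that needs the controller's public key), so nothing here proves the token
    is genuine; it only shows what the token claims.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if header.get("typ") != "JWT":
        raise ValueError(f"unexpected typ: {header.get('typ')!r}")
    return {"header": header, "payload": payload, "signature_b64": parts[2]}


def describe_enrollment(payload: dict) -> str:
    """Human-readable meaning of the 'em' (enrollment method) claim."""
    em = payload.get("em")
    return ENROLLMENT_METHODS.get(em, f"unknown enrollment method {em!r}")


def issuer_matches(payload: dict, expected_host: str, expected_port: int = 443) -> bool:
    """True when 'iss' is an https URL for the controller we intend to enroll with."""
    iss = urlsplit(payload.get("iss", ""))
    port = iss.port if iss.port is not None else (443 if iss.scheme == "https" else None)
    return iss.scheme == "https" and iss.hostname == expected_host and port == expected_port


def is_reusable(payload: dict) -> bool:
    """A 'ca' token carries no per-identity binding (no sub/jti/exp), so it can be reused.

    Treat such a token as an address for the controller; the client certificate
    issued by the external CA is the actual credential being enrolled.
    """
    return payload.get("em") == "ca" and not any(k in payload for k in ("sub", "jti", "exp"))


if __name__ == "__main__":
    t = decode_unverified(CA_ENROLL_JWT)
    print("header :", json.dumps(t["header"]))
    print("payload:", json.dumps(t["payload"]))
    print("method :", describe_enrollment(t["payload"]))
    print("issuer ok:", issuer_matches(t["payload"], "client.canary.openziti.io"))
    print("reusable :", is_reusable(t["payload"]))
```

Run it as-is to reproduce the header and payload in the analysis block; swap the hostname in the `issuer_matches` call to the controller you actually operate to turn it into a pre-enrollment check.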
qrkourier commented 1 year ago
❯ apport-unpack /var/crash/_opt_openziti_bin_ziti-edge-tunnel.1000.crash /tmp/crashpack

❯ gdb $(realpath $(which ziti-edge-tunnel)) -c /tmp/crashpack/CoreDump
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /opt/openziti/bin/ziti-edge-tunnel...
[New LWP 841720]
[New LWP 841722]
[New LWP 841721]
[New LWP 841723]
[New LWP 841724]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `ziti-edge-tunnel enroll --cert /home/kbingham/.config/ziti/environments/pki/mag'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
74      ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
[Current thread is 1 (Thread 0x7f95711eb740 (LWP 841720))]
(gdb) 
qrkourier commented 1 year ago
(gdb) bt 
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:74
#1  0x00005591a620719a in enroll_cb (er=0x5591a888d280, err=<optimized out>, enroll_ctx=0x5591a887fa00) at /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_enroll.c:250
#2  0x00005591a62088c0 in ctrl_default_cb (s=<optimized out>, e=<optimized out>, resp=0x5591a88811a0) at /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_ctrl.c:197
#3  0x00005591a6209a08 in ctrl_body_cb (req=0x5591a8881240, b=<optimized out>, len=<optimized out>) at /github/workspace/build/_deps/ziti-sdk-c-src/library/ziti_ctrl.c:369
#4  0x00005591a623e085 in http_message_cb (parser=<optimized out>) at /github/workspace/build/_deps/tlsuv-src/src/http_req.c:270
#5  0x00005591a624598a in llhttp.internal_execute ()
#6  0x00005591a623e2ef in http_req_process (req=req@entry=0x5591a8881240, 
    buf=0x5591a8899f80 "HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\nContent-Length: 42\r\nContent-Type: application/json\r\nServer: ziti-controller/v0.28.0\r\nZiti-Instance-Id: clilsmet700000d9r2huknzsu\r\nDate: Wed, 14 Jun 2023 20:55:"..., len=len@entry=252) at /github/workspace/build/_deps/tlsuv-src/src/http_req.c:77
#7  0x00005591a623c956 in http_read_cb (link=<optimized out>, nread=252, buf=0x7ffc9f877700) at /github/workspace/build/_deps/tlsuv-src/src/http.c:86
#8  0x00005591a6242bc2 in uv_link_propagate_read_cb (link=<optimized out>, nread=<optimized out>, buf=<optimized out>) at /github/workspace/build/_deps/tlsuv-src/deps/uv_link_t/src/uv_link_t.c:295
#9  0x00005591a623f630 in tls_read_cb (l=0x5591a8880e40, nread=<optimized out>, b=0x7ffc9f877700) at /github/workspace/build/_deps/tlsuv-src/src/tls_link.c:178
#10 0x00005591a6242bc2 in uv_link_propagate_read_cb (link=<optimized out>, nread=<optimized out>, buf=<optimized out>) at /github/workspace/build/_deps/tlsuv-src/deps/uv_link_t/src/uv_link_t.c:295
#11 0x00005591a625a61f in uv.read ()
#12 0x00005591a625af30 in uv.stream_io ()
#13 0x00005591a6262d1d in uv.io_poll ()
#14 0x00005591a6250046 in uv_run ()
#15 0x00005591a61f0a68 in enroll (argc=<optimized out>, argv=<optimized out>) at /github/workspace/programs/ziti-edge-tunnel/ziti-edge-tunnel.c:2185
#16 0x00005591a61ee3e0 in main (argc=12, argv=0x7ffc9f87ac18) at /github/workspace/programs/ziti-edge-tunnel/ziti-edge-tunnel.c:3198
qrkourier commented 1 year ago

CoreDump.gz

qrkourier commented 1 year ago
❯ ziti edge list cas 'name="kentest magenta CA"' -j | jq 
{
  "data": [
    {
      "_links": {
        "jwt": {
          "href": "./cas/1Mh6VPNScwB6Adk8aKsS6N/jwt"
        },
        "self": {
          "href": "./cas/1Mh6VPNScwB6Adk8aKsS6N"
        }
      },
      "createdAt": "2023-06-14T20:50:09.895Z",
      "id": "1Mh6VPNScwB6Adk8aKsS6N",
      "tags": {},
      "updatedAt": "2023-06-14T20:51:05.288Z",
      "certPem": "-----BEGIN CERTIFICATE-----\nMIIFoTCCA4mgAwIBAgIQEQG1pb7zuKbPhcE7i/+K1TANBgkqhkiG9w0BAQsFADBa\nMQswCQYDVQQGEwJVUzESMBAGA1UEBxMJQ2hhcmxvdHRlMRMwEQYDVQQKEwpOZXRG\nb3VuZHJ5MRAwDgYDVQQLEwdBRFYtREVWMRAwDgYDVQQDEwdtYWdlbnRhMB4XDTIz\nMDYxNDIwNDgwNFoXDTMzMDYxMTIwNDkwM1owWjELMAkGA1UEBhMCVVMxEjAQBgNV\nBAcTCUNoYXJsb3R0ZTETMBEGA1UEChMKTmV0Rm91bmRyeTEQMA4GA1UECxMHQURW\nLURFVjEQMA4GA1UEAxMHbWFnZW50YTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC\nAgoCggIBAOe1PyqxRmHRwoHdfBVf7AmhkP7gj9d4aG/LH7Gt6wOI8I/pEjOlFPyv\nuGoJQRFaiKZp8NPmI1YNry+bTlgZe9hy1hO398Kdr7w0KfU0ySkMo5vH3GiqIqt0\n201IUeekrN9JvF4r55G8XL5AcHXXeJrcEcs5j0VdRTcfHpk2XTAZzSBgi+4RH5lN\nos0Kwqa4eYJIwZA8ygj7c+xGJKtvK1ofPXlUB0Lbjxuo1ctC59JQIS3LG0EflTFO\nz710+sJkO/vA156oTNxADFcUkhVW13VzkhVGJ9k+9tP1jVdLsAflLysflFeTpdgF\nz/h5TRSwsOrJs4GdDhh23S+Po79fmNwqM/uKe82TLF3XL866ear2YY82JBdoYur7\nTITMSHWGQQ8XVRhQcYVX3s9tEl7NPAD3y0gDg7ltJcodjsFKMhOxTpp9qsZIlzVw\n7wnPs2Gv3nhLqFFR/81tS3NWeqBKArDoVyr/dumiNVPHz9brpqu8MGMguBlt/kdm\nAJRTIUPNpRsqCgsFHQJH3OjooE+r3tG7mEFPP9aatTPEMmdOwX9brZrpHopPAfRx\nF5mWmqqDP4X/n5amOQtLIt3HvDeSvsHFkcASywJgjXpOJ4CfFcMWVGjXhasWrlhK\nHVhbbhY8W5fXqQRmBjsNsUitb1kwFpMZax17qv5z91PGcPYn4xh3AgMBAAGjYzBh\nMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRKF5J/\n5O4DB3UdnRn6u4K9awONMjAfBgNVHSMEGDAWgBRKF5J/5O4DB3UdnRn6u4K9awON\nMjANBgkqhkiG9w0BAQsFAAOCAgEAYHdYVH0tk6PgYMnnceHZUMHD7blFYbvpX7Sf\nvRXEGTaDztlEj2ktds592nt21aUo4KiW8ueO8AvbNusI08kkhhzUtVdP69p0ImS0\nSn+rGEOJ3NEUVIBgUI8jwDkIapOhAbkN4S2z/2sCo+vQHYQsgLifOzhQ9U1DQ8aB\ne4ZKWRFR6EXngtPG33nv1ImJlvqXYUMLbYU0a4sflotaCSwhfo5TyfnARpIhlilZ\nCJh6RoSCZwcyPMHjRrAkjVWXdh7cbRqZxV8W/TsuPgv4TjWMxaZpb8mmI5ZbrioG\neiitOyWzANtMpWkCCd9Y8XtKfriD35GQqG00db2MCvFdp+a2HCA5V/lDQL3fPwmy\n3JCDto8aoFu5k6Q77skVgOM/NUyr4FMyAyzzN1BiqYh7srMCgPG7Keevg/Jtc0+m\n6oBJwsK1eahIk8kd4ixa40znlUPM9puqngzuF4rvyGBf+HsfmSaEJzYkmuyi4dx7\nF0IFkHSlMHIeHRNi5mirS5zszbosjwdv2l7GfDo4LKZeAZQqssQBTpV7WxDS3j3m\nm3W6FvSHr0zdZyLrmYR7QXWz/8vSLrgIWk0gIRpKnn4UfLaoR7ocCBAynmFbV0Hr\nUN+Cj0PNjFNgBO1Xj+8gbOg8Rw0yncJEdsPO1aG
cwuja2zJW/0xilm38w3zILhng\nUy17T2w=\n-----END CERTIFICATE-----\n",
      "fingerprint": "1a851410c3e2125b6b28d5aa48b209d63eea68a6",
      "identityNameFormat": "[caName]-[commonName]",
      "identityRoles": null,
      "isAuthEnabled": true,
      "isAutoCaEnrollmentEnabled": true,
      "isOttCaEnrollmentEnabled": false,
      "isVerified": true,
      "name": "kentest magenta CA",
      "verificationToken": "Jbc0GkWU0"
    }
  ],
  "meta": {
    "filterableFields": [
      "isVerified",
      "isAutoCaEnrollmentEnabled",
      "isOttCaEnrollmentEnabled",
      "isAuthEnabled",
      "createdAt",
      "name",
      "fingerprint",
      "isSystem",
      "verificationToken",
      "id",
      "updatedAt",
      "tags"
    ],
    "pagination": {
      "limit": 10,
      "offset": 0,
      "totalCount": 1
    }
  }
}
❯ ziti edge list identities 'id="KwAfGkbB0"' -j | jq
{
  "data": [
    {
      "_links": {
        "auth-policies": {
          "href": "./auth-policies/default"
        },
        "authenticators": {
          "href": "./identities/KwAfGkbB0/authenticators"
        },
        "edge-router-policies": {
          "href": "./identities/KwAfGkbB0/edge-router-policies"
        },
        "edge-routers": {
          "href": "./identities/KwAfGkbB0/edge-routers"
        },
        "enrollments": {
          "href": "./identities/KwAfGkbB0/enrollments"
        },
        "failed-service-requests": {
          "href": "./identities/KwAfGkbB0/failed-service-requests"
        },
        "posture-data": {
          "href": "./identities/KwAfGkbB0/posture-data"
        },
        "self": {
          "href": "./identities/KwAfGkbB0"
        },
        "service-configs": {
          "href": "./identities/KwAfGkbB0/service-configs"
        },
        "service-policies": {
          "href": "./identities/KwAfGkbB0/service-policies"
        },
        "services": {
          "href": "./identities/KwAfGkbB0/services"
        }
      },
      "createdAt": "2023-06-14T20:55:47.961Z",
      "id": "KwAfGkbB0",
      "tags": {},
      "updatedAt": "2023-06-14T20:55:47.961Z",
      "appData": {},
      "authPolicy": {
        "_links": {
          "self": {
            "href": "./auth-policies/default"
          }
        },
        "entity": "auth-policies",
        "id": "default",
        "name": "Default"
      },
      "authPolicyId": "default",
      "authenticators": {
        "cert": {
          "fingerprint": "4c9fe2db45b95aa064aa2c9c6cee5f2d5d84501e",
          "id": "ldJZGkbU0"
        }
      },
      "defaultHostingCost": 0,
      "defaultHostingPrecedence": "default",
      "disabled": false,
      "enrollment": {},
      "envInfo": {},
      "externalId": null,
      "hasApiSession": false,
      "hasEdgeRouterConnection": false,
      "isAdmin": false,
      "isDefaultAdmin": false,
      "isMfaEnabled": false,
      "name": "kentest magenta CA-kentest-client0",
      "roleAttributes": null,
      "sdkInfo": {},
      "serviceHostingCosts": {},
      "serviceHostingPrecedences": {},
      "type": {
        "_links": {
          "self": {
            "href": "./identity-types/Device"
          }
        },
        "entity": "identity-types",
        "id": "Device",
        "name": "Device"
      },
      "typeId": "Device"
    }
  ],
  "meta": {
    "filterableFields": [
      "createdAt",
      "tags",
      "type",
      "authPolicyId",
      "id",
      "updatedAt",
      "isSystem",
      "roleAttributes",
      "name",
      "externalId",
      "isAdmin",
      "isDefaultAdmin"
    ],
    "pagination": {
      "limit": 10,
      "offset": 0,
      "totalCount": 1
    }
  }
}
qrkourier commented 1 year ago

I confirmed the segfault recurs when the enroll --name flag is not present.

qrkourier commented 1 year ago

I didn't have any problem enrolling with a third client cert with ziti edge enroll, and I'm able to connect to services with the resulting identity JSON file.