smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

.Insecure.User variables are not set in templates when using --set "var=val" #624

Closed henschkowski closed 2 years ago

henschkowski commented 2 years ago

Subject of the issue

I've set up an offline CA and want to specify the certificate's DN with values that are supplied on the command line. Now the values I give to the "step ca" command with the --set option are not available in the template / generated certificate, they show as "<no value>". I'm referring to the documentation at https://smallstep.com/docs/step-ca/templates .

Your environment

Steps to reproduce

Set up a simple CA as per the docs. Then configure a JWK provisioner that has a template configured. Mine is like this:

    ...
    "authority": {
        "provisioners": [
            {
                "type": "JWK",
                "name": "web",
                "key": {
                    ...
                },
                "options": {
                    "x509": {
                        "templateFile": "/home/stepca/web.tpl"
                    }
                }
            }
        ]
    ...

The file "/home/stepca/web.tpl" looks like this:

{
    "subject": {
        "country": "CH",
        "organization": "{{ .Insecure.User.org }}",
        "commonName": "{{ .Subject.CommonName }}"
    },
    "keyUsage": ["keyEncipherment", "digitalSignature"],
    "extKeyUsage": ["serverAuth", "clientAuth"],
    "sans": {{ toJson .SANs }}
}

I then execute this command line:

step ca certificate theCN new.crt new.key --provisioner web --set "org=MYORG" --offline

The resulting certificate does not have the organization field set:


openssl x509 -text -in new.crt | grep Subject
        Subject: C = CH, O = "<no value>", CN = theCN
        Subject Public Key Info:
            X509v3 Subject Key Identifier: 
            X509v3 Subject Alternative Name: 

Expected behaviour

I would expect the generated certificate to have a Subject like this:

Subject: C = CH, O = "MYORG", CN = theCN

Actual behaviour

The value that I pass in via the command line's "--set" parameter is not available in the template, apparently.
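As an added illustration (not code from the issue or from smallstep), the following Go program reproduces the rendering behaviour behind the `<no value>` string: Go's text/template prints it whenever a map key such as `org` is absent from the template data. `TemplateData`, `NewData` and the `toJson` helper are stand-ins that only mimic the variables the issue's template references, not step's real types or functions; the strict mode shows how the `missingkey=error` option would fail the render instead of producing a Subject with a literal placeholder in it.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"text/template"
)

// TemplateData is a stand-in for the variables the issue's template references; it is not step's own context type.
type TemplateData struct {
	Subject  struct{ CommonName string }
	SANs     []map[string]string
	Insecure struct{ User map[string]string }
}

// NewData builds a context for common name cn with the --set style variables in user.
func NewData(cn string, user map[string]string) TemplateData {
	var d TemplateData
	d.Subject.CommonName = cn
	d.SANs = []map[string]string{{"type": "dns", "value": cn}}
	d.Insecure.User = user
	return d
}

// webTpl is the issue's template, reduced to the fields that matter here.
const webTpl = `{
    "subject": {
        "organization": "{{ .Insecure.User.org }}",
        "commonName": "{{ .Subject.CommonName }}"
    },
    "sans": {{ toJson .SANs }}
}`

// Render executes webTpl against data. By default text/template prints "<no value>" for a
// missing map key (the issue's symptom); strict=true (missingkey=error) fails the render instead.
func Render(data TemplateData, strict bool) (string, error) {
	toJSON := func(v interface{}) (string, error) { b, err := json.Marshal(v); return string(b), err }
	t := template.New("x509").Funcs(template.FuncMap{"toJson": toJSON})
	if strict {
		t = t.Option("missingkey=error")
	}
	var buf bytes.Buffer
	err := template.Must(t.Parse(webTpl)).Execute(&buf, data)
	return buf.String(), err
}

func main() {
	out, err := Render(NewData("theCN", map[string]string{}), false) // no org supplied
	fmt.Println(out, err) // organization renders as "<no value>", err is nil
}
```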

maraino commented 2 years ago

The problem is the --offline mode; this works as expected with an online CA.