
[cfssljson] parsing bundle and root certificate

Open abezard opened this issue 6 years ago • 0 comments

Maybe I'm misunderstanding something but I think #842 should be reverted? When using cfssljson against the result of sign request submitted via API, I can either generate ca-bundle.pem + ca-root.pem by using the argument -bare or generate ca.pem by not using the -bare argument but there's no way to generate the 3 files out of only 1 command.

When submitting a sign request via the API (/api/v1/cfssl/sign), we get the following type of response:

{
  "result": {
    "bundle": {
      "bundle": "-----BEGIN CERTIFICATE----- < redacted > -----END CERTIFICATE-----\n-----BEGIN CERTIFICATE----- < redacted > -----END CERTIFICATE-----\n-----BEGIN CERTIFICATE----- < redacted > -----END CERTIFICATE-----",
      "root": "-----BEGIN CERTIFICATE----- < redacted > -----END CERTIFICATE-----"
    }
  }
}

Now if you pipe that to cfssljson with the argument -bare, the whole json blob is going to be put in input (err = json.Unmarshal(fileData, &input)) and the data structure in input will remain the same as the one returned by the API.

Which means that cert will never be populated (as input["certificate"] and input["cert"] don't exist, only input["result"]["certificate"] and input["result"]["bundle"]["cert"] exist):

if contents, ok := input["cert"]; ok {
	cert = contents.(string)
} else if contents, ok = input["certificate"]; ok {
	cert = contents.(string)
}

And therefore ca.pem will never be generated:

if cert != "" {
	outs = append(outs, outputFile{
		Filename: baseName + ".pem",
		Contents: cert,
		Perms:    0664,
	})
}

Now if you don't use the -bare argument, you're going to get input = response.Result (L.97) which means that the data structure of input won't be similar to what was returned by the API. Instead it will be something like:

{
  "bundle": {
    "bundle": "-----BEGIN CERTIFICATE----- < redacted > -----END CERTIFICATE-----\n-----BEGIN CERTIFICATE----- < redacted > -----END CERTIFICATE-----\n-----BEGIN CERTIFICATE----- < redacted > -----END CERTIFICATE-----",
    "root": "-----BEGIN CERTIFICATE----- < redacted > -----END CERTIFICATE-----"
  }
}

With that data structure, the test L.157 fails (if result, ok := input["result"].(map[string]interface{}); ok {) and, as a result, ca-bundle.pem + ca-root.pem don't get generated.

abezard avatar Jul 18 '19 17:07 abezard
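To make the two code paths described in the issue concrete, the following is an added example (not cfssljson's or cfssl's own code) that reproduces the -bare / non-bare difference against a constructed response. It assumes the `result` object also carries a `certificate` key (as the issue states, though the redacted blob omits it); the `allOutputs` merged lookup and the `countPEMBlocks` check are assumptions of this example, not behaviour of the real tool.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// sampleResponse is a constructed stand-in for the /api/v1/cfssl/sign response
// shape described in the issue: a "result" object holding "certificate" plus a
// nested "bundle" object. The PEM bodies are placeholders, not real certificates.
const sampleResponse = `{
  "result": {
    "certificate": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----",
    "bundle": {
      "bundle": "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----",
      "root": "-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----"
    }
  }
}`

// Outputs maps an output file name (baseName + suffix, following cfssljson's
// naming) to the PEM text that would be written there.
type Outputs map[string]string

// collectOutputs mirrors the two lookups quoted in the issue: a top-level
// "cert"/"certificate" key for <base>.pem, and "result" -> "bundle" -> "bundle"/"root"
// for <base>-bundle.pem and <base>-root.pem. Simplified illustration only.
func collectOutputs(input map[string]interface{}, baseName string) Outputs {
	outs := Outputs{}
	if c, ok := input["cert"].(string); ok && c != "" {
		outs[baseName+".pem"] = c
	} else if c, ok := input["certificate"].(string); ok && c != "" {
		outs[baseName+".pem"] = c
	}
	if result, ok := input["result"].(map[string]interface{}); ok {
		if bundle, ok := result["bundle"].(map[string]interface{}); ok {
			if b, ok := bundle["bundle"].(string); ok && b != "" {
				outs[baseName+"-bundle.pem"] = b
			}
			if r, ok := bundle["root"].(string); ok && r != "" {
				outs[baseName+"-root.pem"] = r
			}
		}
	}
	return outs
}

// cfssljsonLike parses the raw API response the way the issue describes:
// with bare=true the whole blob becomes input, with bare=false only the
// "result" object does.
func cfssljsonLike(raw []byte, bare bool, baseName string) (Outputs, error) {
	var input map[string]interface{}
	if bare {
		if err := json.Unmarshal(raw, &input); err != nil {
			return nil, err
		}
	} else {
		var resp struct {
			Result map[string]interface{} `json:"result"`
		}
		if err := json.Unmarshal(raw, &resp); err != nil {
			return nil, err
		}
		input = resp.Result
	}
	return collectOutputs(input, baseName), nil
}

// allOutputs is a hypothetical normalised lookup (an assumption of this example):
// it runs the same collection over both the raw blob and its "result" object and
// merges the results, so all three files come out of one pass.
func allOutputs(raw []byte, baseName string) (Outputs, error) {
	merged := Outputs{}
	for _, bare := range []bool{true, false} {
		outs, err := cfssljsonLike(raw, bare, baseName)
		if err != nil {
			return nil, err
		}
		for name, contents := range outs {
			merged[name] = contents
		}
	}
	return merged, nil
}

// countPEMBlocks counts well-formed CERTIFICATE blocks in text, so a caller can
// notice an empty or mangled bundle before installing it as a trust anchor.
func countPEMBlocks(text string) int {
	n := 0
	rest := []byte(text)
	for {
		block, remaining := pem.Decode(rest)
		if block == nil {
			return n
		}
		if block.Type == "CERTIFICATE" {
			n++
		}
		rest = remaining
	}
}

func main() {
	for _, bare := range []bool{true, false} {
		outs, err := cfssljsonLike([]byte(sampleResponse), bare, "ca")
		if err != nil {
			panic(err)
		}
		for name := range outs {
			fmt.Printf("-bare=%v -> %s (%d cert block(s))\n", bare, name, countPEMBlocks(outs[name]))
		}
	}
}
```

Run as written, the -bare pass yields only ca-bundle.pem and ca-root.pem and the non-bare pass only ca.pem, which is the mismatch the issue reports; `countPEMBlocks` is the kind of check worth running on whatever ends up on disk, since a root file containing zero parseable certificates should fail loudly rather than be installed.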