Unable to enroll elliptic curve certificates from TPP #17

Open
tr1ck3r opened this issue Nov 13, 2020 · 0 comments
Labels: bug

Comments

@tr1ck3r
Member

tr1ck3r commented Nov 13, 2020

PROBLEM SUMMARY
Unable to enroll elliptic curve certificates from Trust Protection Platform

STEPS TO REPRODUCE

  1. Add the following to a file called ecc.rb, modifying the url, user, password, trust_bundle, and ZONE values to match your TPP environment:

    require 'vcert'

    ZONE = 'VCert\\Ruby'.freeze

    conn = Vcert::Connection.new url: 'https://tpp-beta.venafi.example', \
      user: 'admin', password: 'newPassw0rd!', trust_bundle: '/opt/venafi/bundle.pem'

    request = Vcert::Request.new common_name: "test.venafi.example", \
      san_dns: ["san1-test.venafi.example", "san2-test.venafi.example"], \
      key_type: Vcert::KeyType.new('ecdsa', 'prime256v1')

    zone_config = conn.zone_configuration(ZONE)
    request.update_from_zone_config(zone_config)
    puts "#{request.csr}"

    certificate = conn.request_and_retrieve(request, ZONE, timeout: 600)
    puts "#{certificate.cert}"

  2. Execute ruby ecc.rb

EXPECTED RESULTS
ECDSA key pair and CSR are generated and successfully enrolled using TPP.

ACTUAL RESULTS
If the TPP policy suggests RSA 2048 (which means it can be overridden by the requester), the following error occurs:

Traceback (most recent call last):
        3: from ecc.rb:16:in `<main>'
        2: from /var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/vcert.rb:64:in `request_and_retrieve'
        1: from /var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/vcert.rb:30:in `request'
/var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/tpp/tpp.rb:22:in `request': Status  400 (Vcert::ServerUnexpectedBehaviorError)

If the TPP policy suggests or requires (locked) ECDSA P256, the following error occurs:

Traceback (most recent call last):
        3: from bug.rb:12:in `<main>'
        2: from /var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/vcert.rb:46:in `zone_configuration'
        1: from /var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/tpp/tpp.rb:54:in `zone_configuration'
/var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/tpp/tpp.rb:221:in `parse_zone_configuration': undefined method `[]' for nil:NilClass (NoMethodError)

ENVIRONMENT DETAILS
Trust Protection Platform 20.3.2

COMMENTS/WORKAROUNDS
Trust Protection Platform supports three elliptic curves: p256, p384, and p521. Based on a review of the code, it looks like VCert-Ruby supports p224 but not p384, so that is a related bug.

SUPPORTED_CURVES = ["secp224r1", "prime256v1", "secp521r1"]

curve = {"p224" => "secp224r1", "p256" => "prime256v1", "p521" => "secp521r1"}[policy["KeyPair"]["EllipticCurve"]["Value"].downcase]

@tr1ck3r tr1ck3r added the bug Something isn't working label Nov 13, 2020
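The curve mapping and the nil handling this report points at, as an added example (this is not vcert-ruby's own code): it maps the three curve names TPP supports to their OpenSSL identifiers, reads the curve out of a zone policy without raising when the policy carries no EllipticCurve block (the NoMethodError case above), and builds an ECDSA key and CSR for enrollment with Ruby's standard openssl library. The policy hash shape (KeyPair → EllipticCurve → Value) follows the snippet quoted in the report; the Locked field, the sample policies and the function names are assumptions constructed for the example.

```ruby
require 'openssl'

# TPP policy curve names (p256, p384, p521, per the report) mapped to the
# names OpenSSL uses. p224 is deliberately absent: TPP does not offer it.
TPP_CURVE_TO_OPENSSL = {
  'p256' => 'prime256v1',
  'p384' => 'secp384r1',
  'p521' => 'secp521r1'
}.freeze

SUPPORTED_CURVES = TPP_CURVE_TO_OPENSSL.values.freeze

# Constructed sample policies (not captured from a real TPP instance).
# The 'Locked' flag is an assumed field name for a policy that cannot be
# overridden by the requester.
SAMPLE_POLICY_LOCKED_P384 = {
  'KeyPair' => { 'EllipticCurve' => { 'Value' => 'P384', 'Locked' => true } }
}.freeze

# An RSA-only policy: no EllipticCurve block at all (shape assumed).
SAMPLE_POLICY_RSA_ONLY = { 'KeyPair' => {} }.freeze

# Returns the OpenSSL curve name the policy suggests or requires, or nil when
# the policy says nothing about elliptic curves. Every level of the hash is
# nil-safe, so a missing EllipticCurve block yields nil instead of
# "undefined method `[]' for nil:NilClass".
def policy_curve(policy)
  value = policy&.dig('KeyPair', 'EllipticCurve', 'Value')
  return nil if value.nil? || value.to_s.empty?

  TPP_CURVE_TO_OPENSSL.fetch(value.to_s.downcase) do
    raise ArgumentError, "unsupported elliptic curve in policy: #{value}"
  end
end

# A locked policy value wins over the request; a merely suggested value is
# used only when the request did not name a curve itself.
def effective_curve(requested:, policy:)
  locked = policy&.dig('KeyPair', 'EllipticCurve', 'Locked') ? true : false
  from_policy = policy_curve(policy)
  return from_policy if locked && from_policy

  requested || from_policy
end

# Generates an ECDSA key on the given curve and a CSR carrying the common
# name and DNS SANs, signed with SHA-256. Returns [key, csr].
def generate_ec_csr(common_name:, san_dns: [], curve: 'prime256v1')
  raise ArgumentError, "unsupported curve #{curve}" unless SUPPORTED_CURVES.include?(curve)

  key = OpenSSL::PKey::EC.generate(curve)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', common_name]])
  req.public_key = key

  unless san_dns.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    san = ef.create_extension('subjectAltName', san_dns.map { |d| "DNS:#{d}" }.join(','))
    ext_req = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::Sequence.new([san])])
    req.add_attribute(OpenSSL::X509::Attribute.new('extReq', ext_req))
  end

  req.sign(key, OpenSSL::Digest::SHA256.new)
  [key, req]
end

if __FILE__ == $PROGRAM_NAME
  curve = effective_curve(requested: 'prime256v1', policy: SAMPLE_POLICY_LOCKED_P384)
  _key, csr = generate_ec_csr(common_name: 'test.venafi.example',
                               san_dns: ['san1-test.venafi.example', 'san2-test.venafi.example'],
                               curve: curve)
  puts "curve selected: #{curve}"
  puts csr.to_pem
end
```

Running the file prints the selected curve (secp384r1, because the sample policy is locked) and the PEM CSR that would be submitted to TPP; with the RSA-only sample policy the requested prime256v1 is kept, since nothing in that policy constrains the curve.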