Subject DN configuration (#296)
Add subject DN configuration options to certd and refactor create_cert
onalante-msft authored Oct 19, 2021
1 parent 9a12cd3 commit 550dad8
Showing 30 changed files with 875 additions and 1,045 deletions.
80 changes: 79 additions & 1 deletion Cargo.lock


2 changes: 1 addition & 1 deletion aziotctl/Cargo.toml
Expand Up @@ -44,7 +44,7 @@ aziot-keys-common = { path = "../key/aziot-keys-common" }
aziot-tpmd-config = { path = "../tpm/aziot-tpmd-config" }
aziotctl-common = { path = "./aziotctl-common" }
config-common = { path = "../config-common" }
http-common = { path = "../http-common", features = ["tokio1"] }
http-common = { path = "../http-common" }
mini-sntp = { path = "../mini-sntp" }
openssl2 = { path = "../openssl2" }
openssl-sys2 = { path = "../openssl-sys2" }
38 changes: 26 additions & 12 deletions aziotctl/aziotctl-common/src/config/apply.rs
Expand Up @@ -335,11 +335,14 @@ pub fn run(
aziotcs_keys.keys.push(super::EST_ID_ID.to_owned());

Some(aziot_certd_config::EstAuthX509 {
identity: (super::EST_ID_ID.to_owned(), super::EST_ID_ID.to_owned()),
bootstrap_identity: Some((
super::EST_BOOTSTRAP_ID.to_owned(),
super::EST_BOOTSTRAP_ID.to_owned(),
)),
identity: aziot_certd_config::CertificateWithPrivateKey {
cert: super::EST_ID_ID.to_owned(),
pk: super::EST_ID_ID.to_owned(),
},
bootstrap_identity: Some(aziot_certd_config::CertificateWithPrivateKey {
cert: super::EST_BOOTSTRAP_ID.to_owned(),
pk: super::EST_BOOTSTRAP_ID.to_owned(),
}),
})
}

Expand All @@ -356,7 +359,10 @@ pub fn run(
aziotcs_keys.keys.push(super::EST_ID_ID.to_owned());

Some(aziot_certd_config::EstAuthX509 {
identity: (super::EST_ID_ID.to_owned(), super::EST_ID_ID.to_owned()),
identity: aziot_certd_config::CertificateWithPrivateKey {
cert: super::EST_ID_ID.to_owned(),
pk: super::EST_ID_ID.to_owned(),
},
bootstrap_identity: None,
})
}
Expand All @@ -376,8 +382,8 @@ pub fn run(
.collect();

Some(aziot_certd_config::Est {
auth,
trusted_certs,
auth,
urls,
})
} else {
Expand All @@ -391,7 +397,7 @@ pub fn run(
cert_issuance_certs
.insert(super::LOCAL_CA.to_owned(), into_cert_options(cert, None));

Some(aziot_certd_config::LocalCa {
Some(aziot_certd_config::CertificateWithPrivateKey {
cert: super::LOCAL_CA.to_owned(),
pk: super::LOCAL_CA.to_owned(),
})
Expand All @@ -406,7 +412,7 @@ pub fn run(
preloaded_keys.insert(super::LOCAL_CA.to_owned(), pk);
aziotcs_keys.keys.push(super::LOCAL_CA.to_owned());

Some(aziot_certd_config::LocalCa {
Some(aziot_certd_config::CertificateWithPrivateKey {
cert: super::LOCAL_CA.to_owned(),
pk: super::LOCAL_CA.to_owned(),
})
Expand Down Expand Up @@ -494,7 +500,9 @@ fn into_cert_options(
};

aziot_certd_config::CertIssuanceOptions {
common_name: opts.common_name,
subject: opts
.common_name
.map(aziot_certd_config::CertSubject::CommonName),
expiry_days: opts.expiry_days,
method,
}
Expand Down Expand Up @@ -528,7 +536,10 @@ pub fn set_est_auth(
preloaded_keys.insert(bootstrap_cert_id.clone(), bootstrap_identity_pk.clone());
aziotcs_keys.keys.push(bootstrap_cert_id.clone());

Some((bootstrap_cert_id.clone(), bootstrap_cert_id))
Some(aziot_certd_config::CertificateWithPrivateKey {
cert: bootstrap_cert_id.clone(),
pk: bootstrap_cert_id,
})
}

super_config::EstAuthX509::Identity {
Expand All @@ -548,7 +559,10 @@ pub fn set_est_auth(
aziotcs_keys.keys.push(identity_cert_id.clone());

aziot_certd_config::EstAuthX509 {
identity: (identity_cert_id.clone(), identity_cert_id),
identity: aziot_certd_config::CertificateWithPrivateKey {
cert: identity_cert_id.clone(),
pk: identity_cert_id,
},
bootstrap_identity,
}
});
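Review bot: The new `subject` field in into_cert_options is only ever populated as `CertSubject::CommonName` from `opts.common_name` (hunk `@@ -494,7 +500,9 @@`), so a super-config author has no way to reach any other `CertSubject` variant this commit introduces on the certd side; if that is deliberate, a comment on that line such as `// super_config exposes only a common name; full subject DNs are certd-config-only` would keep the two schemas from drifting silently, and if super_config is meant to gain a subject field later a TODO there is the place to say so. into_cert_options starts above the hunk and the `method` value it stores is computed outside it. Separately, the `CertificateWithPrivateKey { cert: X.to_owned(), pk: X.to_owned() }` shape is spelled out four times across the run and set_est_auth hunks with the same id used for both fields; a small constructor on the type, e.g. `fn from_single_id(id: String) -> Self`, would remove the repetition and make the "one id names both the cert and its key" convention explicit.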
2 changes: 1 addition & 1 deletion aziotctl/aziotctl-common/src/config/super_config.rs
Expand Up @@ -200,8 +200,8 @@ pub enum DpsAttestationMethod {

#[derive(Debug, Default, Deserialize, Serialize)]
pub struct CertIssuance {
pub est: Option<Est>,
pub local_ca: Option<LocalCa>,
pub est: Option<Est>,
}

#[derive(Debug, Deserialize, Serialize)]
@@ -1,12 +1,12 @@
homedir_path = "/var/lib/aziot/certd"
[cert_issuance.est]
trusted_certs = ["est-server-ca-1"]
username = "estuser"
password = "estpwd"
identity_cert = "est-id"
identity_pk = "est-id"
bootstrap_identity_cert = "est-bootstrap-id"
bootstrap_identity_pk = "est-bootstrap-id"
trusted_certs = ["est-server-ca-1"]

[cert_issuance.est.urls]
default = "https://example.org/.well-known/est"
@@ -1,12 +1,12 @@
homedir_path = "/var/lib/aziot/certd"
[cert_issuance.est]
trusted_certs = ["est-server-ca-1"]
username = "estuser"
password = "estpwd"
identity_cert = "est-id"
identity_pk = "est-id"
bootstrap_identity_cert = "est-bootstrap-id"
bootstrap_identity_pk = "est-bootstrap-id"
trusted_certs = ["est-server-ca-1"]

[cert_issuance.est.urls]
default = "https://example.org/.well-known/est"
@@ -1,10 +1,10 @@
homedir_path = "/var/lib/aziot/certd"
[cert_issuance.est]
trusted_certs = ["est-server-ca-1"]
username = "estuser"
password = "estpwd"
identity_cert = "est-id"
identity_pk = "est-id"
trusted_certs = ["est-server-ca-1"]

[cert_issuance.est.urls]
default = "https://example.org/.well-known/est"
10 changes: 6 additions & 4 deletions aziotctl/src/internal/check/checks/cert_expiry.rs
Expand Up @@ -122,10 +122,12 @@ impl EstIdentityBootstrapCerts {
.and_then(|est| est.auth.x509.as_ref())
.map(|x509| {
(
(&x509.identity.0, "x509 identity"),
x509.bootstrap_identity
.as_ref()
.map(|(cert, _)| (cert, "x509 bootstrap")),
(&x509.identity.cert, "x509 identity"),
x509.bootstrap_identity.as_ref().map(
|aziot_certd_config::CertificateWithPrivateKey { cert, .. }| {
(cert, "x509 bootstrap")
},
),
)
});

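Review bot: The bootstrap closure `|aziot_certd_config::CertificateWithPrivateKey { cert, .. }| { (cert, "x509 bootstrap") }` spells out the full struct path to destructure a single field, while the identity line directly above uses plain field access; `.map(|id| (&id.cert, "x509 bootstrap"))` reads the same as the identity line, produces the same `&String` reference, and collapses the four-line closure to one. The enclosing method in `impl EstIdentityBootstrapCerts` starts and ends outside the hunk.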
2 changes: 1 addition & 1 deletion aziotd/Cargo.toml
Expand Up @@ -17,5 +17,5 @@ aziot-identityd = { path = "../identity/aziot-identityd" }
aziot-keyd = { path = "../key/aziot-keyd" }
aziot-tpmd = { path = "../tpm/aziot-tpmd" }
config-common = { path = "../config-common" }
http-common = { path = "../http-common", features = ["tokio1"] }
http-common = { path = "../http-common" }
logger = { path = "../logger" }
2 changes: 1 addition & 1 deletion cert/aziot-cert-client-async/Cargo.toml
Expand Up @@ -11,4 +11,4 @@ percent-encoding = "2"

aziot-cert-common-http = { path = "../aziot-cert-common-http" }
aziot-key-common = { path = "../../key/aziot-key-common" }
http-common = { path = "../../http-common", features = ["tokio1"] }
http-common = { path = "../../http-common" }
1 change: 1 addition & 0 deletions cert/aziot-certd-config/Cargo.toml
Expand Up @@ -10,6 +10,7 @@ hex = "0.4"
libc = "0.2"
openssl = "0.10"
serde = { version = "1", features = ["derive"] }
serde_with = "1"
url = { version = "2", features = ["serde"] }

http-common = { path = "../../http-common" }
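Review bot: `serde_with = "1"` is a new direct dependency of the crate that parses certd's on-disk configuration, and the Cargo.lock summary at the top of the page (79 additions) suggests it brings a transitive tree with it, yet neither the commit message nor this file records which helper it is needed for. If only one attribute or `DeserializeAs` impl is used, `serde_with = { version = "1", default-features = false }` plus the specific feature keeps the dependency surface of a security daemon's config parser minimal; a short `#` comment next to the line naming the helper it enables would make the choice auditable later.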

6 comments on commit 550dad8

@ksaye

@ksaye ksaye commented on 550dad8 Nov 8, 2021


@onalante-msft,
This change introduces an error for me. I am using this EST Server, and the commit before 292 works fine.

When I use this commit, my EST fails with a EST_ERR_BAD_PKCS10 error.

Here are the iotedge log files below:

Nov 08 17:26:19 githubtest systemd[1]: Started Azure IoT Identity Service.
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [INFO] - Starting service...
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [INFO] - Version - 1.2.3
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [INFO] - Provisioning starting. Reason: Startup
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::io] flushed 81 bytes
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (1474 bytes)
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [INFO] - device-id has expired. Renewing certificate
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::io] flushed 75 bytes
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::io] flushed 369 bytes
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::io] parsed 2 headers
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::conn] incoming body is empty
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::io] flushed 174 bytes
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (248 bytes)
Nov 08 17:26:19 githubtest aziot-identityd[16781]: 2021-11-08T23:26:19Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [DBUG] - [hyper::proto::h1::io] flushed 1076 bytes
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [DBUG] - [hyper::proto::h1::io] parsed 3 headers
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (28 bytes)
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [ERR!] - Failed to provision with IoT Hub, and no valid device backup was found: internal error
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [ERR!] - service encountered an error
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [ERR!] - caused by: internal error
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [ERR!] - caused by: could not create certificate
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [ERR!] - caused by: internal error
Nov 08 17:26:20 githubtest aziot-identityd[16781]: 2021-11-08T23:26:20Z [ERR!] -    0: <unknown>
Nov 08 17:26:20 githubtest aziot-identityd[16781]:    1: <unknown>
Nov 08 17:26:20 githubtest systemd[1]: aziot-identityd.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 17:26:20 githubtest systemd[1]: aziot-identityd.service: Failed with result 'exit-code'.
^C
ksaye@githubtest:~$ sudo journalctl -f -u aziot-certd
-- Logs begin at Mon 2021-11-08 15:44:10 CST. --
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [DBUG] - [hyper::proto::h1::io] flushed 114 bytes
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [DBUG] - [hyper::proto::h1::io] parsed 4 headers
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [DBUG] - [hyper::proto::h1::conn] incoming body is content-length (545 bytes)
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [DBUG] - [hyper::proto::h1::conn] incoming body completed
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [ERR!] - !!! internal error
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [ERR!] - !!! caused by: could not create cert
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [ERR!] - !!! caused by: EST endpoint did not return successful response: 400 Bad Request b"Error 400: Bad Request\nInvalid or corrupted pkcs10 request.\n"
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [INFO] - --> 500 {"content-type": "application/json"}
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [DBUG] - [hyper::proto::h1::io] flushed 155 bytes
Nov 08 17:26:25 githubtest aziot-certd[16628]: 2021-11-08T23:26:25Z [DBUG] - [hyper::proto::h1::conn] read eof

Here is the EST Error:

/libest/src/est/.libs/libest-3.2.0p.so(+0xa520) [0x7f4073906520]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1ad0d) [0x7f4073916d0d]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1b88b) [0x7f407391788b]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_handle_request+0x25d) [0x7f407391879d]
/libest/example/server/.libs/estserver(+0xea86) [0x560ecc545a86]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76db) [0x7f4072f8c6db]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f4072cb571f]

***EST [INFO][est_server_handle_request:1788]--> SSL_shutdown succeeded
***EST [INFO][est_server_handle_request:1784]--> Two-phase SSL_shutdown initiated
***EST [INFO][est_server_handle_request:1719]--> Peer IP address: 192.168.15.66
***EST [INFO][est_server_handle_request:1720]--> Peer port      : 44782
***EST [INFO][ossl_verify_cb:162]--> enter function: ok=1 cert_error=0
***EST [INFO][ossl_verify_cb:162]--> enter function: ok=1 cert_error=0
***EST [INFO][est_server_handle_request:1719]--> Peer IP address: 192.168.15.66
***EST [INFO][est_server_handle_request:1720]--> Peer port      : 44784
***EST [INFO][ossl_verify_cb:162]--> enter function: ok=1 cert_error=0
***EST [INFO][ossl_verify_cb:162]--> enter function: ok=1 cert_error=0
***EST [INFO][ossl_verify_cb:162]--> enter function: ok=1 cert_error=0
***EST [INFO][ossl_verify_cb:162]--> enter function: ok=1 cert_error=0
***EST [INFO][ossl_verify_cb:162]--> enter function: ok=1 cert_error=0
***EST [INFO][ossl_verify_cb:162]--> enter function: ok=1 cert_error=0
***EST [INFO][parse_http_message:1160]--> request_len=210
***EST [INFO][parse_http_message:1161]--> request uri=/.well-known/est/simpleenroll
***EST [INFO][handle_request:1276]--> /.well-known/est/simpleenroll
***EST [INFO][check_for_TLS_cert_auth:554]--> TLS: client certificate is valid
***EST [ERROR][est_server_parse_csr:1031]--> Problem reading DER encoded certificate request

/libest/src/est/.libs/libest-3.2.0p.so(+0xa520) [0x7f4073906520]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_parse_csr+0x94) [0x7f4073911024]
/libest/src/est/.libs/libest-3.2.0p.so(est_handle_simple_enroll+0x5fc) [0x7f40739125ac]
/libest/src/est/.libs/libest-3.2.0p.so(est_http_request+0x9b3) [0x7f4073916193]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1c143) [0x7f4073918143]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_handle_request+0x25d) [0x7f407391879d]
/libest/example/server/.libs/estserver(+0xea86) [0x560ecc545a86]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76db) [0x7f4072f8c6db]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f4072cb571f]

***EST [ERROR][est_handle_simple_enroll:1713]--> Unable to parse the PKCS10 CSR sent by the client

/libest/src/est/.libs/libest-3.2.0p.so(+0xa520) [0x7f4073906520]
/libest/src/est/.libs/libest-3.2.0p.so(est_handle_simple_enroll+0x631) [0x7f40739125e1]
/libest/src/est/.libs/libest-3.2.0p.so(est_http_request+0x9b3) [0x7f4073916193]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1c143) [0x7f4073918143]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_handle_request+0x25d) [0x7f407391879d]
/libest/example/server/.libs/estserver(+0xea86) [0x560ecc545a86]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76db) [0x7f4072f8c6db]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f4072cb571f]

***EST [WARNING][est_http_request:2948]--> Enrollment failed with rc=9 (EST_ERR_BAD_PKCS10)


/libest/src/est/.libs/libest-3.2.0p.so(+0xa520) [0x7f4073906520]
/libest/src/est/.libs/libest-3.2.0p.so(est_http_request+0x55b) [0x7f4073915d3b]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1c143) [0x7f4073918143]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_handle_request+0x25d) [0x7f407391879d]
/libest/example/server/.libs/estserver(+0xea86) [0x560ecc545a86]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76db) [0x7f4072f8c6db]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f4072cb571f]

***EST [INFO][mg_send_http_error:392]--> [Error 400: Bad Request
Invalid or corrupted pkcs10 request.
]
***EST [ERROR][est_mg_handler:1250]--> EST error response code: 9 (EST_ERR_BAD_PKCS10)


/libest/src/est/.libs/libest-3.2.0p.so(+0xa520) [0x7f4073906520]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1c184) [0x7f4073918184]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_handle_request+0x25d) [0x7f407391879d]
/libest/example/server/.libs/estserver(+0xea86) [0x560ecc545a86]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76db) [0x7f4072f8c6db]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f4072cb571f]

***EST [WARNING][handle_request:1283]--> Incoming request failed rv=9 (EST_ERR_BAD_PKCS10)

/libest/src/est/.libs/libest-3.2.0p.so(+0xa520) [0x7f4073906520]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1c1bc) [0x7f40739181bc]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_handle_request+0x25d) [0x7f407391879d]
/libest/example/server/.libs/estserver(+0xea86) [0x560ecc545a86]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76db) [0x7f4072f8c6db]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f4072cb571f]

***EST [INFO][log_access:1314]--> 192.168.15.66 [08/Nov/2021:23:10:31 +0000] "POST /.well-known/est/simpleenroll HTTP/1.1" 400 60
***EST [INFO][log_header:1292]-->  -
***EST [INFO][log_header:1292]-->  -
***EST [INFO][parse_http_message:1160]--> request_len=114
***EST [INFO][parse_http_message:1161]--> request uri=/.well-known/est/cacerts
***EST [INFO][handle_request:1276]--> /.well-known/est/cacerts
***EST [INFO][est_server_handle_cacerts:286]--> Server: CA certs set locally, responding with locally set CA certs response
***EST [INFO][est_handle_cacerts:222]--> CA certs successfully sent to EST client
***EST [INFO][log_access:1314]--> 192.168.15.66 [08/Nov/2021:23:10:31 +0000] "GET /.well-known/est/cacerts HTTP/1.1" -1 0
***EST [INFO][log_header:1292]-->  -
***EST [INFO][log_header:1292]-->  -
***EST [INFO][est_server_handle_request:1784]--> Two-phase SSL_shutdown initiated
***EST [ERROR][pull:597]--> SSL_read error, code: 6


/libest/src/est/.libs/libest-3.2.0p.so(+0xa520) [0x7f4073906520]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1ad0d) [0x7f4073916d0d]
/libest/src/est/.libs/libest-3.2.0p.so(+0x1b88b) [0x7f407391788b]
/libest/src/est/.libs/libest-3.2.0p.so(est_server_handle_request+0x25d) [0x7f407391879d]
/libest/example/server/.libs/estserver(+0xea86) [0x560ecc545a86]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76db) [0x7f4072f8c6db]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f4072cb571f]

@onalante-msft
Contributor Author


Cisco's EST server does not accept unchunked base64 inputs since it does not set BIO_FLAGS_BASE64_NO_NL (pertinent issue). Previously, we would PEM-encode and manually strip the header and footer from the CSR, which would produce output with the appropriate chunk size for the server. This commit switches to an unchunked base64 encoding of the DER bytes [1].

Footnotes

  1. https://github.com/Azure/iot-identity-service/blob/550dad87a3222858137395343c82c67fc14e6fdd/cert/aziot-certd/src/lib.rs#L434

@ksaye

@ksaye ksaye commented on 550dad8 Nov 9, 2021


Thank you. I guess I will stop using the Cisco EST.

@arsing
Member

@arsing arsing commented on 550dad8 Nov 9, 2021


libest might be popular enough to be worth supporting despite its bug. We could artificially split the String ourselves?

@ksaye

@ksaye ksaye commented on 550dad8 Nov 9, 2021


that would be AWESOME

@onalante-msft
Contributor Author
