
[Bug]: Invalid JSON when applying template data to provisioner makes ca.json empty #994

Closed
mirex05 opened this issue Aug 3, 2023 · 2 comments · Fixed by #995
Labels: bug, needs triage (Waiting for discussion / prioritization by team)

Comments


mirex05 commented Aug 3, 2023

Steps to Reproduce

Try to add provisioner using step CLI with invalid JSON template:

step ca provisioner add acme --type ACME --force-cn --x509-template-data templates/acme-default.tpl --include-root

acme-default.tpl (with missing quoting around the issuer field value):

{
    "subject": {
        "country": "US",
        "organization": "ACME Corp",
        "organizationalUnit": "ACME Team",
        "commonName": "{{ toJson .Subject.CommonName }}"
    },
    "issuer": {{ toJson .Subject.CommonName }},
    "keyUsage": ["keyEncipherment", "digitalSignature"],
    "extKeyUsage": ["serverAuth", "clientAuth"]
}

Your Environment

  • OS - Debian 12
  • step CLI Version - 0.24.4 (linux/amd64)

Expected Behavior

Only error output by step CLI, without any modifications to ca.json.

Actual Behavior

Error output by step CLI:
error writing /etc/step-ca/.step/config/ca.json: json: error calling MarshalJSON for type json.RawMessage: invalid character '{' looking for beginning of object key string
and ca.json becomes empty.

Additional Context

No response


@mirex05 mirex05 added bug needs triage Waiting for discussion / prioritization by team labels Aug 3, 2023
maraino (Collaborator) commented Aug 4, 2023

Hi @mirex05, this is definitely a bug. Are you trying to set the template data or just a template?

If it is a template, it probably should be:

{
  "subject": {
    "country": "US",
    "organization": "ACME Corp",
    "organizationalUnit": "ACME Team",
    "commonName": {{ toJson .Subject.CommonName }}
  },
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
  "keyUsage": ["digitalSignature"],
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}

The "issuer" will always be overwritten when we sign the certificate, so you don't really need it. The common name should be without quotes because you are using toJson, and the key usage keyEncipherment is only for RSA keys.

It doesn't make sense to use the template data without a template. The template data is information that you add in the ca.json that can be consumed by a template, for example, with this template data:

"templateData": {
  "country": "US",
  "organization": "Acme Corp.",
  "organizationalUnit": "Coyote"
}

You can create a template that sets the subject like this:

{
  "subject": {
    "country": {{ toJson .country }},
    "organization": {{ toJson .organization }},
    "organizationalUnit": {{ toJson .organizationalUnit }},
    "commonName": {{ toJson .Subject.CommonName }}
  },
{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
  "keyUsage": ["keyEncipherment", "digitalSignature"],
{{- else }}
  "keyUsage": ["digitalSignature"],
{{- end }}
  "extKeyUsage": ["serverAuth", "clientAuth"]
}

The toJson function is not really required. You can do "{{ .country }}", but it sanitizes the data in the variables so nothing unexpected is injected.
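An added example, not step's own code, of why the comment above recommends toJson: it renders two small subject templates with Go's text/template against constructed template data whose country value tries to close the quoted string early and smuggle in an extra subject field. toJson here is an assumed stand-in (json.Marshal) for step's template function; SafeTemplate, UnsafeTemplate, InjectedData and RenderSubject are names introduced for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"text/template"
)

// toJson: assumed stand-in for step's template function, JSON-encoding the value
// so quotes and backslashes in template data are escaped rather than parsed.
func toJson(v interface{}) (string, error) {
	b, err := json.Marshal(v)
	return string(b), err
}

// SafeTemplate inserts every value with toJson, as in the comment above.
const SafeTemplate = `{"subject": {
  "country": {{ toJson .country }},
  "commonName": {{ toJson .Subject.CommonName }}
}}`

// UnsafeTemplate hand-quotes .country, so the data can close the string early.
const UnsafeTemplate = `{"subject": {
  "country": "{{ .country }}",
  "commonName": {{ toJson .Subject.CommonName }}
}}`

// InjectedData is constructed: the template data's country value smuggles in
// an extra subject field; Subject mimics the request data step merges in.
var InjectedData = map[string]interface{}{
	"country": `US", "serialNumber": "injected`,
	"Subject": map[string]interface{}{"CommonName": "example.com"},
}

// RenderSubject executes tpl against data and returns the decoded "subject".
func RenderSubject(tpl string, data map[string]interface{}) (map[string]interface{}, error) {
	t, err := template.New("x509").Funcs(template.FuncMap{"toJson": toJson}).Parse(tpl)
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return nil, err
	}
	var out struct{ Subject map[string]interface{} `json:"subject"` }
	if err := json.Unmarshal(buf.Bytes(), &out); err != nil {
		return nil, err
	}
	return out.Subject, nil
}
```

With the hand-quoted template the rendered subject gains a serialNumber field; with toJson the whole value stays inside the country string.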

maraino added a commit to smallstep/certificates that referenced this issue Aug 4, 2023
This commit fixes a problem where ca.json is truncated if the
encoding of the configuration fails. This can happen when adding a new
provisioner with bad template data.

Related to smallstep/cli#994
maraino added a commit to smallstep/certificates that referenced this issue Aug 4, 2023
This commit fixes a problem where ca.json is truncated if the
encoding of the configuration fails. This can happen by adding a new
provisioner with bad template data.

Related to smallstep/cli#994
mirex05 (Author) commented Aug 4, 2023

Hi @maraino, currently it's only a lab before setting up step CA in production, so I'm just doing some experiments to see how it works. Thanks for the detailed explanation of the difference between template and template data; now it's definitely clear to me what I should use.

maraino added a commit that referenced this issue Aug 4, 2023
This commit upgrades certificates with a fix for an empty ca.json if
a provisioner is added with invalid template data.

Fixes #994
@maraino maraino added this to the v0.24.5 milestone Aug 4, 2023