Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CSR API doesn't allow "NEW CERTIFICATE REQUEST" PEM blocks #68677

Closed
mlbiam opened this issue Sep 14, 2018 · 8 comments
Closed

CSR API doesn't allow "NEW CERTIFICATE REQUEST" PEM blocks #68677

mlbiam opened this issue Sep 14, 2018 · 8 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

Comments

@mlbiam
Copy link

mlbiam commented Sep 14, 2018
edited by liggitt
Loading

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind feature

What happened:

when submitting the below CSR to k8s for signing (generated by the Java keytool) :

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDBjCCAe4CAQAwgZAxCzAJBgNVBAYTAnVzMREwDwYDVQQIEwh2aXJnaW5pYTET
MBEGA1UEBxMKYWxleGFuZHJpYTEZMBcGA1UEChMQdHJlbW9sbyBzZWN1cml0eTEM
MAoGA1UECxMDazhzMTAwLgYDVQQDEydvcGVudW5pc29uLm9wZW51bmlzb24uc3Zj
LmNsdXN0ZXIubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx
FzAGkAZV+elqzmZ+tqQmqLK1Wy/DTWSAYOsv2ORh1rTLxy6z5TpUod70cbhBBZ0n
m033wEdYmP81GES5bV2BJPkab7Q2JimAqnSS+pv/JecNuTpiToNqUIFxxTqweXz7
H1QPOcnKgnu3JbzjJQvAmfhQvZ67GEtFjywAq91/SPPGuUePPNoOdSRt0yItRRWW
WCxLxKEn3QNcsXjekIS/Z1wStDnW+mB/KdDVniYS9XFUuOpSpIxfHG6adu7YiCKf
mAfjHMcviNBSw3vA8d8smrVvoxxdzZs0aWFZYj/fCB2qUQoaWB/9Ne5I+DorAmrW
n68khcS0nLlXaHBhKf35AgMBAAGgMDAuBgkqhkiG9w0BCQ4xITAfMB0GA1UdDgQW
BBSPLhkeyyI+BkmIq3vlijP80r5EuTANBgkqhkiG9w0BAQsFAAOCAQEAi2wUR08F
c/uUjz/XuowooCS7skgvZRd5aU1qw5637f8eIJc6KHn4cYeL7a6y3s4BbgaUH9ZU
nRosuWTvXBMMLq/2AHLxUXlLcaem7pMDmq3li14I/Y7PYIqHT14G6RydAE/sdz0u
wTM/I7xrtlVMO9b5znZyqVJScLabtCMs0kwpBZU3gSe8aYo3+p7wjUyZnfah6Ya4
/qvUwy34gbjvRMg66b7Q9vtDfSDmQarUXtARDwNvOYg6jH2Jpbe/5GjpxZQ4Xaow
vhtbrccS/dBlVpZT1wI6Ro9XYv8Ib2mbqhE20MXbnUe+a/nRGOVwLiTP0cgJOvx2
w4YZkqIHUAfZwA==
-----END NEW CERTIFICATE REQUEST-----

k8s rejects the request with the error message: The CertificateSigningRequest "openunison.openunison.svc.cluster.local" is invalid: spec.request: Invalid value: []byte{0x2d,...}: PEM block type must be CERTIFICATE REQUEST

What you expected to happen:

This is a valid PEM encoded CSR, so the request should be submitted. @liggitt noticed that the keytool generated CSR has the word NEW in the header and footer. Removing the word NEW allowed for the CSR to be submitted.

How to reproduce it (as minimally and precisely as possible):

Submit the following CSR:

apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: openunison.openunison.svc.cluster.local
spec:
  groups:
  - system:authenticated
  request: LS0tLS1CRUdJTiBORVcgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCk1JSURCakNDQWU0Q0FRQXdnWkF4Q3pBSkJnTlZCQVlUQW5Wek1SRXdEd1lEVlFRSUV3aDJhWEpuYVc1cFlURVQKTUJFR0ExVUVCeE1LWVd4bGVHRnVaSEpwWVRFWk1CY0dBMVVFQ2hNUWRISmxiVzlzYnlCelpXTjFjbWwwZVRFTQpNQW9HQTFVRUN4TURhemh6TVRBd0xnWURWUVFERXlkdmNHVnVkVzVwYzI5dUxtOXdaVzUxYm1semIyNHVjM1pqCkxtTnNkWE4wWlhJdWJHOWpZV3d3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQ3gKRnpBR2tBWlYrZWxxem1aK3RxUW1xTEsxV3kvRFRXU0FZT3N2Mk9SaDFyVEx4eTZ6NVRwVW9kNzBjYmhCQlowbgptMDMzd0VkWW1QODFHRVM1YlYyQkpQa2FiN1EySmltQXFuU1MrcHYvSmVjTnVUcGlUb05xVUlGeHhUcXdlWHo3CkgxUVBPY25LZ251M0piempKUXZBbWZoUXZaNjdHRXRGanl3QXE5MS9TUFBHdVVlUFBOb09kU1J0MHlJdFJSV1cKV0N4THhLRW4zUU5jc1hqZWtJUy9aMXdTdERuVyttQi9LZERWbmlZUzlYRlV1T3BTcEl4ZkhHNmFkdTdZaUNLZgptQWZqSE1jdmlOQlN3M3ZBOGQ4c21yVnZveHhkelpzMGFXRlpZai9mQ0IycVVRb2FXQi85TmU1SStEb3JBbXJXCm42OGtoY1MwbkxsWGFIQmhLZjM1QWdNQkFBR2dNREF1QmdrcWhraUc5dzBCQ1E0eElUQWZNQjBHQTFVZERnUVcKQkJTUExoa2V5eUkrQmttSXEzdmxpalA4MHI1RXVUQU5CZ2txaGtpRzl3MEJBUXNGQUFPQ0FRRUFpMndVUjA4RgpjL3VVanovWHVvd29vQ1M3c2tndlpSZDVhVTFxdzU2MzdmOGVJSmM2S0huNGNZZUw3YTZ5M3M0QmJnYVVIOVpVCm5Sb3N1V1R2WEJNTUxxLzJBSEx4VVhsTGNhZW03cE1EbXEzbGkxNEkvWTdQWUlxSFQxNEc2UnlkQUUvc2R6MHUKd1RNL0k3eHJ0bFZNTzliNXpuWnlxVkpTY0xhYnRDTXMwa3dwQlpVM2dTZThhWW8zK3A3d2pVeVpuZmFoNllhNAovcXZVd3kzNGdianZSTWc2NmI3UTl2dERmU0RtUWFyVVh0QVJEd052T1lnNmpIMkpwYmUvNUdqcHhaUTRYYW93CnZodGJyY2NTL2RCbFZwWlQxd0k2Um85WFl2OEliMm1icWhFMjBNWGJuVWUrYS9uUkdPVndMaVRQMGNnSk92eDIKdzRZWmtxSUhVQWZad0E9PQotLS0tLUVORCBORVcgQ0VSVElGSUNBVEUgUkVRVUVTVC0tLS0tCg==
  usages:
  - digital signature
  - key encipherment
  - server auth

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:17:28Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-07T23:08:19Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):
NAME="Ubuntu"
VERSION="18.04.1 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.1 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

- Kernel (e.g. `uname -a`):
`Linux k8s-login-master 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux`
- Install tools:
kubeadm
- Others:
Cert and CSR generated by java keytool
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 14, 2018
@k8s-ci-robot
Copy link
Contributor

@mlbiam: There are no sig labels on this issue. Please add a sig label by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Sep 14, 2018
@liggitt
Copy link
Member

liggitt commented Sep 14, 2018
edited
Loading

That header isn't actually required by the standard for this (c.f.
https://stackoverflow.com/a/29725273/54696)

From
https://www.rfc-editor.org/rfc/rfc7468.txt:

The label "NEW CERTIFICATE REQUEST" is also in wide use. Generators
conforming to this document MUST generate "CERTIFICATE REQUEST"
labels. Parsers MAY treat "NEW CERTIFICATE REQUEST" as equivalent to
"CERTIFICATE REQUEST".

if "NEW CERTIFICATE REQUEST" is a known alternate representation (openssl indicates it is the old PEM header for CSRs), I don't mind allowing it.

/cc @mikedanese

@liggitt liggitt added kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed kind/bug Categorizes issue or PR as related to a bug. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 14, 2018
@liggitt liggitt changed the title CA rejects properly PEM encoded CSRs if header is not whats expected CSR API doesn't allow "NEW CERTIFICATE REQUEST" PEM blocks Sep 14, 2018
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 14, 2018
@liggitt liggitt added priority/backlog Higher priority than priority/awaiting-more-evidence. and removed kind/bug Categorizes issue or PR as related to a bug. labels Sep 14, 2018
@mikedanese
Copy link
Member

"NEW CERTIFICATE REQUEST" has been "deprecated" for 20 years in the openssl codebase... What problem would supporting this actually fix?

@liggitt
Copy link
Member

liggitt commented Sep 17, 2018

apparently it is still produced by the java keytool when generating CSRs (see description)

@liggitt liggitt mentioned this issue Sep 22, 2018
Closed
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 16, 2018
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 15, 2019
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Copy link
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/auth Categorizes an issue or PR as relevant to SIG Auth.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@liggitt @mikedanese @mlbiam @k8s-ci-robot @fejta-bot