If there is info missing in the API request, supplement it with information pulled out of the CSR pem.

TBD: add unit tests. I'm putting this PR up early to give the CFSSL devs a chance to get started on code review.

The recently added method replaceSliceIfEmpty from aeaf899bba868e70ba78c478be99b7b4cb266915 interferes with clearing unwanted Name fields.

The logic today chooses to copy the CSR-supplied Name fields if the signer.Subject object includes strings of length 0.

We need to be able to clear these fields, as we cannot trust the user's input, but passing strings of length 0 no longer does the trick. Of course, we can't send nil pointers either.

We need some better way to indicate to CFSSL to discard the CSR names.

Adds new scan command, that performs a variety of connectivity and TLS protocol tests.

Unfortunately, some of these require importing the go standard library's crypto/tls package's source in order to access private members. These are used in scan/tls/cfsslscan_*.go files to export additional functionality not supplied by the crypto/tls API.

Support for the standard CFSSL HTTP API is forthcoming, but comments on this initial structure might be useful first.

CFSSL is capable of generating CRLs, but mainly in a swiss army knife fashion. This PR enables CFSSL to generate a CRL out of its configured DB/CA, both in CLI and API Server mode.

TODO:

• [x] Unit Tests
• [x] Endpoint Documentation

This submission adds support for ECDSA (P224, P256, P384, P521) for crypto.pkcs11.Key. This code was tested with a smart-card (P256) and a software token (other curves).

Why do I get this warning when trying to create a server certificate using an intermediate CA?

> cfssl version
Version: 1.2.0
Revision: dev
Runtime: go1.7.4

> cfssl gencert -ca .\intermediate.pem -ca-key .\intermediate-key.pem -config .\intermediate-signing-config.json -profile server .\server.json | cfssljson -bare server
2017/01/24 15:24:42 [INFO] generate received request
2017/01/24 15:24:42 [INFO] received CSR
2017/01/24 15:24:42 [INFO] generating key: ecdsa-256
2017/01/24 15:24:42 [INFO] encoded CSR
2017/01/24 15:24:42 [INFO] signed certificate with serial number 696568760590259425976467472465542311375839466856
2017/01/24 15:24:42 [WARNING] This certificate lacks a "hosts" field. This makes it unsuitable for
websites. For more information see the Baseline Requirements for the Issuance and Management
of Publicly-Trusted Certificates, v.1.1.6, from the CA/Browser Forum (https://cabforum.org);
specifically, section 10.2.3 ("Information Requirements").

intermediate-signing-config.json:

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "server": {
        "expiry": "8760h",
        "usages": [
          "signing",
          "key encipherment",
          "server auth"
        ]
      }
    }
  }
}

server.json

{
  "CN": "example.net",
  "hosts": [
    "example.net",
    "www.example.net"
  ],
  "key": {
    "algo": "ecdsa",
    "size": 256
  },
  "names": [
    {
      "C": "US",
      "L": "CA",
      "ST": "San Francisco"
    }
  ]
}

Output of cfssl-certinfo -cert .\server.pem:

{
  "subject": {
    "common_name": "example.net",
    "country": "US",
    "locality": "CA",
    "province": "San Francisco",
    "names": [
      "US",
      "San Francisco",
      "CA",
      "example.net"
    ]
  },
  "issuer": {
    "common_name": "My Intermediate CA"
    [Shortened]
  },
  "serial_number": "696568760590259425976467472465542311375839466856",
  "sans": [
    "example.net",
    "www.example.net"
  ],
  "not_before": "2017-01-24T14:20:00Z",
  "not_after": "2018-01-24T14:20:00Z",
  "sigalg": "ECDSAWithSHA256"
  [Shortened]
}

Hi,

I'm trying to setup an internal CA using CFSSL. Started experimenting. Followed bootstrap.txt, the build and install all went fine, I created a ca.json file, and ended up with a ca.pem and ca-key.pem file. I moved them into /etc/cfssl, but when I started cfssl server it throws a lot of errors starting with this:

2016/03/29 09:58:23 [INFO] Initializing signer
2016/03/29 09:58:23 [WARNING] couldn't initialize signer: {"code":2000,"message":"Unknown private key error"}
2016/03/29 09:58:23 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2016/03/29 09:58:23 [INFO] Setting up '/api/v1/cfssl/newkey' endpoint
2016/03/29 09:58:23 [INFO] setting up key / CSR generator
2016/03/29 09:58:23 [INFO] Setting up '/api/v1/cfssl/ocspsign' endpoint
2016/03/29 09:58:23 [WARNING] endpoint '/api/v1/cfssl/ocspsign' is disabled: signer not initialized
... more like this ...

It looks like some of the fields in the JSON config (address, db-config, and aki at least) are not being read from JSON. I can set the address and db-config flags from the command line, but that's a bit less than ideal.

I also tried setting the aki field using the -aki flag, but it isn't getting inserted into the certificates.authority_key_identifier column in MySQL, preventing certificate revocation. I assume it's not being read from the config file, but it could be a separate issue altogether.

Edit: I should probably mention that this is compiled with go 1.8, the linux x86_64 package from golang.org/dl/

Here are my setup steps:

$ git clone https://github.com/cloudflare/cfssl.git $GOPATH/src/github.com/cloudflare/cfssl
$ cd $GOPATH/src/github.com/cloudflare/cfssl/
$ pushd cli/serve && rice embed-go && popd
$ go get github.com/cloudflare/cfssl/cmd/cfssl
$ go get github.com/cloudflare/cfssl/cmd/...
$ cfssl serve -ca ca.pem -ca-key ca-key.pem -config config.json
2017/03/29 14:40:45 [INFO] Initializing signer
2017/03/29 14:40:45 [WARNING] couldn't initialize ocsp signer: open : no such file or directory
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/gencrl' is enabled
2017/03/29 14:40:45 [WARNING] endpoint 'ocspsign' is disabled: signer not initialized
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/init_ca' is enabled
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/certinfo' is enabled
2017/03/29 14:40:45 [WARNING] endpoint 'revoke' is disabled: cert db not configured (missing -db-config)
2017/03/29 14:40:45 [INFO] endpoint '/' is enabled
2017/03/29 14:40:45 [INFO] setting up key / CSR generator
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/newkey' is enabled
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/scan' is enabled
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/scaninfo' is enabled
2017/03/29 14:40:45 [WARNING] endpoint 'sign' is disabled: {"code":5200,"message":"Invalid or unknown policy"}
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/info' is enabled
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/newcert' is enabled
2017/03/29 14:40:45 [INFO] bundler API ready
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/bundle' is enabled
2017/03/29 14:40:45 [INFO] endpoint '/api/v1/cfssl/authsign' is enabled
2017/03/29 14:40:45 [WARNING] endpoint 'crl' is disabled: cert db not configured (missing -db-config)
2017/03/29 14:40:45 [INFO] Handler set up complete.
2017/03/29 14:40:45 [INFO] Now listening on 127.0.0.1:8888

This is the config I'm using:

{
    "address": "10.x.x.x",
    "cafile": "/etc/cfssl/ca.pem",
    "cakeyfile": "/etc/cfssl/ca-key.pem",
    "tls-cert": "<removed>",
    "tls-key": "<removed>",
    "responder": "<removed>",
    "responder-key": "<removed>",
    "aki": "<removed>",
    "db-config": "/etc/cfssl/db-config.json",
    "signing": {
	"profiles": {
            "server": {
                "auth_key": "key1",
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "auth_key": "key1",
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        },
        "default": {
            "auth_key": "key1",
            "expiry": "8760h",
            "usages": [
                "signing",
                "key encipherment",
                "client auth",
                "server auth"
            ]
        }
    },
    "auth_keys": {
        "key1": {
            "type": "standard",
            "key": "<removed>"
        }
    }
}

Uses a hardcoded SQLite db.

When a certificate is signed, it is recorded in the cert store.

Later, the revoke tool can be used to revoke a certificate.

cfssl ocspgen will generate a file of concatenated OCSP responses for all unexpired certificates in the cert store.

I'm opening the PR to gather feedback on this very partial implementation and run CI tests

Added tags "-tls-cert" and "-tls-key" for "cfssl serve" command. With a endpoint user's certificate and key (pem files) , the cfssl can be served on a secure HTTP protocol (HTTPS)

using Go's default cipher suites , please comment if your browser supports other cipher suites thats not listed.

TLS_RSA_WITH_RC4_128_SHA                
TLS_RSA_WITH_3DES_EDE_CBC_SHA           
TLS_RSA_WITH_AES_128_CBC_SHA            
TLS_RSA_WITH_AES_256_CBC_SHA            
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA       
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA   
TLS_ECDHE_RSA_WITH_RC4_128_SHA          
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA    
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256  
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

This is to fix the test issue blocking other pull requests. The initial static tests on bundler are showing their age and need to be improve/rewritten. This is the first step of this. And more will come.

Summary of changes:

• Revert the initial design of SHA1 deprecation policy being part of platform metadata because it makes metadata bloated. Instead, the platform metadata should only contain info on CA trust root stores and crypto support.
• New design of SHA1 deprecation consideration
  • It's only about browsers.
  • It's currently only for warning purpose.
  • The list of SHA1 deprecated browsers are much more static than root certificate stores.
• Create a new type called SHA1Deprecated to handle SHA1 deprecation warning.
• Make it explicit that ubiquity scoring doesn't take SHA1 deprecation into account. Right now the weights of Chrome browsers in the original metadata file is encoded as 0. So this is a safe change. And the scoring can be changed later, in a more flexible way.
• Hardcode the list of Chrome versions that would conditionally reject SHA1 certificate chain. And we can certainly add more in the future.
• Rename function DeprecatedSHA1Platforms to DeprecatedSHA1Browsers
• Make sure the tests about SHA1 deprecation warning is the same in bundler.
• Switch from static tests of SHA1 deprecation warning to dynamic ones in bundler package.
• improve test coverage in ubiquity package

The cfssl docker images supports amd64 arch only. Are there any plans to extend its support to other architectures?

Also we did not got much clarity on how the docker images for cfssl are getting build and published. Could you please elaborate on how its done?

We feel that enabling docker buildx support will be the simplest way to achieve multi-arch support and we would like to provide assistance (if the idea sounds good). Please let us know your thoughts.

Running the following

cfssl bundle -ca-bundle /path/ca.pem -int-bundle /path/intermediate_ca.pem -cert /path/web.pem | cfssljson -bare web-full

The call returns fine, but nothing is produced. Without piping to cfssljon I can see that the bundle does get produced.

sh-4.2$ cfssljson -version
Version: 1.6.3
Runtime: go1.18

I generated my self-signed CA by cfssl gencert -initca, but the default term of validity is 5 years. How can I modify it to 10 years ? I don’t want to recreate a new CA, because it has signed a lot of sub CAs.

Anyone can help me ? Thanks so much .

• [x] follow-up of / depends on https://github.com/cloudflare/cfssl/pull/1255

This was the only location where this assertion library was used; all other code in this repository used Go's stdlib for assertions. The remaining uses in this package could be replaced without too much trouble, which allowed for the dependency (including its indirect dependencies) to be removed altogether.

Context

Creating a certificate authority using a two-tier key heirarchy. Root here is used ONLY to generate a new CA, and is stored in a 'secure' location under my bed

Usage

cfssl gencert -initca -profile intermediate -config config.json -ca root.pem -ca-key root-key.pem ca-csr.json

Expected outcome:

Generates a new CA certificate signed by the Root certificate, which includes the options specified by the profile "intermediate" in config.json

Actual outcome:

Generates a basic self signed certificate as if no options were specified.

Workaround 1

Generate and sign the certificate as two separate steps i.e. cfssl gencert -initca csr.json | cfssljson -bare ca cfssl sign -profile intermediate -config config.json ...

Workaround 2

Including

"ca_constraint": {
    "is_ca": true
}

in the config.json profile for a certificate has a similar outcome.

Notes

This can be confusing to understand, especially considering the documentation makes no mention of keys invalidating other keys. In this case, I was unaware that my config options were being ignored until inspected the certificate directly. Would be handy to have a warning if arguments are discarded.

Thanks! :)

Hi, thank you very much for this super helpful library! I was wondering whether it is easily possible to create an own go web server that uses the cfssl instead of creating a wrapper server that forwards requests to it?