Difference between revisions of "Cfssl api auth"
Latest revision as of 03:23, 14 August 2025
1. Generating an Authentication Key with openssl

To generate a suitable hex-encoded key for CFSSL authentication, you can use openssl. A 32-byte (256-bit) key is a good choice for HMAC-SHA-256.

```
openssl rand -hex 32
```

This command will output a 64-character hex string, which you can use as your auth_key.

2. CFSSL Server Configuration Example

Here is an example config.json file for the CFSSL server. This file defines the auth_keys and the profiles that will be authenticated.
```
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "authenticated_profile": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h",
        "auth_key": "my-key-id"
      }
    }
  },
  "auth_keys": {
    "my-key-id": {
      "type": "standard",
      "key": "b6a7a00f2e3a1f4b8c9d1e0f2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f"
    }
  }
}
```

Key parts of the configuration:

* signing.profiles.authenticated_profile: This defines a new signing profile. The key part is "auth_key": "my-key-id", which binds the profile to an entry in auth_keys; CFSSL then refuses to sign for this profile unless the request arrives through the authsign endpoint with a valid token.
* auth_keys: This section holds the authentication keys.
* my-key-id: This is an identifier for your key; profiles reference it by this name.
* type: "standard" selects CFSSL's HMAC-SHA-256 token scheme.
* key: This is the hex-encoded key you generated with openssl.
3. Starting the CFSSL Server

Once you have your config.json file, you can start the CFSSL server with this command:

```
cfssl serve -config=config.json
```

Now, any request to the authsign endpoint using the authenticated_profile will require a valid HMAC-SHA-256 signature generated with the auth_keys.

4. Python Script to Generate the curl Request

As mentioned, generating the HMAC token manually is difficult. Here is a Python script that simplifies the process by generating the authenticated curl command.
```
import base64
import hashlib
import hmac
import json

# Must match the "my-key-id" entry under auth_keys in config.json
auth_key_hex = "b6a7a00f2e3a1f4b8c9d1e0f2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f"

# Placeholder CSR; substitute the PEM-encoded CSR you want signed
csr = """-----BEGIN CERTIFICATE REQUEST-----
MIIC6jCCAVICAQAwJTEjMCEGA1UEAwwaYXV0aC1zaWduLmV4YW1wbGUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyYt6Yt1s1vH4kF7Vp7hL1jXq0sX0lJ3Yp5o8mJ7p1Qj0N6T7T4m6Y4n6Y7d8d0L8p4J4e4sX3m5x5q7q6j7w7s8z9o0p0a0b0d0c0b0a0t3l2o3l4m5j6k5n6n7k8o9o0o3p4q6r7s8t9o0t0p3q4r5s6t7u8v9w0x0y1y2z3a4b5c6d7e8f9g0h1i2j3k4l5m6n7o8p9q0r1s2t3u4v5w5x6y7z8a9b0c1d2e3f4g5h6i7j8k9l0m1n2o3p4q5r6s7t8u9v0w1x2y3z4a5b6c7d8e9f
-----END CERTIFICATE REQUEST-----
"""

request_payload = {
    "hostname": "auth-sign.example.com",
    "request": csr,
    "profile": "authenticated_profile"
}

# The server recomputes the HMAC over the exact bytes it receives, so the
# serialisation that is signed must be the one that is sent.
request_bytes = json.dumps(request_payload, sort_keys=True).encode("utf-8")
auth_key = bytes.fromhex(auth_key_hex)
token = hmac.new(auth_key, request_bytes, hashlib.sha256).digest()

# The authsign endpoint decodes both "token" and "request" as base64 (Go's
# encoding/json represents []byte fields that way), not as hex or raw JSON.
body = json.dumps({
    "token": base64.b64encode(token).decode("ascii"),
    "request": base64.b64encode(request_bytes).decode("ascii")
})

curl_command = f"""curl -X POST \\
    -H "Content-Type: application/json" \\
    -d '{body}' \\
    https://your-cfssl-server.com:8080/api/v1/cfssl/authsign
"""
print(curl_command)
```
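As an added example (not code from the original page or from the CFSSL project), here are both sides of the exchange described in sections 3 and 4: the client builds the authsign envelope exactly as the script above does, and a server-side check performs the profile-to-key lookup and constant-time HMAC verification that CFSSL's standard auth provider does, so you can see which malformed or altered requests get rejected and why. The CONFIG dict, its dummy key value and the request values are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed config mirroring the shape of the config.json above;
# the key value is a dummy for the example, not one to deploy.
CONFIG = {
    "signing": {"profiles": {"authenticated_profile": {"auth_key": "my-key-id"},
                             "open_profile": {"expiry": "8760h"}}},
    "auth_keys": {"my-key-id": {"type": "standard", "key": "11" * 32}},
}


def make_authsign_body(key_hex, request_obj):
    """Client side: HMAC-SHA-256 over the exact request bytes, base64 both fields."""
    req = json.dumps(request_obj, sort_keys=True).encode("utf-8")
    tok = hmac.new(bytes.fromhex(key_hex), req, hashlib.sha256).digest()
    return json.dumps({"token": base64.b64encode(tok).decode("ascii"),
                       "request": base64.b64encode(req).decode("ascii")})


def verify_authsign_body(config, body):
    """Server side: returns (accepted, reason, inner_request).

    Mirrors the checks CFSSL's standard auth provider makes: the profile named
    in the inner request must be bound to an auth key, and the token must equal
    HMAC-SHA-256(key, request bytes) under a constant-time comparison.
    """
    try:
        env = json.loads(body)
        tok = base64.b64decode(env["token"], validate=True)
        req = base64.b64decode(env["request"], validate=True)
        inner = json.loads(req)
    except (KeyError, TypeError, ValueError):
        return False, "malformed envelope", None
    if not isinstance(inner, dict):
        return False, "malformed request", None
    name = inner.get("profile")
    profile = config["signing"]["profiles"].get(name) if isinstance(name, str) else None
    if not profile or not profile.get("auth_key"):
        return False, "profile not bound to an auth key", None
    key_entry = config["auth_keys"].get(profile["auth_key"])
    if not key_entry or key_entry.get("type") != "standard":
        return False, "unknown auth key", None
    expected = hmac.new(bytes.fromhex(key_entry["key"]), req, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tok):  # constant-time, like hmac.Equal in Go
        return False, "bad token", None
    return True, "ok", inner
```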