Cfssl api auth
1. Generating an Authentication Key with openssl

CFSSL's "standard" authentication provider computes an HMAC-SHA-256 over the request, so a 32-byte (256-bit) key is the natural choice. Generate a hex-encoded one with openssl:

```sh
openssl rand -hex 32
```

This prints a 64-character hex string; use it as the `key` value in the server's auth_keys section. Treat it like a CA credential and keep it out of version control: anyone holding it can obtain certificates from every profile it protects.

2. CFSSL Server Configuration Example

Here is an example config.json for the CFSSL server. It defines the auth_keys and a profile that is bound to one of them.

```json
{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "authenticated_profile": {
        "usages": ["signing", "key encipherment", "server auth", "client auth"],
        "expiry": "8760h",
        "auth_key": "my-key-id"
      }
    }
  },
  "auth_keys": {
    "my-key-id": {
      "type": "standard",
      "key": "b6a7a00f2e3a1f4b8c9d1e0f2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f"
    }
  }
}
```

Key parts of the configuration:

* signing.profiles.authenticated_profile: a signing profile. The important setting is "auth_key": "my-key-id", which binds the profile to an entry in auth_keys; requests for this profile are accepted only on the authsign endpoint with a valid token, and the plain sign endpoint refuses them with "authentication required". (auth_remote is a different setting: it tells a CFSSL instance how to authenticate to an upstream remote signer and does not make a local profile require authentication.)
* auth_keys: the named authentication keys.
* my-key-id: the identifier the profile refers to.
* type: "standard" selects the HMAC-SHA-256 provider.
* key: the hex-encoded key you generated with openssl.

Note that the default profile above has no auth_key, so unauthenticated requests to the sign endpoint that omit a profile (or name one without auth_key) still succeed. Add auth_key to every profile, including default, if all signing should require a token.

3. Starting the CFSSL Server

Once you have config.json, start the server together with the CA certificate and key it signs with:

```sh
cfssl serve -ca=ca.pem -ca-key=ca-key.pem -config=config.json
```

By default cfssl serve listens on 127.0.0.1:8888 (change with -address and -port). Any request to the authsign endpoint that names authenticated_profile now needs a valid HMAC-SHA-256 token computed with the key in auth_keys.

4. Python Script to Generate the curl Request

Building the token by hand is error-prone: the HMAC must be computed over exactly the bytes that are sent, and the authsign endpoint expects both the token and the request as base64 strings (the server unmarshals them as byte slices). The script below reads a PEM CSR from csr.pem, builds the sign request, MACs it, and prints a ready-to-run curl command.

```python
import base64
import hashlib
import hmac
import json

# Same key as the server's auth_keys entry "my-key-id".
auth_key_hex = "b6a7a00f2e3a1f4b8c9d1e0f2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f"

# PEM-encoded CSR to be signed (for example from cfssl genkey or openssl req).
with open("csr.pem") as f:
    csr = f.read()

# Inner sign request: the same JSON the sign endpoint takes directly.
# "certificate_request" carries the PEM CSR; "profile" must name a profile
# that has an auth_key, otherwise authsign rejects the request.
sign_request = {
    "certificate_request": csr,
    "hosts": ["auth-sign.example.com"],
    "profile": "authenticated_profile",
}

# MAC exactly the serialised bytes that will be sent, then base64 both parts.
raw_request = json.dumps(sign_request).encode("utf-8")
auth_key = bytes.fromhex(auth_key_hex)
token = hmac.new(auth_key, raw_request, hashlib.sha256).digest()

body = {
    "token": base64.b64encode(token).decode("ascii"),
    "request": base64.b64encode(raw_request).decode("ascii"),
}

# Base64 never contains a single quote, so the body is safe inside '...' for the shell.
# cfssl serve listens on port 8888 by default.
curl_command = f"""curl -X POST \\
  -H "Content-Type: application/json" \\
  -d '{json.dumps(body)}' \\
  https://your-cfssl-server.com:8888/api/v1/cfssl/authsign
"""
print(curl_command)
```

On success the server answers with {"success": true, "result": {"certificate": "..."}}; piping that response through cfssljson -bare server writes the signed certificate to server.pem.
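As an added example (editorial code, not from the original page or from the CFSSL project), the script below builds an authsign body the same way as the generator above and also re-implements the check the server performs for a "standard" auth key: decode both base64 fields, look up the profile named inside the request, find that profile's auth_key, recompute the HMAC over the raw request bytes and compare in constant time. It goes beyond the page by showing the rejection cases a practitioner cares about: a request whose inner JSON was altered after signing, a token made with the wrong key, and a request for a profile that has no auth_key. The config dict, key and sign request are constructed samples that mirror the config.json above; the CSR string is a placeholder, not a real CSR.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample mirroring config.json (the key is the same placeholder hex
# string used above, not a real secret).
CONFIG = {
    "signing": {
        "default": {"expiry": "8760h"},
        "profiles": {
            "authenticated_profile": {"expiry": "8760h", "auth_key": "my-key-id"},
            "open_profile": {"expiry": "8760h"},
        },
    },
    "auth_keys": {
        "my-key-id": {
            "type": "standard",
            "key": "b6a7a00f2e3a1f4b8c9d1e0f2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f",
        }
    },
}

# Constructed sample sign request; the CSR is a placeholder for real PEM.
SIGN_REQUEST = {
    "certificate_request": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----\n",
    "hosts": ["auth-sign.example.com"],
    "profile": "authenticated_profile",
}


class AuthError(Exception):
    """Raised when an authenticated request does not verify."""


def standard_token(key_hex: str, request_bytes: bytes) -> bytes:
    """HMAC-SHA-256 over the raw request bytes, as the 'standard' provider does."""
    return hmac.new(bytes.fromhex(key_hex), request_bytes, hashlib.sha256).digest()


def build_authsign_body(key_hex: str, sign_request: dict) -> dict:
    """Client side: serialise the sign request, MAC exactly those bytes, base64 both."""
    raw = json.dumps(sign_request, separators=(",", ":")).encode("utf-8")
    return {
        "token": base64.b64encode(standard_token(key_hex, raw)).decode("ascii"),
        "request": base64.b64encode(raw).decode("ascii"),
    }


def verify_authsign_body(config: dict, body: dict) -> dict:
    """Server side: returns the inner sign request if the token verifies, else raises."""
    try:
        raw = base64.b64decode(body["request"], validate=True)
        token = base64.b64decode(body["token"], validate=True)
        inner = json.loads(raw)
    except (KeyError, ValueError) as exc:
        raise AuthError(f"malformed authenticated request: {exc}") from exc

    # The profile named inside the MACed request decides which key applies;
    # an absent profile falls back to signing.default, which has no auth_key here.
    name = inner.get("profile")
    profile = config["signing"]["profiles"].get(name) if name else config["signing"].get("default")
    if profile is None:
        raise AuthError(f"unknown profile {name!r}")
    key_name = profile.get("auth_key")
    if not key_name:
        raise AuthError(f"profile {name!r} has no auth_key; authsign is not usable for it")
    key_cfg = config["auth_keys"][key_name]
    if key_cfg.get("type") != "standard":
        raise AuthError(f"unsupported auth key type {key_cfg.get('type')!r}")

    # Constant-time comparison; never use == on MACs.
    if not hmac.compare_digest(standard_token(key_cfg["key"], raw), token):
        raise AuthError("invalid token")
    return inner


def accepted(config: dict, body: dict) -> bool:
    """Convenience wrapper: True if the body verifies, False otherwise."""
    try:
        verify_authsign_body(config, body)
        return True
    except AuthError:
        return False


def tampered_is_rejected(config: dict, key_hex: str, sign_request: dict) -> bool:
    """Swap the hosts in a validly signed request without re-MACing; the server must refuse it."""
    body = build_authsign_body(key_hex, sign_request)
    forged = dict(sign_request, hosts=["evil.example.com"])
    body["request"] = base64.b64encode(
        json.dumps(forged, separators=(",", ":")).encode("utf-8")
    ).decode("ascii")
    return not accepted(config, body)


if __name__ == "__main__":
    key_hex = CONFIG["auth_keys"]["my-key-id"]["key"]
    body = build_authsign_body(key_hex, SIGN_REQUEST)
    print(json.dumps(body, indent=2))
    print("verified:", verify_authsign_body(CONFIG, body) == SIGN_REQUEST)
    print("tampered rejected:", tampered_is_rejected(CONFIG, key_hex, SIGN_REQUEST))
```

Because the token covers the serialised request bytes rather than the parsed fields, any change to hosts, profile or the CSR after signing invalidates it, and because the profile is taken from inside the MACed request an attacker cannot point a token issued for one profile at another. The same property means the client must send the exact bytes it MACed, which is why the request travels as base64 rather than being re-serialised by the transport.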