
czertainly-keystore-entity-provider's People

Contributors

3keypradeep, 3keyroman, dependabot[bot], lubomirw

czertainly-keystore-entity-provider's Issues

Incorrect error handling and invalid error reporting when working with remote ssh keystore

Describe the bug

When trying to access a PKCS12 keystore on a Linux server which is missing the keytool command, CZERTAINLY doesn't report the problem correctly.

In case I just want to synchronize the keystore (i.e. read it into CZERTAINLY), it doesn't report anything. I would expect info that there was a problem reading the keystore.

In case I want to push some certificate into the keystore, it reports: Failed to push Certificate (400): Failed to push Certificate 1c525054-6f0e-4752-a304-35aeaa06c0bd to Location test-p12. Reason: {"message":""}. I expect to get info that there is some problem, like bash: keytool: command not found.

I'm testing on version 2.10.0.

To Reproduce
Steps to reproduce the behavior:

  1. Prepare a testing server without keytool
  2. Define a location on that server
  3. Try to push some certificate there
  4. See error

Expected behavior
I expect to receive a helpful error.

Additional context
There is no useful error message inside the keystore-entity-provider POD:

2024-02-01T18:01:43.377Z  INFO 9 --- [nio-8080-exec-1] .p.e.k.s.i.LocationAttributesServiceImpl : Getting the Attributes for Location of Entity test with UUID c75ae346-a83a-482d-a778-c6fe77e38dd3
2024-02-01T18:01:43.378Z  INFO 9 --- [nio-8080-exec-1] .p.e.k.s.i.LocationAttributesServiceImpl : Getting the Attributes for Push of Entity test with UUID c75ae346-a83a-482d-a778-c6fe77e38dd3
2024-02-01T18:01:43.395Z  WARN 9 --- []-nio2-thread-4] o.a.s.c.k.AcceptAllServerKeyVerifier     : Server at /192.168.1.164:22 presented unverified EC key: SHA256:sOzXOJfiKR2gzPDxyp/4sWilZ7J+kx0PE4RBIHrNVAQ
2024-02-01T18:01:43.395Z  WARN 9 --- []-nio2-thread-4] o.a.s.c.k.KnownHostsServerKeyVerifier    : handleKnownHostsFileUpdateFailure(ClientSessionImpl[test@/192.168.1.164:22])[/192.168.1.164:22] failed (FileSystemException) to update key=ecdsa-sha2-nistp256-SHA256:sOzXOJfiKR2gzPDxyp/4sWilZ7J+kx0PE4RBIHrNVAQ in /opt/czertainly/.ssh/known_hosts: /opt/czertainly/.ssh/known_hosts: Read-only file system
2024-02-01T18:01:43.396Z  INFO 9 --- []-nio2-thread-4] .s.c.k.e.p.HostBoundPubkeyAuthentication : Server announced support for publickey-hostbound@openssh.com version 0
2024-02-01T18:01:44.003Z  WARN 9 --- []-nio2-thread-3] o.a.s.c.k.AcceptAllServerKeyVerifier     : Server at /192.168.1.164:22 presented unverified EC key: SHA256:sOzXOJfiKR2gzPDxyp/4sWilZ7J+kx0PE4RBIHrNVAQ
2024-02-01T18:01:44.004Z  WARN 9 --- []-nio2-thread-3] o.a.s.c.k.KnownHostsServerKeyVerifier    : handleKnownHostsFileUpdateFailure(ClientSessionImpl[test@/192.168.1.164:22])[/192.168.1.164:22] failed (FileSystemException) to update key=ecdsa-sha2-nistp256-SHA256:sOzXOJfiKR2gzPDxyp/4sWilZ7J+kx0PE4RBIHrNVAQ in /opt/czertainly/.ssh/known_hosts: /opt/czertainly/.ssh/known_hosts: Read-only file system
2024-02-01T18:01:44.005Z  INFO 9 --- []-nio2-thread-3] .s.c.k.e.p.HostBoundPubkeyAuthentication : Server announced support for publickey-hostbound@openssh.com version 0
2024-02-01T18:01:44.229Z  WARN 9 --- []-nio2-thread-3] o.a.s.c.k.AcceptAllServerKeyVerifier     : Server at /192.168.1.164:22 presented unverified EC key: SHA256:sOzXOJfiKR2gzPDxyp/4sWilZ7J+kx0PE4RBIHrNVAQ
2024-02-01T18:01:44.229Z  WARN 9 --- []-nio2-thread-3] o.a.s.c.k.KnownHostsServerKeyVerifier    : handleKnownHostsFileUpdateFailure(ClientSessionImpl[test@/192.168.1.164:22])[/192.168.1.164:22] failed (FileSystemException) to update key=ecdsa-sha2-nistp256-SHA256:sOzXOJfiKR2gzPDxyp/4sWilZ7J+kx0PE4RBIHrNVAQ in /opt/czertainly/.ssh/known_hosts: /opt/czertainly/.ssh/known_hosts: Read-only file system
2024-02-01T18:01:44.230Z  INFO 9 --- []-nio2-thread-3] .s.c.k.e.p.HostBoundPubkeyAuthentication : Server announced support for publickey-hostbound@openssh.com version 0
2024-02-01T18:01:44.444Z  WARN 9 --- []-nio2-thread-2] o.a.s.c.k.AcceptAllServerKeyVerifier     : Server at /192.168.1.164:22 presented unverified EC key: SHA256:sOzXOJfiKR2gzPDxyp/4sWilZ7J+kx0PE4RBIHrNVAQ
2024-02-01T18:01:44.445Z  WARN 9 --- []-nio2-thread-2] o.a.s.c.k.KnownHostsServerKeyVerifier    : handleKnownHostsFileUpdateFailure(ClientSessionImpl[test@/192.168.1.164:22])[/192.168.1.164:22] failed (FileSystemException) to update key=ecdsa-sha2-nistp256-SHA256:sOzXOJfiKR2gzPDxyp/4sWilZ7J+kx0PE4RBIHrNVAQ in /opt/czertainly/.ssh/known_hosts: /opt/czertainly/.ssh/known_hosts: Read-only file system
2024-02-01T18:01:44.445Z  INFO 9 --- []-nio2-thread-2] .s.c.k.e.p.HostBoundPubkeyAuthentication : Server announced support for publickey-hostbound@openssh.com version 0
2024-02-01T18:01:44.663Z  INFO 9 --- [nio-8080-exec-1] c.c.p.e.k.ExceptionHandlingAdvice        : HTTP 400: 

Calling remote commands does not handle errors correctly. Here is a transcript of the executed commands:

Feb  1 19:01:43 syslog test[53144]: executing scp -t -- /tmp/WETZ7Qecy5k=
Feb  1 19:01:43 syslog test[53144]: executing scp -t -- /tmp/WETZ7Qecy5k=
Feb  1 19:01:44 syslog test[53155]: executing keytool -importcert -keystore /home/test/cert-clt.p12 -storetype PKCS12 -storepass whatever -alias czertainly -file /tmp/WETZ7Qecy5k= -trustcacerts -noprompt
Feb  1 19:01:44 syslog test[53155]: executing keytool -importcert -keystore /home/test/cert-clt.p12 -storetype PKCS12 -storepass whatever -alias czertainly -file /tmp/WETZ7Qecy5k= -trustcacerts -noprompt
Feb  1 19:01:44 syslog test[53164]: executing keytool -list -rfc -keystore /home/test/cert-clt.p12 -storetype PKCS12 -storepass whatever -alias czertainly
Feb  1 19:01:44 syslog test[53164]: executing keytool -list -rfc -keystore /home/test/cert-clt.p12 -storetype PKCS12 -storepass whatever -alias czertainly
Feb  1 19:01:44 syslog test[53173]: executing rm /tmp/WETZ7Qecy5k=
Feb  1 19:01:44 syslog test[53173]: executing rm /tmp/WETZ7Qecy5k=

Note that:

  1. CZERTAINLY tries to execute several keytool commands even after the first one fails (the keytool command is not present on the target server); this means that it doesn't handle errors correctly.
  2. Commands are duplicated.

To record which commands are being executed, place:

Match User test
        ForceCommand /bin/bash -rc 'logger -p user.notice "executing $SSH_ORIGINAL_COMMAND"; $SSH_ORIGINAL_COMMAND'

test is the username of the user being used; executed commands are logged to the /var/log/user.log file on a default Debian Bookworm system.
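The failure mode in this report (one remote step fails, the following steps still run, and the user gets an empty message) is illustrated below by a fail-fast push pipeline. This is an added example written for this page, not the connector's code: the real connector uploads with scp -t over Apache MINA SSHD exec channels, whereas here the transport is a pluggable runner, the upload step is a "cat >" stand-in, and make_target is a constructed simulation of the report's host with keytool absent (exit status 127, which is what bash returns for "command not found"). The keystore path, store password and alias mirror the syslog transcript above and are only sample values.

```python
"""Fail-fast remote command pipeline that surfaces the target's stderr (added example)."""
import base64
import os
import shlex
import subprocess
from typing import Callable, List, Tuple

# One remote invocation: (command, stdin bytes) -> (exit code, stdout, stderr).
# Over SSH this would be one exec channel per command; it is pluggable here so the
# pipeline can be exercised offline against a simulated target.
Runner = Callable[[str, bytes], Tuple[int, str, str]]


class RemoteCommandError(RuntimeError):
    """Raised on the first non-zero exit. Carries the target's stderr so the caller
    can show e.g. 'bash: keytool: command not found' instead of an empty message."""

    def __init__(self, command: str, rc: int, stderr: str) -> None:
        self.command, self.rc, self.stderr = command, rc, stderr.strip()
        super().__init__(f"remote command {command!r} exited {rc}: {self.stderr or '<no stderr>'}")


def local_shell_runner(command: str, stdin: bytes = b"") -> Tuple[int, str, str]:
    """Runs the command through the local sh; stands in for the SSH exec channel."""
    p = subprocess.run(["sh", "-c", command], input=stdin, capture_output=True)
    return p.returncode, p.stdout.decode(errors="replace"), p.stderr.decode(errors="replace")


def push_certificate(runner: Runner, keystore: str, storepass: str, alias: str,
                     cert_pem: bytes, executed: List[str]) -> str:
    """Upload the certificate, import it, read it back, remove the temp file.
    Stops at the first failing step; every command issued is appended to `executed`."""
    tmp = "/tmp/" + base64.urlsafe_b64encode(os.urandom(9)).decode()  # 12 chars, no '=' padding

    def run(cmd: str, stdin: bytes = b"") -> str:
        executed.append(cmd)
        rc, out, err = runner(cmd, stdin)
        if rc != 0:
            raise RemoteCommandError(cmd, rc, err)   # fail fast: later steps never run
        return out

    q = shlex.quote
    try:
        run(f"cat > {q(tmp)}", cert_pem)              # stand-in for the 'scp -t' upload
        run(f"keytool -importcert -keystore {q(keystore)} -storetype PKCS12 "
            f"-storepass {q(storepass)} -alias {q(alias)} -file {q(tmp)} -trustcacerts -noprompt")
        return run(f"keytool -list -rfc -keystore {q(keystore)} -storetype PKCS12 "
                   f"-storepass {q(storepass)} -alias {q(alias)}")
    finally:
        try:
            run(f"rm -f {q(tmp)}")                   # always clean up the uploaded file
        except RemoteCommandError:
            pass                                     # cleanup failure must not mask the real error


def make_target(has_keytool: bool) -> Runner:
    """Constructed stand-in for the remote host in the bug report: every command
    succeeds except that 'keytool' may be missing, as it was on the tested server."""
    def runner(command: str, stdin: bytes = b"") -> Tuple[int, str, str]:
        prog = shlex.split(command)[0]
        if prog == "keytool" and not has_keytool:
            return 127, "", "bash: keytool: command not found\n"
        if prog == "keytool" and "-list" in command:
            return 0, "Alias name: czertainly\n", ""
        return 0, "", ""
    return runner


def push_outcome(has_keytool: bool) -> Tuple[bool, str, List[str]]:
    """Returns (success, message, commands issued) for a push against a simulated target."""
    executed: List[str] = []
    cert = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"  # placeholder, not a real cert
    try:
        out = push_certificate(make_target(has_keytool), "/home/test/cert-clt.p12", "whatever",
                               "czertainly", cert, executed)
        return True, out, executed
    except RemoteCommandError as e:
        return False, str(e), executed


if __name__ == "__main__":
    for has_keytool in (False, True):
        ok, msg, cmds = push_outcome(has_keytool)
        print(f"keytool present={has_keytool}: ok={ok}, {len(cmds)} commands, message={msg!r}")
```

Against the simulated host without keytool the pipeline issues exactly three commands (the upload, the failing import, the cleanup) and the error carries the shell's own message; with keytool present it issues four and returns the listing. Because -storepass travels in argv it also lands in process listings and in logs such as the syslog transcript above; keytool's documented -storepass:env and -storepass:file modifiers read the password from the environment or a file instead.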
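The POD log above also shows org.apache.sshd's AcceptAllServerKeyVerifier accepting an "unverified EC key" and the known_hosts update failing because /opt/czertainly/.ssh/known_hosts sits on a read-only file system, so the server's identity is never actually checked. Below is an added Python example (not the project's code) of the alternative a practitioner would want: pin each host to the OpenSSH SHA256 fingerprint format that appears in those log lines, with the pins loaded from plain known_hosts lines. SAMPLE_BLOB and SAMPLE_KNOWN_HOSTS are constructed for the example; the blob has the correct ecdsa-sha2-nistp256 wire layout but a synthetic point, not a real key.

```python
"""Pin SSH host keys by OpenSSH SHA256 fingerprint instead of accepting any key (added example)."""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Tuple

HostPort = Tuple[str, int]


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def key_type_of(blob: bytes) -> str:
    """The key type is the first RFC 4251 string of a wire-format public key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def openssh_sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH's format: 'SHA256:' + base64(sha256(blob)) with the '=' padding removed,
    i.e. the form shown in the connector's log lines."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text: str) -> Dict[HostPort, str]:
    """Maps (host, port) -> fingerprint from plain known_hosts lines of the form
    'host[,host...] keytype base64blob [comment]'; non-default ports appear as '[host]:port'.
    Comments, hashed '|1|' hosts and '@cert-authority'/'@revoked' markers are skipped here."""
    pins: Dict[HostPort, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or line.startswith(("#", "|1|", "@")):
            continue
        blob = base64.b64decode(parts[2])
        if key_type_of(blob) != parts[1]:
            continue  # inconsistent line: refuse to learn a pin from it
        fp = openssh_sha256_fingerprint(blob)
        for host in parts[0].split(","):
            if host.startswith("[") and "]:" in host:
                name, port = host[1:].rsplit("]:", 1)
                pins[(name, int(port))] = fp
            else:
                pins[(host, 22)] = fp
    return pins


class PinnedHostKeyVerifier:
    """Accepts a server key only if its fingerprint equals the pin recorded for that
    host and port. Unknown hosts are rejected rather than learned on first use, which
    also removes the need to write known_hosts at runtime."""

    def __init__(self, pins: Dict[HostPort, str]) -> None:
        self.pins = dict(pins)

    def verify(self, host: str, port: int, blob: bytes) -> bool:
        expected = self.pins.get((host, port))
        if expected is None:
            return False
        return hmac.compare_digest(openssh_sha256_fingerprint(blob), expected)


# Constructed ecdsa-sha2-nistp256 blob: correct wire layout, synthetic point (not a real key).
SAMPLE_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
               + ssh_string(b"\x04" + bytes(range(64))))
# Constructed known_hosts content pinning two hosts to that blob.
SAMPLE_KNOWN_HOSTS = (
    "# constructed for this example\n"
    "192.168.1.164 ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode() + "\n"
    "[10.0.0.5]:2222 ecdsa-sha2-nistp256 " + base64.b64encode(SAMPLE_BLOB).decode() + " lab\n"
)


def check_sample(host: str, port: int, blob: bytes) -> bool:
    """Verifies a presented key blob against the pins parsed from SAMPLE_KNOWN_HOSTS."""
    return PinnedHostKeyVerifier(parse_known_hosts(SAMPLE_KNOWN_HOSTS)).verify(host, port, blob)


if __name__ == "__main__":
    print(openssh_sha256_fingerprint(SAMPLE_BLOB))
    print("pinned host, same key:", check_sample("192.168.1.164", 22, SAMPLE_BLOB))
    print("pinned host, altered key:", check_sample("192.168.1.164", 22, SAMPLE_BLOB[:-1] + b"\x00"))
    print("unknown host:", check_sample("203.0.113.9", 22, SAMPLE_BLOB))
```

The fingerprint string can be compared directly with what ssh-keygen -l -E sha256 prints for the same public key, so pins can be collected out of band and shipped with the connector's configuration rather than learned from the first connection.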

Fix metadata assignment for keystore entries

The metadata attributes are overwritten instead of appended in LocationServiceImpl.

For example, in the method pushCertificateToLocation, there is:

PushCertificateResponseDto responseDto = new PushCertificateResponseDto();
responseDto.setCertificateMetadata(List.of(getAliasMetadata(alias)));

// and later in the code:
responseDto.setCertificateMetadata(List.of(getEntryTypeMetadata(certs.get(0).isKeyEntry())));

The intention was to append metadata attributes; however, they are replaced instead, which causes issues during certificate renewal in the keystore because no alias attribute is found.

Implement sample Entity Provider for Java KeyStore

Implement a connector with the Entity provider function group for Java KeyStore.

  • manage locations on the server
  • manage certificates in locations
  • communicate with the server through SSH to push certificates to, and retrieve them from, a location