globalsign / est Goto Github PK

Hello,

i succesfully compile estclient under Ubuntu (amd64) and Raspbian (armv6l) but seems that i can't compile estclient under Windows; this is the output i get:

C:\Windows\System32>go version
go version go1.22.0 windows/amd64

C:\Windows\System32>go install github.com/globalsign/est/cmd/estclient@latest
github.com/ThalesIgnite/crypto11
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\crypto11.go:120:16: undefined: pkcs11.ObjectHandle
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\crypto11.go:139:22: undefined: pkcs11.ObjectHandle
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\crypto11.go:167:14: undefined: pkcs11.Ctx
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\crypto11.go:170:16: undefined: pkcs11.TokenInfo
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\crypto11.go:176:27: undefined: pkcs11.SessionHandle
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\aead.go:56:64: undefined: pkcs11.Mechanism
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\aead.go:56:83: undefined: pkcs11.GCMParams
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\attributes.go:15:25: undefined: pkcs11.Attribute
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\sessions.go:34:17: undefined: pkcs11.Ctx
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\sessions.go:35:16: undefined: pkcs11.SessionHandle
C:\Users\xxx.yyy\go\pkg\mod\github.com!thales!ignite\[email protected]\crypto11.go:139:22: too many errors

i am not very skilled with go.

How can it be?

Thank you very much

During reenrollment it is required that the certificate used to authenticate, must be same as obtained during enrollment. Unfortunately it cannot work in a case when est server is communicating with client which is not using this cert directly.

E.g. when EST server is communicating with a registrar from this RFC: https://datatracker.ietf.org/doc/html/rfc9148#name-https-coaps-registrar
In mentioned case Registrar cannot use certificate obtained during enrollment as it is EST client's certificate, and private key of this client is not available on Registrar.

It would be nice to disable such check by introducing some flag to config, so it could be turned off in that case.

Some lists in the documentation comments are indented, causing them to be formatted as code blocks in godoc.org.

Outdent the comments to the same level as the surrounding documentation.

1. gofmt -s should be run on some files.
2. Couple of ineffectual assignments to err, handle errors.

I tried

go get github.com/globalsign/est
go install github.com/globalsign/est/cmd/estserver
go install github.com/globalsign/est/cmd/estclient

but it gave me these errors:

go install github.com/globalsign/est/cmd/estserver
    go/src/github.com/globalsign/est/internal/mockca/ca.go:39:2: cannot find package "github.com/globalsign/pemfile" in any of:
        /usr/lib/go-1.14/src/github.com/globalsign/pemfile (from $GOROOT)
        /root/go/src/github.com/globalsign/pemfile (from $GOPATH)

go install github.com/globalsign/est/cmd/estclient
cannot find module providing package github.com/globalsign/est/cmd/estclient: working directory is not part of a module

Instead, I just used this for installation:

go get -u github.com/globalsign/est/cmd/estserver
~/go/bin/estserver -version
go get -u github.com/globalsign/est/cmd/estclient
~/go/bin/estclient version

Hello,

my system is running the latest go version go1.18.2 linux/amd64

With this version, the mentioned install guide is deprecated since following error is shown:

Following commands are working instead:
go install github.com/globalsign/est/cmd/estserver@latest
go install github.com/globalsign/est/cmd/estclient@latest

Ciao,
with regards to the following statement:

Using a configuration file, we can enroll with a private key resident on a hardware module, such as a hardware security module (HSM) or a Trusted Platform Module 2.0 (TPM) device. Refer to the documentation for more details.

How do I find the documentation? I would like to test EST server with a virtual TPM like described in https://docs.microsoft.com/en-us/azure/iot-edge/how-to-auto-provision-simulated-device-linux?view=iotedge-2018-06
Thanks!

The call to logger.Errorf in recoverer should be a call to logger.Errorw.

Hello,

I'm trying to use the estclient for certificate enrollment together with an Aruba Clearpass server, which also provides an EST URL.

After installing the estclient successfully, I downloaded all required server certificates to my linux host and tried to enroll a certificate. Since the Clearpass URL doesn't listen on https://<EST-SERVER-IP-ADDRESS>/.well-known/est/simpleenroll but instead listens to https://<EST-SERVER-IP-ADDRESS>/.well-known/est/ca:<NUMBER> it's not possible to enroll a certificate.

The estclient only expects the server IP address and the listening port and appends the string /.well-known-est-simpleenroll automatically, so no custom paths are supported.

Feature request:

• Allow full URL strings for parameter -server

We are considering to use the server in production along with local CA implementation. We are aware that when we start the server we have the notification not to use it in Production mode. Is it possible to clarify what are the risks in doing so, in order to try to find a workaround?

Hello,

The command go install github.com/globalsign/est/cmd/estclient throws the following error:

github.com/globalsign/tpmkeys /go/pkg/mod/github.com/globalsign/[email protected]/key.go:68:23: not enough arguments in call to tpm2.Sign have (io.ReadWriter, tpmutil.Handle, string, []byte, *tpm2.SigScheme) want (io.ReadWriter, tpmutil.Handle, string, []byte, *tpm2.Ticket, *tpm2.SigScheme)

Any idea on how to resolve this?

Because it employs commands, estclient help is the correct way to invoke the help system, but estclient -help will still yield a help message showing the correct command to use.

For the server, estserver -help is the correct way, but estserver help will ignore the argument and start up the server. For consistency, behavior should be modified so that estserver help invokes the help system.

Hello,

The package implements different APIs of EST protocol.
It expects the CSR to be ready for use, like in the enroll method.

Is it possible to generate the CSR at runtime?
And can we fetch the TLS unique value from the current client implementation?

Typical use-case: include TLS-unique value (in TLS 1.2)
Such as, after establishing the TLS connection between server and client,

1. the TLS unique value can be retrieved from the client
2. the TLS unique value can included in the CSR
3. The CSR can be signed with my private key
4. Pass the signed CSR to the EST enroll method

Thank you very much

Ubuntu 18.04 on WSL clean install

$go get github.com/globalsign/est
# github.com/go-chi/chi
go/src/github.com/go-chi/chi/tree.go:60:20: invalid operation: 2 << n (shift count type int, must be unsigned integer)
# github.com/google/go-tpm/tpm2
go/src/github.com/google/go-tpm/tpm2/open_other.go:38:6: undefined: errors.Is

Hi,
If I use curl to request a certificate over the /simpleenroll endpoint, I get the "400 invalid base64 encoding" response from the EST server.

I guess the problem is caused by the BEGIN/END CERTIFICATE REQUEST header and footer in the CSR.
The EST server indeed tries to base64 decode the entire incoming CSR, header&footer included... and that causes the 'invalid base64 encoding' error.

If I remove the header/footer from the CSR, everything works.

Here are the steps to reproduce the issue:

# create a CSR
openssl req -new -nodes \
    -newkey rsa:4096 -keyout key.pem \
    -subj "/C=US/ST=Somewhere/L=Somewhere/O=company x/OU=iot/CN=device1" \
    -out csr.pem

...and you will get a csr.pem like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIErjCCApYCAQAwaTELMAkGA1UEBhMCVVMxEjAQBgNVBAgMCVNvbWV3aGVyZTES
MBAGA1UEBwwJU29tZXdoZXJlMRIwEAYDVQQKDAljb21wYW55IHgxDDAKBgNVBAsM
...
t8jXqWb7efx/YiP7OFQL3DvM7+3gbgkjMoTD4mJu7GQzsMwZl5r8ecy0TXuputR7
WjM=
-----END CERTIFICATE REQUEST-----

Let's submit the CSR over the simpleenroll endpoint to request for the certificate:

# submit CSR (-k to trust the self-signed server certificate)
curl -X POST --data-binary "@csr.pem" \
      -H "Content-Type: application/pkcs10" \
      -H "Content-Transfer-Encoding: base64" \
      -k \
      https://est.contoso.com:8449/.well-known/est/simpleenroll

...and I get the 400 invalid base64 encoding error.

If I remove the header/footer from the CSR and re-submit it to the EST server, it works and I get a response with a proper certificate.

This is btw what happens if you use the EST server to issue certificates for the Azure IoT Edge 1.2 via the built-in EST integration.
The IoT Edge will issue a CSR including the header and footer, and it will get a "400 invalid base64 encoding ERROR" as a response.

As a workaround, I patched the EST server code to remove the header/footer (if any) from the incoming CSR before performing the base64 decoding. Patch is here: arlotito@502dbf8

With that patch applied, both curl and iotedge work without issues.

I also created a containerized est server here

I'd be happy if you could have a look at it and tell me what you think.
I'm also happy to open a PR if it helps.

Thanks!

Per section 6.8 of RFC2045 which defines the Content-Transfer-Encoding header:

The encoded output stream must be represented in lines of no more than 76 characters each. All line breaks or other characters not found in Table 1 must be ignored by decoding software.

Currently, no line breaks appear in base64-encoded output.

All base64-encoded output used in a message with a Content-Transfer-Encoding value of base64 should be broken into lines of 76 or less characters.