Unable to enroll elliptic curve certificates from TPP #17
Description
PROBLEM SUMMARY
Unable to enroll elliptic curve certificates from Trust Protection Platform
STEPS TO REPRODUCE
- Add the following to a file called `ecc.rb`, modifying the `url`, `user`, `password`, `trust_bundle`, and `ZONE` values to match your TPP environment:

```ruby
require 'vcert'

ZONE = 'VCert\\Ruby'.freeze

# Connect to TPP using the trust bundle for the TPP server certificate
conn = Vcert::Connection.new url: 'https://tpp-beta.venafi.example', \
  user: 'admin', password: 'newPassw0rd!', trust_bundle: '/opt/venafi/bundle.pem'

# Request an ECDSA P-256 key pair and certificate with two DNS SANs
request = Vcert::Request.new common_name: "test.venafi.example", \
  san_dns: ["san1-test.venafi.example","san2-test.venafi.example"], \
  key_type: Vcert::KeyType.new('ecdsa', 'prime256v1')

# Pull the zone policy and apply it to the request before generating the CSR
zone_config = conn.zone_configuration(ZONE)
request.update_from_zone_config(zone_config)
puts "#{request.csr}"

certificate = conn.request_and_retrieve(request, ZONE, timeout: 600)
puts "#{certificate.cert}"
```

- Execute `ruby ecc.rb`
EXPECTED RESULTS
ECDSA key pair and CSR are generated and successfully enrolled using TPP.
ACTUAL RESULTS
If the TPP policy suggests RSA 2048 (which means it can be overridden by the requester), the following error occurs:

```
Traceback (most recent call last):
3: from ecc.rb:16:in `<main>'
2: from /var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/vcert.rb:64:in `request_and_retrieve'
1: from /var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/vcert.rb:30:in `request'
/var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/tpp/tpp.rb:22:in `request': Status 400 (Vcert::ServerUnexpectedBehaviorError)
```
If the TPP policy suggests or requires (locked) ECDSA P256, the following error occurs:

```
Traceback (most recent call last):
3: from bug.rb:12:in `<main>'
2: from /var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/vcert.rb:46:in `zone_configuration'
1: from /var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/tpp/tpp.rb:54:in `zone_configuration'
/var/lib/gems/2.5.0/gems/vcert-0.1.1/lib/tpp/tpp.rb:221:in `parse_zone_configuration': undefined method `[]' for nil:NilClass (NoMethodError)
```
ENVIRONMENT DETAILS
Trust Protection Platform 20.3.2
COMMENTS/WORKAROUNDS
Trust Protection Platform supports three elliptic curves: p256, p384, and p521. Based on a review of the code, it looks like VCert-Ruby supports p224 but not p384, so that is a related bug.

vcert-ruby/lib/objects/objects.rb, line 8 in 40c8dc7:

```ruby
SUPPORTED_CURVES = ["secp224r1", "prime256v1", "secp521r1"]
```

vcert-ruby/lib/objects/objects.rb, line 322 in 40c8dc7:

```ruby
curve = {"p224" => "secp224r1", "p256" => "prime256v1", "p521" => "secp521r1"}[policy["KeyPair"]["EllipticCurve"]["Value"].downcase]
```
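As an added illustration (not code from vcert-ruby or a proposed patch), the following shows a nil-safe version of the curve lookup at line 322 above that covers all three curves TPP supports and returns `nil` instead of raising `NoMethodError` when the policy carries no `EllipticCurve` entry. The function name `curve_from_policy`, the `TPP_CURVES` constant and the sample policy hashes are assumptions made for this example; the policy shape follows only the `KeyPair` / `EllipticCurve` / `Value` keys the existing code indexes.

```ruby
# Hypothetical helper, not part of the vcert gem.
# Maps TPP curve names to OpenSSL curve names. p384 is added; p224 is kept
# only because the gem's existing SUPPORTED_CURVES constant lists it.
TPP_CURVES = {
  'p224' => 'secp224r1',
  'p256' => 'prime256v1',
  'p384' => 'secp384r1',
  'p521' => 'secp521r1'
}.freeze

# Returns the OpenSSL curve name from the zone policy, or nil when the policy
# does not constrain the curve (e.g. an RSA-only policy, or no KeyPair block).
# Hash#dig stops at the first missing key instead of calling [] on nil, which
# is exactly the failure in the parse_zone_configuration traceback above.
# A curve name TPP returns that this mapping does not know raises ArgumentError
# with the offending value, rather than a silent nil.
def curve_from_policy(policy)
  return nil unless policy.is_a?(Hash)

  value = policy.dig('KeyPair', 'EllipticCurve', 'Value')
  return nil if value.nil? || value.to_s.strip.empty?

  TPP_CURVES.fetch(value.to_s.strip.downcase) do
    raise ArgumentError, "unsupported elliptic curve from TPP policy: #{value.inspect}"
  end
end

# Constructed sample policies (not captured from a real TPP response).
POLICY_ECC_P384 = { 'KeyPair' => { 'EllipticCurve' => { 'Value' => 'P384' } } }.freeze
POLICY_RSA_ONLY = { 'KeyPair' => { 'KeySize' => { 'Value' => 2048 } } }.freeze

if __FILE__ == $PROGRAM_NAME
  p curve_from_policy(POLICY_ECC_P384)  # "secp384r1"
  p curve_from_policy(POLICY_RSA_ONLY)  # nil
  p curve_from_policy({})               # nil
end
```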