
[Bug]: Device attestation validation returns 500 for invalid CBOR payload #1902

Closed
basovnik opened this issue Jun 26, 2024 · 1 comment · Fixed by #1913
Comments


basovnik commented Jun 26, 2024

Steps to Reproduce

  • Fake reproducer: Configure empty JSON in the payload part of the JWK for the /acme/acme/challenge/... HTTP call.
  • Real reproducer: Try to generate a device certificate using device attestation on macOS 15 Beta with an Intel processor and the profile configuration attribute HardwareBound=false (link).

Your Environment

  • OS - macOS 15 Beta
  • step-ca Version - v0.26.2
  • Intel processor
  • HardwareBound=false

Expected Behavior

The server should return a client error -> status 400.

Actual Behavior

The server returns internal error -> status 500.

Unexpected error: error validating challenge: error unmarshalling CBOR: EOF
Log message:

ERRO[6548] duration=33.057877ms duration-ns=33057877 error="error validating challenge: error unmarshalling CBOR: EOF" fields.time="2024-06-26T11:16:32+02:00" method=POST name=ca nonce=eHpuMGRaMlpMa3BoU0JUcDJwWnZSeVprRE44QmJ3Y1c path=/acme/acme/challenge/6zzEABv1oqdHExiAETjjR0RHVnD4hwVP/P9STwds3QRTt5CQhMCjU3ij4Uxs5cN6W protocol=HTTP/1.1 referer= remote-address=127.0.0.1 request-id=2dfcf8a3-c285-4fd0-80d5-9efc05688c82 response="{\"type\":\"urn:ietf:params:acme:error:serverInternal\",\"detail\":\"The server experienced an internal error\"}" size=105 status=500 user-agent="Apache-HttpClient/4.5.13 (Java/17.0.4)" user-id=

Additional Context

No response


@basovnik basovnik added bug needs triage Waiting for discussion / prioritization by team labels Jun 26, 2024
@hslatman hslatman self-assigned this Jul 2, 2024
@hslatman hslatman added this to the v0.26.3 milestone Jul 5, 2024

hslatman commented Jul 5, 2024

Hi @basovnik, thank you for opening the issue. I have opened a PR with a fix: #1913. Could you give it a try?

The behavior for this error changed slightly: instead of immediately returning the error, it is now stored with the challenge object. That way the client should be able to tell that the challenge isn't solved and should not be retried, as the CA is not going to accept a retry with the same (empty, or wrong) attestation object in the request.
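The error classification hslatman describes, as an added Go example that is not step-ca's own code: `Challenge`, `respondBefore` and `respondAfter` are hypothetical stand-ins for the challenge record and handler, `decodeAttestationObject` only inspects the first CBOR byte instead of fully decoding, and mapping an undecodable payload to the RFC 8555 `malformed` error type is an assumed choice.

```go
package main
import (
	"fmt"
	"io"
)

// ACME error types (RFC 8555); using "malformed" here is an assumed choice.
const (
	ErrMalformed      = "urn:ietf:params:acme:error:malformed"
	ErrServerInternal = "urn:ietf:params:acme:error:serverInternal"
)
// Challenge is a hypothetical stand-in for an ACME challenge record.
type Challenge struct {
	Status string // "pending", "valid" or "invalid"
	Error  string // ACME error stored with the challenge when validation fails
}
// decodeAttestationObject stands in for full CBOR decoding and only inspects
// the initial byte: an empty payload yields io.EOF (the error in the report),
// and a top-level item that is not a CBOR map (major type 5) is malformed.
func decodeAttestationObject(attObj []byte) error {
	if len(attObj) == 0 {
		return io.EOF
	}
	if major := attObj[0] >> 5; major != 5 {
		return fmt.Errorf("attestation object is not a CBOR map (major type %d)", major)
	}
	return nil
}
// respondBefore mirrors the reported behaviour: every validation error is
// wrapped as serverInternal, so a client-supplied empty payload becomes a 500.
func respondBefore(ch *Challenge, attObj []byte) (int, string) {
	if err := decodeAttestationObject(attObj); err != nil {
		return 500, ErrServerInternal
	}
	ch.Status = "valid"
	return 200, ""
}

// respondAfter records the decode failure on the challenge instead: the client
// gets 200 with status "invalid" and a reason, and knows not to retry as-is.
func respondAfter(ch *Challenge, attObj []byte) (int, string) {
	if err := decodeAttestationObject(attObj); err != nil {
		ch.Status = "invalid"
		ch.Error = fmt.Sprintf("%s: error unmarshalling CBOR: %v", ErrMalformed, err)
		return 200, ch.Error
	}
	ch.Status = "valid"
	return 200, ""
}
```

With an empty payload the pre-fix path returns 500 serverInternal, while the post-fix path returns 200 with the challenge marked invalid and the CBOR EOF recorded in its error field.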
