Document (and fix) certificate sign via API

project-chip · Dec 13, 2024 · 9c854e6 · 9c854e6
1 parent 89110fc
commit 9c854e6
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/src/tools/push_av_server/README.md b/src/tools/push_av_server/README.md
@@ -36,4 +36,15 @@ $ curl -XGET --cacert ~/.pavstest/certs/server/root.pem https://localhost:1234/s
 # Get detailed information about the uploaded media file.
 # This correspond to the ffprobe tool output
 $ curl --cacert ~/.pavstest/certs/server/root.pem -XGET 'https://localhost:1234/probe/1/cmaf/example/video-720p.cmfv'
+
+# You can also use the web server to sign certificates if given a CSR.
+# First create a key and csr for your device:
+$ openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr -subj "/CN=test"
+
+# When sending the CSR over JSON we need to have the newline characters be the literal \n.
+$ sed '$!G' client.csr | paste -sd '\\n' - > client.curl.csr
+
+# Then sign it with the server
+$ curl --cacert ~/.pavstest/certs/server/root.pem -XPOST 'https://localhost:1234/certs/my-device/sign' -d "{\"csr\":\"$(cat client.curl.csr)\"}" --header "content-type: application/json"
+
 ```
diff --git a/src/tools/push_av_server/server.py b/src/tools/push_av_server/server.py
@@ -248,7 +248,7 @@ def _save_cert(
         turn make it very unsecure.
         """
         cert_path = self.directory / f"{name}.pem"
-        key_path = self.directory / f"{name}.key"
+        key_path = self.directory / f"{name}.key" if key else None
 
         if key:
             with open(key_path, "wb") as f:
@@ -344,7 +344,7 @@ def gen_cert(self, dns: str, csr: str, override=False, duration: datetime.timede
         Generate a certificate signed by this CA hierarchy using the provided CSR.
         Returns the path to the key, cert, and whether it was reused or not.
         """
-        signing_request = x509.load_pem_x509_csr(csr)
+        signing_request = x509.load_pem_x509_csr(csr.encode('utf-8'))
         signing_request.public_key()
 
         # If we don't always override, first check if an existing keypair already exists
@@ -356,7 +356,7 @@ def gen_cert(self, dns: str, csr: str, override=False, duration: datetime.timede
                 return (key_path, cert_path, True)
 
         # Sign certificate
-        cert = self._sign_cert(dns, csr.public_key(), duration)
+        cert = self._sign_cert(dns, signing_request.public_key(), duration)
 
         # Save that information to disk
         (key_path, cert_bundle_path) = self._save_cert(