SonicOS Public Key Authentication
sovap
Newbie ✭
Is the current documentation for Public Key Authentication correct? The provided curl bash example is not working for me. Testing against a TZ470 running SonicOS 7.0.1-5119-R4713. I have the SonicOS API enabled, Public Key authentication enabled, PKCS#1 v2.0 OAEP selected with SHA256 for both the hash and mask method. I also tried to create a client in Ruby with the same results. I've successfully connected with Digest Auth and Basic Auth, but I'd prefer to use a Public Key if possible.
I've tried manually in a command window with:
USER="admin"
PASSWORD="password"
ADDR="192.168.168.168"
curl -k -i -s -X POST https://$ADDR/api/sonicos/auth | grep 'WWW-Authenticate: SNWL-PK-AUTH' | sed -e 's/^.*key="/-----BEGIN PUBLIC KEY-----\n/' -e 's/"/\n-----END PUBLIC KEY-----/' >pk.pem
CIPHER=$(echo -n $PASSWORD | openssl pkeyutl -encrypt -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -pubin -inkey pk.pem | base64 -w 0)
curl -k -i -s -H "Authorization: SNWL-PK-AUTH user='$USER', data='$CIPHER'" -X POST https://$ADDR/api/sonicos/auth
But no matter what I try I am getting the following:
HTTP/1.0 400 Bad Request
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: application/json; charset=UTF-8
X-Content-Type-Options: nosniff

{ "status": { "success": false, "info": [ { "level": "error", "code": "E_INVALID_API_CALL", "message": "Unauthorized." } ] } }
Category: Developer Hub
Comments
Hello,
I may have a solution for you. Try this: 'Authorization: SNWL-PK-AUTH user="'$USER'", data="'$CIPHER'"' instead.
Line from your post:
curl -k -i -s -H "Authorization: SNWL-PK-AUTH user="'$USER'", data='$CIPHER'" -X POST https://$ADDR/api/sonicos/auth
I modified the line to this:
curl -k -i -s -H 'Authorization: SNWL-PK-AUTH user="'$USER'", data="'$CIPHER'"' -X POST https://$ADDR/api/sonicos/auth
Hope this helps!
I uploaded a couple of example scripts (Bash and Python) here:
Thank you! Changing the quotes made the bash work, though I swear I had tried that way before as that is how it is in the docs that I originally copied and pasted. I can't explain it, but my Ruby code is now also working without change. I have rebooted the device since I last tried so maybe it was bugged out. Or maybe in testing I wasn't actually grabbing a new public key before each auth attempt. I'm not sure, but it is working now.
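The full client flow the thread walks through (pull the key out of the WWW-Authenticate header, OAEP-encrypt the password with SHA-256 hash and MGF1, base64 it, build the header with the quoting from the accepted answer), as an added example that is not from the thread or from SonicWall's docs. It runs offline against a constructed WWW-Authenticate line signed with a throwaway key pair (both assumptions), replaces the GNU-only sed `\n` with awk, and decrypts with the throwaway private key to confirm the ciphertext the firewall would receive is well formed.

```shell
#!/bin/sh
# Added example: SNWL-PK-AUTH client steps exercised offline with a
# throwaway key and a CONSTRUCTED header line (no firewall involved).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway RSA pair standing in for the firewall's key (assumption).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/priv.pem" 2>/dev/null
openssl pkey -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null

# Constructed header in the shape the thread's grep/sed expects:
# the PEM body on one line, no BEGIN/END lines, inside key="...".
KEY_B64=$(grep -v '^-----' "$WORK/pub.pem" | tr -d '\n')
FAKE_HDR="WWW-Authenticate: SNWL-PK-AUTH key=\"$KEY_B64\""

# Step 1: rebuild pk.pem from the header (portable awk instead of sed \n).
extract_pubkey() {
  printf '%s\n' "$1" | grep 'WWW-Authenticate: SNWL-PK-AUTH' \
    | awk -F'key="' '{ split($2, a, "\"");
        print "-----BEGIN PUBLIC KEY-----"; print a[1];
        print "-----END PUBLIC KEY-----" }'
}

# Step 2: RSA-OAEP, SHA-256 for both hash and MGF1, base64 on one line.
encrypt_password() {
  printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
    -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
    -pkeyopt rsa_mgf1_md:sha256 | openssl base64 -A
}

# Step 3: header value with the quoting from the accepted answer:
# double quotes inside the value, single quotes only around the shell string.
build_auth_header() {
  printf 'Authorization: SNWL-PK-AUTH user="%s", data="%s"' "$1" "$2"
}

# Round trip with the private key to prove the ciphertext decodes cleanly.
decrypt_check() {
  printf '%s' "$2" | openssl base64 -d -A | openssl pkeyutl -decrypt \
    -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256
}

extract_pubkey "$FAKE_HDR" > "$WORK/pk.pem"
CIPHER=$(encrypt_password "$WORK/pk.pem" "password")
AUTH_HDR=$(build_auth_header "admin" "$CIPHER")
PLAIN=$(decrypt_check "$WORK/priv.pem" "$CIPHER")
```

Against a real unit, replace FAKE_HDR with the output of the first curl to /api/sonicos/auth and pass "$AUTH_HDR" to curl with -H; the key is per-session, so fetch it fresh before every attempt.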