Output secret (cert) serial number in hex, not int #43765

Closed
peterj opened this issue Mar 3, 2023 · 4 comments


peterj commented Mar 3, 2023

Bug Description

istioctl outputs the cert serial numbers as ints. Example:

$ istioctl pc secret deploy/httpbin
RESOURCE NAME     TYPE           STATUS     VALID CERT     SERIAL NUMBER                               NOT AFTER                NOT BEFORE
ROOTCA            CA             ACTIVE     true           189528483449735573061036961712154224034     2033-02-28T22:52:30Z     2023-03-03T22:52:30Z

Since the actual cert shows the serial number in hex (e.g. 8e:95:db:b0:4f:26:a3:9b:33:25:2a:a8:51:32:25:a2) it would make sense to show it in a similar format in istioctl, unless there's a reason why %d (not %x) is used when writing out the value.

Version

$ istioctl version
client version: 1.18-alpha.eadc06845f1811964f06d6d7876b477c5840ffb2
control plane version: 1.18-alpha.eadc06845f1811964f06d6d7876b477c5840ffb2
data plane version: 1.18-alpha.eadc06845f1811964f06d6d7876b477c5840ffb2 (2 proxies)

❯  kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GitCommit:"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d", GitTreeState:"clean", BuildDate:"2022-12-08T19:51:43Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"darwin/arm64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.3", GitCommit:"434bfd82814af038ad94d62ebe59b133fcb50506", GitTreeState:"clean", BuildDate:"2022-10-25T19:38:29Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"linux/arm64"}

Additional Information

No response


hanxiaop commented Mar 6, 2023

I think it makes sense to revise to the hex value. However, tools like OpenSSL use both formats, and we may need to convert the format only when the number is large enough?


peterj commented Mar 7, 2023

In my scenario I used openssl x509 -in some-cert.pem -text -noout and that one only shows the serial # in hex, so it would make it so much easier to compare if istioctl shows in hex as well.

I can prepare a quick PR that changes the bigint into hex (it's a %d to %x change, unless we want to incorporate : as well).


hanxiaop commented Mar 8, 2023

Yes, I think revising to hex is great. By the way, I've double-checked with short serial numbers, which will be displayed in a format like 123456 (hex number). As a result, I think only showing hex is fine.

@hanxiaop

This has been resolved by #43828
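
The formats discussed in this thread (decimal as in `%d`, plain hex as in `%x`, and the colon-separated hex that `openssl x509 -text` prints), as an added Go example that is not part of the thread or of Istio's code. The names `ColonHex`, `ParseSerial` and `SameSerial` are hypothetical, and treating a bare digit string as decimal is an assumption of this sketch.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// ColonHex renders a serial as lowercase hex, two digits per byte,
// bytes separated by ':' (the layout openssl uses for long serials).
func ColonHex(n *big.Int) string {
	h := n.Text(16)
	if len(h)%2 == 1 {
		h = "0" + h // pad to whole bytes
	}
	parts := make([]string, 0, len(h)/2)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// ParseSerial accepts decimal ("1193046"), 0x-prefixed hex, or colon hex.
// Assumption: a string of bare digits is decimal, never hex.
func ParseSerial(s string) (*big.Int, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	base := 10
	if strings.Contains(s, ":") || strings.HasPrefix(s, "0x") {
		base = 16
		s = strings.ReplaceAll(strings.TrimPrefix(s, "0x"), ":", "")
	}
	n, ok := new(big.Int).SetString(s, base)
	if !ok || n.Sign() < 0 {
		return nil, fmt.Errorf("not a valid serial number: %q", s)
	}
	return n, nil
}

// SameSerial reports whether two differently formatted serials are equal.
func SameSerial(a, b string) bool {
	x, errA := ParseSerial(a)
	y, errB := ParseSerial(b)
	return errA == nil && errB == nil && x.Cmp(y) == 0
}

func main() {
	n, _ := ParseSerial("189528483449735573061036961712154224034") // decimal serial from the issue
	fmt.Println(ColonHex(n))
}
```

Comparing parsed values rather than strings avoids false mismatches from case, separators or a dropped leading zero when checking a certificate against another tool's output.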
