Add flag to view the first cert only, including for json and pem #256
Conversation
isemaya-square
requested review from
a team,
jdtw,
stfinney and
eknapp-square
|
|
isemaya-square
changed the title
isemaya-square
force-pushed
the
isemaya/add-leaf-flag-first-cert
branch
2 times, most recently
from
30185ad
to
fe7df75
Compare
README.md
Outdated
| @@ -61,6 +61,7 @@ Commands: | |||
| -p, --password=PASSWORD Password for PKCS12/JCEKS key stores (reads from TTY if missing). | |||
| -m, --pem Write output as PEM blocks instead of human-readable format. | |||
| -j, --json Write output as machine-readable JSON format. | |||
| -l, --leaf Only display the first certificate. This flag can be paired with --json. | |||
There was a problem hiding this comment.
I would expect a leaf flag to print the leaf, regardless of the formatting of the certificate. (Ex. if for some reason, the file is formatted intermediate -> leaf). Maybe we could rename the flag?
There was a problem hiding this comment.
That is a good point. We could rename the flag to --first or something like that.
There was a problem hiding this comment.
On the other hand, can we assume that the leaf comes before any intermediates or roots in a cert chain? Since it looks like that is the convention.
There was a problem hiding this comment.
It's from TLS: https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2 (this was the same in earlier versions, too).
The sender's certificate MUST come in the first
CertificateEntry in the list. Each following certificate SHOULD
directly certify the one immediately preceding it. Because
certificate validation requires that trust anchors be distributed
independently, a certificate that specifies a trust anchor MAY be
omitted from the chain, provided that supported peers are known to
possess any omitted certificates.
There was a problem hiding this comment.
But I think first is a reasonable name for the flag. In the connect case, the first cert is guaranteed to be the leaf, but in the dump case, it's not (e.g. what if we're dumping a trust bundle and only want the first cert for some reason). So first is probably more accurate.
isemaya-square
changed the title
isemaya-square
force-pushed
the
isemaya/add-leaf-flag-first-cert
branch
2 times, most recently
from
9f04ce2
to
5a206ec
Compare
There was a problem hiding this comment.
PR looks good. You'll have to merge in my changes in #259, and then you won't need any of the change in cli_test.go.
(Note that it's not safe to change the expected test output, since then it would break on versions of Go earlier than 1.17.7)
Thanks, I'll merge #259 first and get rid of my cli_test.go changes. |
isemaya-square
force-pushed
the
isemaya/add-leaf-flag-first-cert
branch
from
5a206ec
to
d985571
Compare
added dump-pkcs12-chain-to-pem.t to contrast with dump-pkcs12-chain-to-pem-first-only and show that multiple pem blocks are dumped without the --first flag.t
isemaya-square
force-pushed
the
isemaya/add-leaf-flag-first-cert
branch
from
45fcb4a
to
328db64
Compare
This is a reworking of https://github.com/square/certigo/pull/209/files so that only the first cert is viewed with the --leaf flag, but this also works with the --json flag.
I realized that handling pem would be more complicated and might require some refactoring so I didn't include it this time. Would be willing to open a separate PR for it.