Add flag to view the first cert only, including for json and pem #256
Conversation
Force-pushed from 30185ad to fe7df75
README.md (outdated)
@@ -61,6 +61,7 @@ Commands: | |||
-p, --password=PASSWORD Password for PKCS12/JCEKS key stores (reads from TTY if missing). | |||
-m, --pem Write output as PEM blocks instead of human-readable format. | |||
-j, --json Write output as machine-readable JSON format. | |||
-l, --leaf Only display the first certificate. This flag can be paired with --json. |
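Review bot: the help text for `-l, --leaf` describes positional behaviour ("Only display the first certificate") under a semantic name; position 0 is only guaranteed to be the leaf for `connect` output, not for an arbitrary dumped bundle or trust store, so either rename the flag to `--first` or make it select the certificate that is actually the leaf. The line also says the flag "can be paired with --json" but is silent on `--pem`, which the PR title claims to cover while the description says PEM handling was left out; state explicitly which output modes the flag applies to.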
I would expect a `leaf` flag to print the leaf, regardless of the formatting of the certificate. (Ex. if for some reason, the file is formatted intermediate -> leaf). Maybe we could rename the flag?
That is a good point. We could rename the flag to `--first` or something like that.
On the other hand, can we assume that the leaf comes before any intermediates or roots in a cert chain? Since it looks like that is the convention.
It's from TLS: https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2 (this was the same in earlier versions, too).
The sender's certificate MUST come in the first
CertificateEntry in the list. Each following certificate SHOULD
directly certify the one immediately preceding it. Because
certificate validation requires that trust anchors be distributed
independently, a certificate that specifies a trust anchor MAY be
omitted from the chain, provided that supported peers are known to
possess any omitted certificates.
But I think `first` is a reasonable name for the flag. In the `connect` case, the first cert is guaranteed to be the leaf, but in the `dump` case, it's not (e.g. what if we're dumping a trust bundle and only want the first cert for some reason). So `first` is probably more accurate.
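The distinction drawn in this thread (position 0 versus the actual leaf) is easy to see on a bundle that is stored root-first. The following is an added example, not certigo's own code: it generates a throwaway root CA and a server certificate it signs (in-process, so nothing leaves the machine), writes them to PEM in root-then-leaf order, and contrasts a `--first`-style pick (`FirstCert`) with a leaf pick that chooses the one certificate which issues no other certificate in the bundle (`LeafCert`). The function names, the subject names and the bundle order are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parsePEMCerts decodes every CERTIFICATE block in a PEM bundle, preserving file order.
func parsePEMCerts(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or other blocks are not part of the chain
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// FirstCert is what a purely positional --first flag would return: index 0, whatever it is.
func FirstCert(certs []*x509.Certificate) *x509.Certificate { return certs[0] }

// LeafCert returns the certificate that does not sign any other certificate in the bundle.
// For a single chain that is the leaf regardless of file order; a trust bundle with several
// unrelated roots yields several candidates and is reported as an error.
func LeafCert(certs []*x509.Certificate) (*x509.Certificate, error) {
	var leaves []*x509.Certificate
	for _, cand := range certs {
		issuesSomething := false
		for _, other := range certs {
			if other != cand && other.CheckSignatureFrom(cand) == nil {
				issuesSomething = true
				break
			}
		}
		if !issuesSomething {
			leaves = append(leaves, cand)
		}
	}
	if len(leaves) != 1 {
		return nil, fmt.Errorf("expected exactly one leaf, found %d", len(leaves))
	}
	return leaves[0], nil
}

// buildReversedBundle constructs (assumption: hypothetical names, short validity) a self-signed
// root CA and a leaf it signs, and returns them as PEM written root first, i.e. the
// "intermediate -> leaf" order the thread mentions rather than the TLS wire order.
func buildReversedBundle() ([]byte, error) {
	now := time.Now()
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	var out []byte
	for _, der := range [][]byte{rootDER, leafDER} { // deliberately root first
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out, nil
}

func main() {
	bundle, err := buildReversedBundle()
	if err != nil {
		panic(err)
	}
	certs, err := parsePEMCerts(bundle)
	if err != nil {
		panic(err)
	}
	fmt.Println("first:", FirstCert(certs).Subject.CommonName) // Example Root CA
	leaf, err := LeafCert(certs)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf: ", leaf.Subject.CommonName) // example.test
}
```

On this input `FirstCert` hands back the root CA while `LeafCert` finds the server certificate, which is exactly why a flag named after position (`--first`) is the honest description of what the PR implements; a flag named `--leaf` would need the issuer-based selection, plus a decision about what to do when a trust bundle yields no single leaf.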
Force-pushed from 9f04ce2 to 5a206ec
PR looks good. You'll have to merge in my changes in #259, and then you won't need any of the change in cli_test.go.
(Note that it's not safe to change the expected test output, since then it would break on versions of Go earlier than 1.17.7)
Thanks, I'll merge #259 first and get rid of my cli_test.go changes.
Force-pushed from 5a206ec to d985571
added dump-pkcs12-chain-to-pem.t to contrast with dump-pkcs12-chain-to-pem-first-only and show that multiple pem blocks are dumped without the --first flag.t
Force-pushed from 45fcb4a to 328db64
This is a reworking of https://github.com/square/certigo/pull/209/files so that only the first cert is viewed with the --leaf flag, but this also works with the --json flag.
I realized that handling pem would be more complicated and might require some refactoring so I didn't include it this time. Would be willing to open a separate PR for it.