package certificate

import (
	"crypto/x509"
	"fmt"
	"strings"

	"github.com/pkg/errors"
	"github.com/smallstep/cli/crypto/pemutil"
	"github.com/smallstep/cli/crypto/x509util"
	"github.com/smallstep/cli/errs"
	"github.com/smallstep/cli/flags"
	"github.com/urfave/cli"
)

// fingerprintCommand builds the `step certificate fingerprint` subcommand:
// its name, help text, flags and the action that implements it.
//
// The --roots, --servername and --insecure flags only matter when the
// positional argument is a URL rather than a local PEM file; --bundle
// switches from "first certificate only" to "every certificate, in order".
func fingerprintCommand() cli.Command {
	const usageText = `**step certificate fingerprint** <crt-file>
[**--bundle**] [**--roots**=<root-bundle>] [**--servername**=<servername>] [**--format**=<format>]`

	const description = `**step certificate fingerprint** reads a certificate and prints to STDOUT the
certificate SHA256 of the raw certificate.

If <crt-file> contains multiple certificates (i.e., it is a certificate
"bundle") the fingerprint of the first certificate in the bundle will be
printed. Pass the --bundle option to print all fingerprints in the order in
which they appear in the bundle.

## POSITIONAL ARGUMENTS

<crt-file>
:  A certificate PEM file, usually the root certificate.

## EXAMPLES

Get the fingerprint for a root certificate:
'''
$ step certificate fingerprint /path/to/root_ca.crt
0d7d3834cf187726cf331c40a31aa7ef6b29ba4df601416c9788f6ee01058cf3
'''

Get the fingerprint for a remote certificate:
'''
$ step certificate fingerprint https://smallstep.com
e2c4f12edfc1816cc610755d32e6f45d5678ba21ecda1693bb5b246e3c48c03d
'''

Get the fingerprints for a remote certificate with its intemediate:
'''
$ step certificate fingerprint --bundle https://smallstep.com
e2c4f12edfc1816cc610755d32e6f45d5678ba21ecda1693bb5b246e3c48c03d
25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
'''`

	// Flags are declared in the order they are shown in the help output.
	cmdFlags := []cli.Flag{
		// Trust anchors used when the argument is a URL; see the usage text
		// for the accepted file / list / directory forms.
		cli.StringFlag{
			Name: "roots",
			Usage: `Root certificate(s) that will be used to verify the
authenticity of the remote server.

: <roots> is a case-sensitive string and may be one of:

    **file**
	:  Relative or full path to a file. All certificates in the file will be used for path validation.

    **list of files**
	:  Comma-separated list of relative or full file paths. Every PEM encoded certificate from each file will be used for path validation.

    **directory**
	:  Relative or full path to a directory. Every PEM encoded certificate from each file in the directory will be used for path validation.`,
		},
		cli.BoolFlag{
			Name:  `bundle`,
			Usage: `Print all fingerprints in the order in which they appear in the bundle.`,
		},
		// Debug aid: fetches the remote chain without the client's normal
		// validation, so the printed value identifies whatever the peer sent.
		cli.BoolFlag{
			Name: "insecure",
			Usage: `Use an insecure client to retrieve a remote peer certificate. Useful for
debugging invalid certificates remotely.`,
		},
		flags.ServerName,
		cli.StringFlag{
			Name:  "format",
			Usage: `The <format> of the fingerprint, it must be "hex", "base64" or "base64-url".`,
		},
	}

	return cli.Command{
		Name:        "fingerprint",
		Action:      cli.ActionFunc(fingerprintAction),
		Usage:       "print the fingerprint of a certificate",
		UsageText:   usageText,
		Description: description,
		Flags:       cmdFlags,
	}
}

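// fingerprintAction implements `step certificate fingerprint`.
//
// It takes exactly one positional argument: a PEM file, or a URL from which
// the peer's certificate chain is fetched (honouring --roots, --servername
// and --insecure). It prints the fingerprint of the first certificate in the
// requested --format, or, with --bundle, one numbered line per certificate in
// the order they were loaded.
//
// An error is returned for a wrong argument count, an unknown --format value,
// a failed read/fetch, or an input that yields no certificates at all.
func fingerprintAction(ctx *cli.Context) error {
	if err := errs.NumberOfArguments(ctx, 1); err != nil {
		return err
	}

	var (
		serverName = ctx.String("servername")
		roots      = ctx.String("roots")
		bundle     = ctx.Bool("bundle")
		insecure   = ctx.Bool("insecure")
		crtFile    = ctx.Args().First()
		format     = ctx.String("format")
	)

	// Validate the encoding before doing any I/O so a bad --format fails fast.
	encoding, err := getFingerprintFormat(format)
	if err != nil {
		return err
	}

	addr, isURL, err := trimURL(crtFile)
	if err != nil {
		return err
	}

	var certs []*x509.Certificate
	if isURL {
		// The chain is taken as the peer presents it. Per the flag's usage
		// text, --insecure retrieves it without the client's usual validation,
		// so in that mode the printed fingerprint identifies whatever the peer
		// sent and should be compared against a trusted value out-of-band.
		certs, err = getPeerCertificates(addr, serverName, roots, insecure)
	} else {
		certs, err = pemutil.ReadCertificateBundle(crtFile)
	}
	if err != nil {
		return err
	}

	// Guard the certs[:1] below: an input that decodes to zero certificates
	// would otherwise panic instead of producing a usable error.
	if len(certs) == 0 {
		return errors.Errorf("no certificates found in %q", crtFile)
	}

	if !bundle {
		certs = certs[:1]
	}

	for i, crt := range certs {
		fp := x509util.EncodedFingerprint(crt, encoding)
		if bundle {
			fmt.Printf("%d: %s\n", i, fp)
		} else {
			fmt.Println(fp)
		}
	}
	return nil
}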

// getFingerprintFormat maps the user-supplied --format value to an
// x509util.FingerprintEncoding.
//
// Matching ignores surrounding whitespace and letter case; an empty value
// selects hex, and both "base64url" and "base64-url" select the URL-safe
// base64 variant. Any other value yields HexFingerprint together with an
// error that quotes the original (untrimmed) input.
func getFingerprintFormat(format string) (x509util.FingerprintEncoding, error) {
	normalized := strings.ToLower(strings.TrimSpace(format))

	encodings := map[string]x509util.FingerprintEncoding{
		"":           x509util.HexFingerprint,
		"hex":        x509util.HexFingerprint,
		"base64":     x509util.Base64Fingerprint,
		"base64url":  x509util.Base64UrlFingerprint,
		"base64-url": x509util.Base64UrlFingerprint,
	}
	if enc, ok := encodings[normalized]; ok {
		return enc, nil
	}

	return x509util.HexFingerprint, errors.Errorf("error parsing fingerprint format: '%s' is not a valid certificate fingerprint format", format)
}