package certificate
import (
"encoding/json"
"encoding/pem"
"io/ioutil"
"os"
"github.com/pkg/errors"
"github.com/smallstep/cli/errs"
"github.com/smallstep/cli/flags"
zx509 "github.com/smallstep/zcrypto/x509"
"github.com/smallstep/zlint"
"github.com/urfave/cli"
)
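// lintCommand returns the `step certificate lint` subcommand. The command
// runs zlint over one certificate — the first PEM block of a local file or the
// leaf certificate presented by a remote TLS server — and prints the result
// set as JSON.
//
// Documentation fixes relative to the previous text: the positional argument
// no longer claims CSR support (lintAction only parses X.509 certificates),
// --insecure is listed in the usage line, and the exit-code section states
// that lint findings do not affect the exit status.
func lintCommand() cli.Command {
	return cli.Command{
		Name:   "lint",
		Action: cli.ActionFunc(lintAction),
		Usage:  `lint certificate details`,
		UsageText: `**step certificate lint** <crt_file> [**--roots**=<root-bundle>]
[**--servername**=<servername>] [**--insecure**]`,
		Description: `**step certificate lint** checks a certificate for common
errors and outputs the result in JSON format.

Only one certificate is linted: the first PEM block in <crt_file>, or the leaf
certificate presented by the remote server when <crt_file> is a URL.

## POSITIONAL ARGUMENTS

<crt_file>
: Path to a PEM encoded certificate to lint, or an https URL whose leaf
certificate should be fetched and linted.

## EXIT CODES

This command returns 0 on success and \>0 if any error occurs. "Success" means
the certificate was obtained, parsed and linted; lint findings do not change
the exit code, so callers (for example CI jobs) must inspect the JSON output
to learn whether any lint failed.

## EXAMPLES

'''
$ step certificate lint ./certificate.crt
'''

Lint a remote certificate (using the default root certificate bundle to verify the server):
'''
$ step certificate lint https://smallstep.com
'''

Lint a remote certificate using a custom root certificate to verify the server:
'''
$ step certificate lint https://smallstep.com --roots ./certificate.crt
'''

Lint a remote certificate using a custom list of root certificates to verify the server:
'''
$ step certificate lint https://smallstep.com \
--roots "./certificate.crt,./certificate2.crt,/certificate3.crt"
'''

Lint a remote certificate using a custom directory of root certificates to verify the server:
'''
$ step certificate lint https://smallstep.com --roots "./path/to/certificates/"
'''
`,
		Flags: []cli.Flag{
			cli.StringFlag{
				Name: "roots",
				Usage: `Root certificate(s) that will be used to verify the
authenticity of the remote server.

: <roots> is a case-sensitive string and may be one of:

    **file**
	:  Relative or full path to a file. All certificates in the file will be used for path validation.

    **list of files**
	:  Comma-separated list of relative or full file paths. Every PEM encoded certificate from each file will be used for path validation.

    **directory**
	:  Relative or full path to a directory. Every PEM encoded certificate from each file in the directory will be used for path validation.`,
			},
			cli.BoolFlag{
				Name: "insecure",
				Usage: `Use an insecure client to retrieve a remote peer certificate. Useful for
debugging invalid certificates remotely. With this flag the server's certificate
chain is not verified, so the linted certificate may have been supplied by anyone
able to intercept the connection; do not treat the output as evidence about the
genuine server.`,
			},
			flags.ServerName,
		},
	}
}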
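// lintAction implements `step certificate lint`. It takes exactly one
// positional argument: either a path to a PEM file (only its first block is
// used) or a URL, in which case the leaf certificate presented by the remote
// TLS server is fetched via getPeerCertificates. The certificate is parsed
// with zcrypto's x509 package (the type zlint.LintCertificate requires) and
// the resulting zlint.ResultSet is written to stdout as indented JSON.
//
// A non-nil error is returned only when the certificate cannot be obtained,
// parsed, encoded or written. Lint findings never influence the return value,
// so the process exit code does not indicate whether the certificate passed.
//
// Changes from the previous version: the peer chain is checked for emptiness
// before indexing (previously an index-out-of-range panic), the stdout write
// error is no longer discarded, and the if/else-if/else chain is flattened.
func lintAction(ctx *cli.Context) error {
	if err := errs.NumberOfArguments(ctx, 1); err != nil {
		return err
	}

	var (
		crtFile    = ctx.Args().Get(0)
		roots      = ctx.String("roots")
		serverName = ctx.String("servername")
		insecure   = ctx.Bool("insecure")
	)

	addr, isURL, err := trimURL(crtFile)
	if err != nil {
		return err
	}

	var block *pem.Block
	if isURL {
		// When --insecure is set the remote chain is not verified against
		// roots, so the certificate linted below is simply whatever the
		// network returned; it must not be treated as authentic.
		peerCertificates, err := getPeerCertificates(addr, serverName, roots, insecure)
		if err != nil {
			return err
		}
		if len(peerCertificates) == 0 {
			return errors.Errorf("no certificates presented by '%s'", addr)
		}
		// Only the leaf (first certificate of the presented chain) is linted;
		// intermediates are ignored.
		block = &pem.Block{
			Type:  "CERTIFICATE",
			Bytes: peerCertificates[0].Raw,
		}
	} else {
		crtBytes, err := ioutil.ReadFile(crtFile)
		if err != nil {
			return errs.FileError(err, crtFile)
		}
		// pem.Decode returns the first block only; any further blocks in the
		// file are silently ignored. The block type is not checked, so a
		// non-certificate block (e.g. a CSR or key) surfaces as a DER parse
		// error from zx509.ParseCertificate below.
		block, _ = pem.Decode(crtBytes)
		if block == nil {
			return errors.Errorf("could not parse certificate file '%s'", crtFile)
		}
	}

	zcrt, err := zx509.ParseCertificate(block.Bytes)
	if err != nil {
		return errors.WithStack(err)
	}

	zlintResult := zlint.LintCertificate(zcrt)
	b, err := json.MarshalIndent(struct {
		*zlint.ResultSet
	}{zlintResult}, "", " ")
	if err != nil {
		return errors.WithStack(err)
	}
	// A failed write (closed pipe, full disk) must not look like success.
	if _, err := os.Stdout.Write(b); err != nil {
		return errors.WithStack(err)
	}
	return nil
}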