Merge branch 'master' into update-changelog-20231127

Author: dopey

cmd/step/main.go

@@ -150,13 +150,13 @@ func panicHandler() {
 			fmt.Fprintf(os.Stderr, "%s\n", step.Version())
 			fmt.Fprintf(os.Stderr, "Release Date: %s\n\n", step.ReleaseDate())
 			panic(r)
-		} else {
-			fmt.Fprintln(os.Stderr, "Something unexpected happened.")
-			fmt.Fprintln(os.Stderr, "If you want to help us debug the problem, please run:")
-			fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %s\n", strings.Join(os.Args, " "))
-			fmt.Fprintln(os.Stderr, "and send the output to [email protected]")
-			os.Exit(2)
 		}
+
+		fmt.Fprintln(os.Stderr, "Something unexpected happened.")
+		fmt.Fprintln(os.Stderr, "If you want to help us debug the problem, please run:")
+		fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %s\n", strings.Join(os.Args, " "))
+		fmt.Fprintln(os.Stderr, "and send the output to [email protected]")
+		os.Exit(2)
 	}
 }
 

command/certificate/create.go

@@ -41,14 +41,15 @@ func createCommand() cli.Command {
 		Action: command.ActionFunc(createAction),
 		Usage:  "create a certificate or certificate signing request",
 		UsageText: `**step certificate create** <subject> <crt-file> <key-file>
-[**--kms**=<uri>] [**--csr**] [**--profile**=<profile>]
-[**--template**=<file>] [**--set**=<key=value>] [**--set-file**=<file>]
-[**--not-before**=<duration>] [**--not-after**=<duration>]
-[**--password-file**=<file>] [**--ca**=<issuer-cert>] 
-[**--ca-key**=<issuer-key>] [**--ca-password-file**=<file>]
-[**--ca-kms**=<uri>] [**--san**=<SAN>] [**--bundle**] [**--key**=<file>]
 [**--kty**=<type>] [**--curve**=<curve>] [**--size**=<size>]
-[**--skip-csr-signature**] [**--no-password**] [**--insecure**]`,
+[**--csr**] [**--profile**=<profile>] [**--template**=<file>]
+[**--set**=<key=value>] [**--set-file**=<file>]
+[**--not-before**=<duration>] [**--not-after**=<duration>] [**--san**=<SAN>]
+[**--ca**=<issuer-cert>] [**--ca-kms**=<uri>]
+[**--ca-key**=<issuer-key>] [**--ca-password-file**=<file>]
+[**--kms**=<uri>] [**--key**=<file>] [**--password-file**=<file>]
+[**--bundle**] [**--skip-csr-signature**]
+[**--no-password**] [**--subtle**] [**--insecure**]`,
 		Description: `**step certificate create** generates a certificate or a
 certificate signing request (CSR) that can be signed later using 'step
 certificate sign' (or some other tool) to produce a certificate.
@@ -347,35 +348,37 @@ $ step certificate create \
   --profile intermediate-ca \
   --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password'
   --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
-  --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \ 
+  --kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
   --key 'pkcs11:id=4001' \
   'My KMS Intermediate' intermediate_ca.crt
 '''
 
 Create an intermediate certificate for an RSA decryption key in Google Cloud KMS, signed by a root stored on disk, using <step-kms-plugin>:
 '''
 $ step certificate create \
-  --profile intermediate-ca \ 
-  --ca root_ca.crt --ca-key root_ca_key \ 
-  --kms cloudkms: \ 
+  --profile intermediate-ca \
+  --ca root_ca.crt --ca-key root_ca_key \
+  --kms cloudkms: \
   --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
   --skip-csr-signature \
-  'My RSA Intermediate' intermediate_rsa_ca.crt 
+  'My RSA Intermediate' intermediate_rsa_ca.crt
 '''
 
 Create an intermediate certificate for an RSA signing key in Google Cloud KMS, signed by a root stored in an HSM, using <step-kms-plugin>:
 '''
 $ step certificate create \
-  --profile intermediate-ca \ 
+  --profile intermediate-ca \
   --ca-kms 'pkcs11:module-path=/usr/local/lib/softhsm/libsofthsm2.so;token=smallstep?pin-value=password' \
-  --ca root_ca.crt --ca-key 'pkcs11:id=4000' \ 
-  --kms cloudkms: \ 
+  --ca root_ca.crt --ca-key 'pkcs11:id=4000' \
+  --kms cloudkms: \
   --key 'projects/myProjectID/locations/global/keyRings/myKeyRing/cryptoKeys/myKey/cryptoKeyVersions/1' \
-  'My RSA Intermediate' intermediate_rsa_ca.crt 
+  'My RSA Intermediate' intermediate_rsa_ca.crt
 '''
 `,
 		Flags: []cli.Flag{
-			flags.KMSUri,
+			flags.KTY,
+			flags.Size,
+			flags.Curve,
 			cli.BoolFlag{
 				Name:  "csr",
 				Usage: `Generate a certificate signing request (CSR) instead of a certificate.`,
@@ -407,14 +410,34 @@ $ step certificate create \
 			flags.TemplateSet,
 			flags.TemplateSetFile,
 			cli.StringFlag{
-				Name: "password-file",
-				Usage: `The path to the <file> containing the password to
-encrypt the new private key or decrypt the user submitted private key.`,
+				Name: "not-before",
+				Usage: `The <time|duration> set in the NotBefore property of the certificate. If a
+<time> is used it is expected to be in RFC 3339 format. If a <duration> is
+used, it is a sequence of decimal numbers, each with optional fraction and a
+unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
+"us" (or "µs"), "ms", "s", "m", "h".`,
+			},
+			cli.StringFlag{
+				Name: "not-after",
+				Usage: `The <time|duration> set in the NotAfter property of the certificate. If a
+<time> is used it is expected to be in RFC 3339 format. If a <duration> is
+used, it is a sequence of decimal numbers, each with optional fraction and a
+unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
+"us" (or "µs"), "ms", "s", "m", "h".`,
+			},
+			cli.StringSliceFlag{
+				Name: "san",
+				Usage: `Add DNS or IP Address Subjective Alternative Names (SANs). Use the '--san'
+flag multiple times to configure multiple SANs.`,
 			},
 			cli.StringFlag{
 				Name:  "ca",
 				Usage: `The certificate authority used to issue the new certificate (PEM file).`,
 			},
+			cli.StringFlag{
+				Name:  "ca-kms",
+				Usage: "The <uri> to configure the KMS used for signing the certificate",
+			},
 			cli.StringFlag{
 				Name:  "ca-key",
 				Usage: `The certificate authority private key used to sign the new certificate (PEM file).`,
@@ -424,59 +447,34 @@ encrypt the new private key or decrypt the user submitted private key.`,
 				Usage: `The path to the <file> containing the password to
 decrypt the CA private key.`,
 			},
+			flags.KMSUri,
 			cli.StringFlag{
 				Name:  "key",
 				Usage: "The <file> of the private key to use instead of creating a new one (PEM file).",
 			},
+			cli.StringFlag{
+				Name: "password-file",
+				Usage: `The path to the <file> containing the password to
+encrypt the new private key or decrypt the user submitted private key.`,
+			},
 			cli.BoolFlag{
 				Name: "no-password",
 				Usage: `Do not ask for a password to encrypt the private key.
 Sensitive key material will be written to disk unencrypted. This is not
 recommended. Requires **--insecure** flag.`,
-			},
-			cli.StringFlag{
-				Name: "not-before",
-				Usage: `The <time|duration> set in the NotBefore property of the certificate. If a
-<time> is used it is expected to be in RFC 3339 format. If a <duration> is
-used, it is a sequence of decimal numbers, each with optional fraction and a
-unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
-"us" (or "µs"), "ms", "s", "m", "h".`,
-			},
-			cli.StringFlag{
-				Name: "not-after",
-				Usage: `The <time|duration> set in the NotAfter property of the certificate. If a
-<time> is used it is expected to be in RFC 3339 format. If a <duration> is
-used, it is a sequence of decimal numbers, each with optional fraction and a
-unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
-"us" (or "µs"), "ms", "s", "m", "h".`,
-			},
-			cli.StringSliceFlag{
-				Name: "san",
-				Usage: `Add DNS or IP Address Subjective Alternative Names (SANs). Use the '--san'
-flag multiple times to configure multiple SANs.`,
 			},
 			cli.BoolFlag{
 				Name: "bundle",
 				Usage: `Bundle the new leaf certificate with the signing certificate. This flag requires
 the **--ca** flag.`,
 			},
-			flags.KTY,
-			flags.Size,
-			flags.Curve,
-			flags.Force,
-			flags.Subtle,
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
-			cli.StringFlag{
-				Name:  "ca-kms",
-				Usage: "The <uri> to configure the KMS used for signing the certificate",
-			},
 			cli.BoolFlag{
 				Name:  "skip-csr-signature",
-				Usage: "Skip creating and signing a CSR",
+				Usage: "Skip creating and signing a CSR.",
 			},
+			flags.Force,
+			flags.Subtle,
+			flags.InsecureHidden,
 		},
 	}
 }

command/certificate/p12.go

@@ -1,7 +1,6 @@
 package certificate
 
 import (
-	"crypto/rand"
 	"crypto/x509"
 	"fmt"
 
@@ -23,7 +22,8 @@ func p12Command() cli.Command {
 		Action: command.ActionFunc(p12Action),
 		Usage:  `package a certificate and keys into a .p12 file`,
 		UsageText: `step certificate p12 <p12-path> [<crt-path>] [<key-path>]
-[**--ca**=<file>] [**--password-file**=<file>]`,
+[**--ca**=<file>] [**--password-file**=<file>] [**--legacy**]
+[**--force**] [**--no-password**] [**--insecure**]`,
 		Description: `**step certificate p12** creates a .p12 (PFX / PKCS12)
 file containing certificates and keys. This can then be used to import
 into Windows / Firefox / Java applications.
@@ -56,7 +56,15 @@ Package a certificate and private key with an empty password:
 
 '''
 $ step certificate p12 --no-password --insecure foo.p12 foo.crt foo.key
-'''`,
+'''
+
+Package a certificate and private key using a legacy encoder,
+
+'''
+$ step certificate p12 --legacy foo.p12 foo.crt foo.key
+'''
+
+`,
 		Flags: []cli.Flag{
 			cli.StringSliceFlag{
 				Name: "ca",
@@ -69,6 +77,10 @@ multiple CAs or intermediates.`,
 				Usage: `The path to the <file> containing the password to encrypt the .p12 file.`,
 			},
 			flags.NoPassword,
+			cli.BoolFlag{
+				Name:  "legacy",
+				Usage: "Encodes PKCS#12 files using the algorithms that were traditionally used, PBE+SHA1+RC2 for certificates and PBE+SHA1+3DES for keys.",
+			},
 			flags.Force,
 			flags.Insecure,
 		},
@@ -86,6 +98,11 @@ func p12Action(ctx *cli.Context) error {
 	caFiles := ctx.StringSlice("ca")
 	hasKeyAndCert := crtFile != "" && keyFile != ""
 
+	encoder := pkcs12.Modern
+	if ctx.Bool("legacy") {
+		encoder = pkcs12.LegacyRC2
+	}
+
 	// If either key or cert are provided, both must be provided
 	if !hasKeyAndCert && (crtFile != "" || keyFile != "") {
 		return errs.MissingArguments(ctx, "key_file")
@@ -150,7 +167,7 @@ func p12Action(ctx *cli.Context) error {
 		// Any remaining certs will be intermediates for the server
 		x509CAs = append(x509CAs, x509CertBundle[1:]...)
 
-		pkcs12Data, err = pkcs12.Encode(rand.Reader, key, x509Cert, x509CAs, password)
+		pkcs12Data, err = encoder.Encode(key, x509Cert, x509CAs, password)
 		if err != nil {
 			return errs.Wrap(err, "failed to encode PKCS12 data")
 		}
@@ -163,7 +180,7 @@ func p12Action(ctx *cli.Context) error {
 				FriendlyName: fmt.Sprintf("%s - %s", cert.Subject.String(), x509util.Fingerprint(cert)),
 			})
 		}
-		pkcs12Data, err = pkcs12.EncodeTrustStoreEntries(rand.Reader, certsWithFriendlyNames, password)
+		pkcs12Data, err = encoder.EncodeTrustStoreEntries(certsWithFriendlyNames, password)
 		if err != nil {
 			return errs.Wrap(err, "failed to encode PKCS12 data")
 		}

command/crypto/hash/hash.go

@@ -18,6 +18,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
 )
@@ -127,10 +128,7 @@ For examples, see **step help crypto hash**.
 		:  MD5 produces a 128-bit hash value
 `,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }
@@ -187,10 +185,7 @@ For examples, see **step help crypto hash**.
 		:  MD5 produces a 128-bit hash value
 `,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }

command/crypto/jwe/encrypt.go

@@ -5,6 +5,7 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -147,10 +148,7 @@ applications where more than one JWE payload type may be present. This
 parameter is ignored by JWE implementations, but may be processed by
 applications that use JWE.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
+			flags.SubtleHidden,
 		},
 	}
 }

command/crypto/jwk/create.go

@@ -377,9 +377,9 @@ existing <pem-file> instead of creating a new key.`,
 			},
 			flags.PasswordFile,
 			flags.NoPassword,
+			flags.Force,
 			flags.Subtle,
 			flags.Insecure,
-			flags.Force,
 		},
 	}
 }

command/crypto/jws/inspect.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/flags"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
 	"go.step.sm/cli-utils/errs"
@@ -32,10 +33,7 @@ For examples, see **step help crypto jws**.`,
 				Usage: `Displays the header, payload and signature as a JSON object. The payload will
 be encoded using Base64.`,
 			},
-			cli.BoolFlag{
-				Name:   "insecure",
-				Hidden: true,
-			},
+			flags.InsecureHidden,
 		},
 	}
 }

command/crypto/jws/sign.go

@@ -150,17 +150,14 @@ string. When used with '--jwk' the <kid> value must match the **"kid"** member
 of the JWK. When used with **--jwks** (a JWK Set) the <kid> value must match
 the **"kid"** member of one of the JWKs in the JWK Set.`,
 			},
-			cli.BoolFlag{
-				Name:   "subtle",
-				Hidden: true,
-			},
 			cli.BoolFlag{
 				Name:   "no-kid",
 				Hidden: true,
 			},
 			flags.PasswordFile,
 			flags.X5cCert,
 			flags.X5tCert,
+			flags.SubtleHidden,
 		},
 	}
 }