support p12 extraction in format command

Author: 6293

command/certificate/format.go

@@ -4,6 +4,8 @@ import (
 	"bytes"
 	"crypto/x509"
 	"encoding/pem"
+	"fmt"
+	"github.com/smallstep/cli/crypto/pemutil"
 	"os"
 
 	"github.com/pkg/errors"
@@ -13,23 +15,28 @@ import (
 	"github.com/smallstep/cli/ui"
 	"github.com/smallstep/cli/utils"
 	"github.com/urfave/cli"
+
+	"software.sslmate.com/src/go-pkcs12"
 )
 
 func formatCommand() cli.Command {
 	return cli.Command{
-		Name:      "format",
-		Action:    command.ActionFunc(formatAction),
-		Usage:     `reformat certificate`,
-		UsageText: `**step certificate format** <crt_file> [**--out**=<file>]`,
+		Name:   "format",
+		Action: command.ActionFunc(formatAction),
+		Usage:  `reformat certificate`,
+		UsageText: `**step certificate format** <src_file> [**--crt**=<file>] [**--key**=<file>]
+[**--ca**=<file>] [**--out**=<file>]`,
 		Description: `**step certificate format** prints the certificate or CSR in a different format.
 
-Only 2 formats are currently supported; PEM and ASN.1 DER. This tool will convert
+If either PEM or ASN.1 DER is provided as a positional argument, this tool will convert
 a certificate or CSR in one format to the other.
 
+If PFX / PKCS12 file is provided, it extracts a certificate and private key from the input.
+
 ## POSITIONAL ARGUMENTS
 
-<crt_file>
-:  Path to a certificate or CSR file.
+<src_file>
+:  Path to a certificate or CSR file, or .p12 file when you specify --crt/--ca option.
 
 ## EXIT CODES
 
@@ -51,12 +58,64 @@ Convert PEM format to DER and write to disk:
 '''
 $ step certificate format foo.pem --out foo.der
 '''
+
+Convert a .p12 file to a certificate and private key:
+
+'''
+$ step certificate format foo.p12 --out foo.crt --out-key foo.key
+'''
+
+Convert a .p12 file to a certificate, private key and intermediate certificates:
+
+'''
+$ step certificate format foo.p12 --out foo.crt --out-key foo.key --out-ca intermediate.crt
+'''
+
+Convert a certificate and private key to a .p12 file:
+
+'''
+$ step certificate format foo.crt --out foo.p12 --key foo.key
+'''
+
+Convert a certificate, a private key, and intermediate certificates to a .p12 file:
+
+'''
+$ step certificate format foo.crt --out foo.p12 --key foo.key --ca intermediate.crt
+'''
 `,
 		Flags: []cli.Flag{
+			cli.StringFlag{
+				Name:  "format",
+				Usage: `Target format.`,
+			},
+			cli.StringFlag{
+				Name:  "key",
+				Usage: `The path to the <file> containing a private key to add to the .p12 file.`,
+			},
+			cli.StringSliceFlag{
+				Name: "ca",
+				Usage: `The path to the <file> containing a CA or intermediate certificate to
+add to the .p12 file. Use the '--ca' flag multiple times to add
+multiple CAs or intermediates.`,
+			},
 			cli.StringFlag{
 				Name:  "out",
 				Usage: `Path to write the reformatted result.`,
 			},
+			cli.StringFlag{
+				Name:  "out-key",
+				Usage: `Path to write the private key which is extracted from p12 file.`,
+			},
+			cli.StringFlag{
+				Name:  "out-ca",
+				Usage: `Path to write the intermediate certificates which are extracted from p12 file.`,
+			},
+			cli.StringFlag{
+				Name:  "password-file",
+				Usage: `The path to the <file> containing the password to encrypt/decrypt the .p12 file.`,
+			},
+			flags.NoPassword,
+			flags.Insecure,
 			flags.Force,
 		},
 	}
@@ -67,15 +126,51 @@ func formatAction(ctx *cli.Context) error {
 		return err
 	}
 
-	var (
-		out = ctx.String("out")
-		ob  []byte
-	)
+	sourceFile := ctx.Args().First()
+	format := ctx.String("format")
+	key := ctx.String("key")
+	ca := ctx.StringSlice("ca")
+	out := ctx.String("out")
+	outKey := ctx.String("out-key")
+	outCA := ctx.String("out-ca")
+	passwordFile := ctx.String("password-file")
+	noPassword := ctx.Bool("no-password")
+	insecure := ctx.Bool("insecure")
 
-	var crtFile string
-	if ctx.NArg() == 1 {
-		crtFile = ctx.Args().First()
-	} else {
+	if passwordFile != "" && noPassword {
+		return errs.IncompatibleFlagWithFlag(ctx, "no-password", "password-file")
+	}
+
+	switch {
+	// Format P12 to pem/der
+	// We can default source format to p12 if --out-key or --out-ca are passed
+	case format == "pem" || format == "der" || outKey != "":
+		if err := fromP12(sourceFile, out, outKey, outCA, passwordFile, noPassword); err != nil {
+			return err
+		}
+		// Format PEM to P12
+		// We can default target format to p12 if --key or --ca are passed
+	case format == "p12" || key != "" || len(ca) != 0:
+		if noPassword && !insecure {
+			return errs.RequiredInsecureFlag(ctx, "no-password")
+		}
+		if err := ToP12(out, sourceFile, key, ca, passwordFile, noPassword, insecure); err != nil {
+			return err
+		}
+	case format == "":
+		if err := interconvertPemAndDer(sourceFile, out); err != nil {
+			return err
+		}
+	default:
+		return errors.Errorf("unrecognized argument: --format %s", format)
+	}
+	return nil
+}
+
+func interconvertPemAndDer(crtFile, out string) error {
+	var ob []byte
+
+	if crtFile == "" {
 		crtFile = "-"
 	}
 
@@ -151,3 +246,82 @@ func decodeCertificatePem(b []byte) ([]byte, error) {
 
 	return nil, errors.Errorf("error decoding certificate: invalid PEM block")
 }
+
+func fromP12(p12File, crtFile, keyFile, caFile, passwordFile string, noPassword bool) error {
+	var err error
+	var password string
+	if passwordFile != "" {
+		password, err = utils.ReadStringPasswordFromFile(passwordFile)
+		if err != nil {
+			return err
+		}
+	}
+
+	if password == "" && !noPassword {
+		pass, err := ui.PromptPassword("Please enter a password to decrypt the .p12 file")
+		if err != nil {
+			return errs.Wrap(err, "error reading password")
+		}
+		password = string(pass)
+	}
+
+	p12Data, err := utils.ReadFile(p12File)
+	if err != nil {
+		return errs.Wrap(err, "error reading file %s", p12File)
+	}
+
+	key, crt, ca, err := pkcs12.DecodeChain(p12Data, password)
+	if err != nil {
+		return errs.Wrap(err, "failed to decode PKCS12 data")
+	}
+
+	if err := write(crtFile, fmt.Sprintf("Your certificate has been saved in %s.\n", crtFile), crt); err != nil {
+		return err
+	}
+
+	if err := writeCerts(caFile, fmt.Sprintf("Your CA certificates have been saved in %s.\n", caFile), ca); err != nil {
+		return err
+	}
+
+	if err := write(keyFile, fmt.Sprintf("Your private key has been saved in %s.\n", keyFile), key); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func writeCerts(filename, msg string, certs []*x509.Certificate) error {
+	var data []byte
+	for _, cert := range certs {
+		pemblk, err := pemutil.Serialize(cert)
+		if err != nil {
+			return err
+		}
+		data = append(data, pem.EncodeToMemory(pemblk)...)
+	}
+	if filename == "" {
+		os.Stdout.Write(data)
+	} else {
+		if err := utils.WriteFile(filename, data, 0600); err != nil {
+			return err
+		}
+		ui.Printf(msg)
+	}
+	return nil
+}
+
+func write(filename, msg string, in interface{}) error {
+	if filename != "" {
+		if _, err := pemutil.Serialize(in, pemutil.ToFile(filename, 0600)); err != nil {
+			return err
+		}
+		ui.Printf(msg)
+	} else {
+		pemblk, err := pemutil.Serialize(in)
+		if err != nil {
+			return err
+		}
+		pem.Encode(os.Stdout, pemblk)
+	}
+	return nil
+}

command/certificate/p12.go

@@ -3,6 +3,7 @@ package certificate
 import (
 	"crypto/rand"
 	"crypto/x509"
+	"os"
 
 	"github.com/pkg/errors"
 	"github.com/smallstep/cli/command"
@@ -85,6 +86,10 @@ func p12Action(ctx *cli.Context) error {
 	caFiles := ctx.StringSlice("ca")
 	hasKeyAndCert := crtFile != "" && keyFile != ""
 
+	passwordFile := ctx.String("password-file")
+	noPassword := ctx.Bool("no-password")
+	insecure := ctx.Bool("insecure")
+
 	// If either key or cert are provided, both must be provided
 	if !hasKeyAndCert && (crtFile != "" || keyFile != "") {
 		return errs.MissingArguments(ctx, "key_file")
@@ -97,13 +102,20 @@ func p12Action(ctx *cli.Context) error {
 
 	// Validate flags
 	switch {
-	case ctx.String("password-file") != "" && ctx.Bool("no-password"):
+	case passwordFile != "" && noPassword:
 		return errs.IncompatibleFlagWithFlag(ctx, "no-password", "password-file")
-	case ctx.Bool("no-password") && !ctx.Bool("insecure"):
+	case noPassword && !insecure:
 		return errs.RequiredInsecureFlag(ctx, "no-password")
 	}
 
-	x509CAs := []*x509.Certificate{}
+	if err := ToP12(p12File, crtFile, keyFile, caFiles, passwordFile, noPassword, insecure); err != nil {
+		return err
+	}
+	return nil
+}
+
+func ToP12(p12File, crtFile, keyFile string, caFiles []string, passwordFile string, noPassword, insecure bool) error {
+	var x509CAs []*x509.Certificate
 	for _, caFile := range caFiles {
 		x509Bundle, err := pemutil.ReadCertificateBundle(caFile)
 		if err != nil {
@@ -114,8 +126,8 @@ func p12Action(ctx *cli.Context) error {
 
 	var err error
 	var password string
-	if !ctx.Bool("no-password") {
-		if passwordFile := ctx.String("password-file"); passwordFile != "" {
+	if !noPassword {
+		if passwordFile != "" {
 			password, err = utils.ReadStringPasswordFromFile(passwordFile)
 			if err != nil {
 				return err
@@ -132,7 +144,7 @@ func p12Action(ctx *cli.Context) error {
 	}
 
 	var pkcs12Data []byte
-	if hasKeyAndCert {
+	if crtFile != "" && keyFile != "" {
 		// If we have a key and certificate, we're making an identity store
 		x509CertBundle, err := pemutil.ReadCertificateBundle(crtFile)
 		if err != nil {
@@ -146,7 +158,7 @@ func p12Action(ctx *cli.Context) error {
 
 		// The first certificate in the bundle will be our server cert
 		x509Cert := x509CertBundle[0]
-		// Any remaning certs will be intermediates for the server
+		// Any remaining certs will be intermediates for the server
 		x509CAs = append(x509CAs, x509CertBundle[1:]...)
 
 		pkcs12Data, err = pkcs12.Encode(rand.Reader, key, x509Cert, x509CAs, password)
@@ -161,10 +173,16 @@ func p12Action(ctx *cli.Context) error {
 		}
 	}
 
-	if err := utils.WriteFile(p12File, pkcs12Data, 0600); err != nil {
-		return err
+	if p12File != "" {
+		if err := utils.WriteFile(p12File, pkcs12Data, 0600); err != nil {
+			return err
+		}
+		ui.Printf("Your .p12 bundle has been saved as %s.\n", p12File)
+	} else {
+		if _, err := os.Stdout.Write(pkcs12Data); err != nil {
+			return err
+		}
 	}
 
-	ui.Printf("Your .p12 bundle has been saved as %s.\n", p12File)
 	return nil
 }

integration/certificate_format_test.go

@@ -0,0 +1,172 @@
+//go:build integration
+
+package integration
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/smallstep/assert"
+	"github.com/smallstep/cli/crypto/pemutil"
+	"github.com/smallstep/cli/utils"
+)
+
+func TestCertificateFormat(t *testing.T) {
+	setup()
+	t.Run("validate cert and key extraction from p12", func(t *testing.T) {
+        _, err := NewCLICommand().
+			setCommand(fmt.Sprintf("../bin/step certificate format %s", temp("foo.p12"))).
+			setFlag("out", temp("foo_out0.crt")).
+			setFlag("out-key", temp("foo_out0.key")).
+			setFlag("out-ca", temp("intermediate-ca_out0.crt")).
+			setFlag("no-password", "").
+			run()
+		assert.Nil(t, err)
+
+		foo_crt, _ := pemutil.ReadCertificate(temp("foo.crt"))
+		foo_crt_out, _ := pemutil.ReadCertificate(temp("foo_out0.crt"))
+		assert.Equals(t, foo_crt, foo_crt_out)
+
+		foo_key, _ := utils.ReadFile(temp("foo.key"))
+		foo_out_key, _ := utils.ReadFile(temp("foo_out0.key"))
+		assert.Equals(t, foo_key, foo_out_key)
+
+		foo_ca, _ := pemutil.ReadCertificate(temp("intermediate-ca_out0.crt"))
+		foo_ca_out, _ := pemutil.ReadCertificate(temp("intermediate-ca_out0.crt"))
+		assert.Equals(t, foo_ca, foo_ca_out)
+	})
+
+	t.Run("validate cert and key packaging to p12", func(t *testing.T) {
+		_, err := NewCLICommand().
+			setCommand(fmt.Sprintf("../bin/step certificate format %s", temp("foo.crt"))).
+			setFlag("out", temp("foo_format.p12")).
+			setFlag("key", temp("foo.key")).
+			setFlag("ca", temp("intermediate-ca.crt")).
+			setFlag("no-password", "").
+			setFlag("insecure", "").
+			run()
+		assert.Nil(t, err)
+
+		_, err = NewCLICommand().
+			setCommand(fmt.Sprintf("../bin/step certificate format %s", temp("foo_format.p12"))).
+			setFlag("out", temp("foo_out1.crt")).
+			setFlag("out-key", temp("foo_out1.key")).
+			setFlag("out-ca", temp("intermediate-ca_out1.crt")).
+			setFlag("no-password", "").
+			run()
+
+		assert.Nil(t, err)
+
+		foo_crt, _ := pemutil.ReadCertificate(temp("foo.crt"))
+		foo_crt_out, _ := pemutil.ReadCertificate(temp("foo_out1.crt"))
+		assert.Equals(t, foo_crt, foo_crt_out)
+
+		foo_key, _ := utils.ReadFile(temp("foo.key"))
+		foo_out_key, _ := utils.ReadFile(temp("foo_out1.key"))
+		assert.Equals(t, foo_key, foo_out_key)
+
+		foo_ca, _ := pemutil.ReadCertificate(temp("intermediate-ca.crt"))
+		foo_ca_out, _ := pemutil.ReadCertificate(temp("intermediate-ca_out1.crt"))
+		assert.Equals(t, foo_ca, foo_ca_out)
+	})
+
+	t.Run("validate stdout output", func(t *testing.T) {
+        output, err := NewCLICommand().
+			setCommand(fmt.Sprintf("../bin/step certificate format %s", temp("foo.p12"))).
+			setFlag("no-password", "").
+			setFlag("format", "pem").
+			setFlag("out-key", temp("temp.key")).
+			setFlag("out-ca", temp("temp.pem")).
+			run()
+
+		assert.Nil(t, err)
+
+		foo_crt, _ := pemutil.ReadCertificate(temp("foo.crt"))
+		foo_crt_out, _ := pemutil.Parse([]byte(output.stdout))
+		assert.Equals(t, foo_crt, foo_crt_out)
+	})
+
+	t.Run("compare der format", func(t *testing.T) {
+		_, err := NewCLICommand().
+			setCommand(fmt.Sprintf("../bin/step certificate format")).
+			setArguments(temp("foo.crt")).
+			setFlag("out", temp("foo.der")).
+			run()
+		assert.Nil(t, err)
+
+
+		_, err = NewCLICommand().
+			setCommand(fmt.Sprintf("../bin/step certificate format %s", temp("foo.p12"))).
+			setFlag("no-password", "").
+			setFlag("out", temp("foo_cmp.der")).
+			setFlag("format", "der").
+			run()
+
+		assert.Nil(t, err)
+
+		foo_crt, _ := pemutil.ReadCertificate(temp("foo.der"))
+		foo_crt_out, _ := pemutil.ReadCertificate(temp("foo_cmp.der"))
+		assert.Equals(t, foo_crt, foo_crt_out)
+	})
+
+	t.Run("validate interconversion between PEM and DER", func(t *testing.T) {
+		_, err := NewCLICommand().
+			setCommand(fmt.Sprintf("../bin/step certificate format")).
+			setArguments(temp("foo.crt")).
+			setFlag("out", temp("foo_inter.der")).
+			run()
+		assert.Nil(t, err)
+
+		_, err = NewCLICommand().
+			setCommand(fmt.Sprintf("../bin/step certificate format")).
+			setArguments(temp("foo_inter.der")).
+			setFlag("out", temp("foo_inter.crt")).
+			run()
+		assert.Nil(t, err)
+
+		assert.Nil(t, err)
+
+		foo_crt, _ := pemutil.ReadCertificate(temp("foo.crt"))
+		foo_crt_out, _ := pemutil.ReadCertificate(temp("foo_inter.crt"))
+		assert.Equals(t, foo_crt, foo_crt_out)
+	})
+
+}
+
+func setup() {
+	NewCLICommand().
+		setCommand(fmt.Sprintf("../bin/step certificate create root-ca %s %s", temp("root-ca.crt"), temp("root-ca.key"))).
+		setFlag("profile", "root-ca").
+		setFlag("no-password", "").
+		setFlag("insecure", "").
+		run()
+
+	NewCLICommand().
+		setCommand(fmt.Sprintf("../bin/step certificate create intermediate-ca %s %s", temp("intermediate-ca.crt"), temp("intermediate-ca.key"))).
+		setFlag("profile", "intermediate-ca").
+		setFlag("ca", temp("root-ca.crt")).
+		setFlag("ca-key", temp("root-ca.key")).
+		setFlag("no-password", "").
+		setFlag("insecure", "").
+		run()
+
+	NewCLICommand().
+		setCommand(fmt.Sprintf("../bin/step certificate create foo %s %s", temp("foo.crt"), temp("foo.key"))).
+		setFlag("profile", "leaf").
+		setFlag("ca", temp("intermediate-ca.crt")).
+		setFlag("ca-key", temp("intermediate-ca.key")).
+		setFlag("no-password", "").
+		setFlag("insecure", "").
+		run()
+
+	NewCLICommand().
+		setCommand(fmt.Sprintf("../bin/step certificate p12 %s %s %s", temp("foo.p12"), temp("foo.crt"), temp("foo.key"))).
+		setFlag("ca", temp("intermediate-ca.crt")).
+		setFlag("no-password", "").
+		setFlag("insecure", "").
+		run()
+}
+
+func temp(filename string) string {
+	return fmt.Sprintf("%s/%s", TempDirectory, filename)
+}