Add initial version of the handshake command #1402

Open: wants to merge 4 commits into base: master
Conversation

@maraino (Collaborator) commented Apr 3, 2025

Description

This commit adds the command step certificate handshake. This command performs a handshake and displays details about it.

For example:

$ step certificate handshake smallstep.com
Server Name:  smallstep.com
Version:      TLS 1.3
Cipher Suite: TLS_AES_128_GCM_SHA256
KEM:          X25519
Insecure:     false
Verified:     true

This commit adds the command `step certificate handshake`. This command
performs a handshake and displays details about it.
@maraino maraino requested a review from dopey April 3, 2025 01:59
@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Apr 3, 2025
return tlsDialWithFallback(addr, tlsConfig)
}
defer conn.Close()
conn.Handshake()
Member

Can use HandshakeContext, and it would be good to check and return the error.

In a follow up we could implement some additional error handling logic for more informative errors based on some internal code we have. I think it could be nice to put that in tlsutil.

Collaborator Author

Fixed with 6a13fa3
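Putting the two review points together (run the handshake under a context with a deadline via HandshakeContext, and return the handshake error instead of dropping it), here is an added, self-contained Go example. It is not code from this PR or from the step CLI. It assumes a throwaway self-signed certificate served from a loopback listener in place of a real server, and the names Handshake, Describe and startServer are this example's own. The Insecure line simply mirrors the caller's flag, and the KEM line from the PR's output is left out because this example only uses what crypto/tls.ConnectionState exposes in every recent Go release (tls.VersionName needs Go 1.21 or later). Verified is taken from ConnectionState.VerifiedChains, which crypto/tls leaves empty whenever InsecureSkipVerify is set, so an insecure handshake can never report Verified: true.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// Handshake dials addr and completes the TLS handshake under ctx, so a silent server
// cannot hang the caller; every error, including failed verification, is returned.
func Handshake(ctx context.Context, addr, serverName string, roots *x509.CertPool, insecure bool) (tls.ConnectionState, error) {
	raw, err := (&net.Dialer{}).DialContext(ctx, "tcp", addr)
	if err != nil {
		return tls.ConnectionState{}, fmt.Errorf("dial %s: %w", addr, err)
	}
	conn := tls.Client(raw, &tls.Config{
		ServerName:         serverName,
		RootCAs:            roots,
		InsecureSkipVerify: insecure, // opt-in only, as an --insecure flag would be
		MinVersion:         tls.VersionTLS12,
	})
	defer conn.Close()
	if err := conn.HandshakeContext(ctx); err != nil {
		return tls.ConnectionState{}, fmt.Errorf("tls handshake with %s: %w", addr, err)
	}
	return conn.ConnectionState(), nil
}

// Describe lays the details out as the PR's example does. Verified is taken from VerifiedChains,
// which crypto/tls leaves empty when InsecureSkipVerify was set. KEM is omitted (not portable).
func Describe(cs tls.ConnectionState, insecure bool) string {
	return fmt.Sprintf("Server Name:  %s\nVersion:      %s\nCipher Suite: %s\nInsecure:     %t\nVerified:     %t\n",
		cs.ServerName, tls.VersionName(cs.Version), tls.CipherSuiteName(cs.CipherSuite), insecure, len(cs.VerifiedChains) > 0)
}

// startServer mints a throwaway self-signed ECDSA certificate for host (standing in for a real
// server certificate), listens on a random loopback port, and returns a pool that trusts it.
func startServer(host string) (net.Listener, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return nil, nil, err
	}
	go func() { // complete (or fail) one handshake per connection, then close it
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln, pool, nil
}

func main() {
	ln, pool, err := startServer("localhost")
	if err != nil {
		log.Fatal(err)
	}
	defer ln.Close()
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	cs, err := Handshake(ctx, ln.Addr().String(), "localhost", pool, false)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(Describe(cs, false))
	// Same server, but without trusting its certificate: the failure is reported, not swallowed.
	_, err = Handshake(ctx, ln.Addr().String(), "localhost", x509.NewCertPool(), false)
	fmt.Println("untrusted:", err)
}
```

Run it with go run. The first handshake trusts the generated certificate and prints the same layout as the PR's example (TLS 1.3, a TLS_ cipher suite, Verified: true); the second uses an empty root pool, so HandshakeContext fails with "certificate signed by unknown authority" and that error surfaces, which is exactly the case an unchecked conn.Handshake() would have hidden.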

Comment on lines 163 to 184
// Print only the list of verified chains
if printChains {
	for _, chain := range cs.VerifiedChains {
		for _, crt := range chain {
			fmt.Print(string(pem.EncodeToMemory(&pem.Block{
				Type:  "CERTIFICATE",
				Bytes: crt.Raw,
			})))
		}
	}
	return nil
}

// Print only the peer certificates
if printPeer {
	for _, crt := range cs.PeerCertificates {
		fmt.Print(string(pem.EncodeToMemory(&pem.Block{
			Type: "CERTIFICATE", Bytes: crt.Raw,
		})))
	}
	return nil
}
Member

Maybe needs an option to continue down, so that the connection details are shown in addition to these too? Or make that the default, instead of returning early?

Collaborator Author

I'm not sure about this. I made them independent commands because a certificate, especially if you include all the intermediates, is quite noisy. I also wanted to pipe those certificates to another command.

@hslatman (Member) commented Apr 16, 2025

That's fair, but in practice providing one of the printPeer or printChains options is doing the same as step certificate inspect https://example.com and step certificate inspect https://example.com --bundle, respectively, so if you intend to return early to pipe the certs, those commands can be used, incl. JSON format.

If instead execution would continue after printing the details, it would be a bit more like curl -v (with more certificate details, of course). That would mean enabling these options results in a more verbose output, which I think is fair, considering the default is to print just TLS handshake details.

maraino and others added 2 commits April 15, 2025 12:22
Co-authored-by: Herman Slatman <hslatman@users.noreply.github.com>
@maraino maraino requested a review from hslatman April 15, 2025 20:51
@hslatman hslatman added this to the v0.28.7 milestone Apr 16, 2025
Comment on lines +3 to +8
import (
"strings"
"testing"

"github.com/pkg/errors"
"github.com/stretchr/testify/assert"
Member

Suggested change
From:
import (
	"strings"
	"testing"

	"github.com/pkg/errors"
	"github.com/stretchr/testify/assert"
To:
import (
	"errors"
	"strings"
	"testing"

	"github.com/stretchr/testify/assert"

"github.com/smallstep/cli-utils/command"
)

// Command returns the cli.Command for jwt and related subcommands.
Member

Suggested change
From: // Command returns the cli.Command for jwt and related subcommands.
To:   // Command returns the cli.Command for tls and related subcommands.

Comment on lines +12 to +18
"github.com/smallstep/cli-utils/errs"
"github.com/smallstep/cli/flags"
"github.com/smallstep/cli/internal/cryptoutil"
"github.com/smallstep/cli/utils"
"github.com/urfave/cli"
"go.step.sm/crypto/pemutil"
"go.step.sm/crypto/x509util"
Member

Suggested change
From:
	"github.com/smallstep/cli-utils/errs"
	"github.com/smallstep/cli/flags"
	"github.com/smallstep/cli/internal/cryptoutil"
	"github.com/smallstep/cli/utils"
	"github.com/urfave/cli"
	"go.step.sm/crypto/pemutil"
	"go.step.sm/crypto/x509util"
To:
	"github.com/urfave/cli"

	"github.com/smallstep/cli-utils/errs"
	"go.step.sm/crypto/pemutil"
	"go.step.sm/crypto/x509util"

	"github.com/smallstep/cli/flags"
	"github.com/smallstep/cli/internal/cryptoutil"
	"github.com/smallstep/cli/utils"
