Add --certificate flag to step ssh fingerprint command

With the changes from smallstep/crypto#207, the default behavior of `step ssh fingerprint` changes to be like the behavior of `ssh-add` (and similar tools). When a fingerprint is determined for an SSH certificate, the fingerprint will only include the bytes of the public key. With the `--certificate` flag, a user can create a fingerprint for the entire SSH certificate contents.
smallstep · Apr 12, 2023 · 25beed9 · 25beed9
1 parent f8b04b1
commit 25beed9
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 39 deletions.
diff --git a/command/ssh/fingerprint.go b/command/ssh/fingerprint.go
@@ -26,17 +26,25 @@ certificate.
 
 ## EXAMPLES
 
-Print the fingerprint for a certificate:
+Print the fingerprint for the public key in 
+an SSH certificate:
 '''
 $ step ssh fingerprint id_ecdsa-cert.pub
 '''
 
 Print the fingerprint for an SSH public key:
 '''
 $ step ssh fingerprint id_ecdsa.pub
+'''
+
+Print the fingerprint for the full contents of 
+an SSH certificate:
+'''
+$ step ssh fingerprint id_ecdsa-cert.pub --certificate
 '''`,
 		Flags: []cli.Flag{
 			flags.FingerprintFormatFlag("base64-raw"),
+			flags.FingerprintCertificateModeFlag(),
 		},
 	}
 }
@@ -51,6 +59,8 @@ func fingerprint(ctx *cli.Context) error {
 		return err
 	}
 
+	certificateMode := ctx.Bool("certificate")
+
 	name := ctx.Args().First()
 	if name == "" {
 		name = "-"
@@ -61,10 +71,16 @@ func fingerprint(ctx *cli.Context) error {
 		return err
 	}
 
-	s, err := sshutil.FormatFingerprint(b, format)
+	var fingerprint string
+	if certificateMode {
+		fingerprint, err = sshutil.FormatCertificateFingerprint(b, format)
+	} else {
+		fingerprint, err = sshutil.FormatFingerprint(b, format)
+	}
 	if err != nil {
 		return err
 	}
-	fmt.Println(s)
+
+	fmt.Println(fingerprint)
 	return nil
 }
diff --git a/flags/flags.go b/flags/flags.go
@@ -460,6 +460,17 @@ func FingerprintFormatFlag(defaultFmt string) cli.StringFlag {
 	}
 }
 
+// FingerprintCertificateModeFlag returns a flag for configuring the fingerprinting
+// mode. The default behavior is to fingerprint just the public key if an SSH certificate
+// is being fingerprinted. By providing `--certificate`, the certificate bytes will
+// be included in calculating the fingerprint, resulting in a different one.
+func FingerprintCertificateModeFlag() cli.BoolFlag {
+	return cli.BoolFlag{
+		Name:  "certificate",
+		Usage: `Include SSH certificate bytes in fingerprint`,
+	}
+}
+
 // ParseFingerprintFormat gets the fingerprint encoding from the format flag.
 func ParseFingerprintFormat(format string) (fingerprint.Encoding, error) {
 	switch strings.ToLower(strings.TrimSpace(format)) {

diff --git a/go.mod b/go.mod
@@ -14,8 +14,6 @@ require (
 	github.com/manifoldco/promptui v0.9.0
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/otp v1.4.0
-	github.com/samfoo/ansi v0.0.0-20160124022901-b6bd2ded7189
-	github.com/shurcooL/sanitized_anchor_name v1.0.0
 	github.com/slackhq/nebula v1.6.1
 	github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262
 	github.com/smallstep/certificates v0.24.0-rc.2
@@ -27,10 +25,9 @@ require (
 	github.com/urfave/cli v1.22.12
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.5
-	go.step.sm/crypto v0.28.1-0.20230404230013-4e7c14d93fcc
+	go.step.sm/crypto v0.29.2
 	go.step.sm/linkedca v0.19.0
 	golang.org/x/crypto v0.8.0
-	golang.org/x/net v0.9.0
 	golang.org/x/sys v0.7.0
 	golang.org/x/term v0.7.0
 	google.golang.org/protobuf v1.30.0
@@ -40,16 +37,16 @@ require (
 
 require (
 	cloud.google.com/go v0.110.0 // indirect
-	cloud.google.com/go/compute v1.18.0 // indirect
+	cloud.google.com/go/compute v1.19.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v0.12.0 // indirect
+	cloud.google.com/go/iam v0.13.0 // indirect
 	cloud.google.com/go/longrunning v0.4.1 // indirect
 	cloud.google.com/go/security v1.13.0 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
 	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.4.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.5.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.2 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.9.0 // indirect
@@ -79,12 +76,13 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/certificate-transparency-go v1.1.4 // indirect
-	github.com/google/go-tpm-tools v0.3.10 // indirect
+	github.com/google/go-tpm-tools v0.3.11 // indirect
 	github.com/google/go-tspi v0.3.0 // indirect
+	github.com/google/s2a-go v0.1.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
 	github.com/googleapis/gax-go/v2 v2.8.0 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
@@ -115,6 +113,7 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/schollz/jsonstore v1.1.0 // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/smallstep/nosql v0.6.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
@@ -123,12 +122,13 @@ require (
 	go.etcd.io/bbolt v1.3.7 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/oauth2 v0.6.0 // indirect
+	golang.org/x/net v0.9.0 // indirect
+	golang.org/x/oauth2 v0.7.0 // indirect
 	golang.org/x/text v0.9.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
-	google.golang.org/api v0.114.0 // indirect
+	google.golang.org/api v0.117.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
+	google.golang.org/genproto v0.0.0-20230403163135-c38d8f061ccd // indirect
 	google.golang.org/grpc v1.54.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect