
`step certificate inspect` does not show email name constraints

Open mmalone opened this issue 4 years ago • 2 comments

The `step certificate inspect` subcommand should show name constraints on email addresses (and IP addresses, etc.).

To reproduce:

```shell
step certificate inspect <(echo -n "-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----")
```

This cert has an email name constraint that is not being displayed. You can see it if you inspect using openssl:

```shell
openssl x509 -text -noout -in <(echo -n "-----BEGIN CERTIFICATE-----
MIICHTCCAcKgAwIBAgIRANlG/mm0rKf4MhTHA45Kvb0wCgYIKoZIzj0EAwIwIzEh
MB8GA1UEAxMYU2lnU3RvcmUgSW50ZXJtZWRpYXRlIENBMB4XDTIxMDMxMjIxMDIy
N1oXDTIxMDMxMzIxMDMyN1owFDESMBAGA1UEAxMJbG9jYWxob3N0MFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEAiMw/w6VINFQmam0Atm7JHQ680jLq1iDXzZNKdfo
8zKgEeS4XaCntC+mxe9Nzy81d2e1F+iENsn8HEro+rKr8KOB5TCB4jAOBgNVHQ8B
Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUsfFJuCagijCZ
odvnxy1NoEZUWiYwHwYDVR0jBBgwFoAUoNyVB4Gc2bHH1l6dYvtpTRvfRGwwFAYD
VR0RBA0wC4IJbG9jYWxob3N0MDYGA1UdHgEB/wQsMCqgKDALgglsb2NhbGhvc3Qw
DIIKLmxvY2FsaG9zdDALgQlsb2NhbGhvc3QwLgYMKwYBBAGCpGTGKEABBB4wHAIB
BgQVc2lnc3RvcmUtaW50ZXJtZWRpYXRlBAAwCgYIKoZIzj0EAwIDSQAwRgIhAOsz
6L+nVg2/VzZPYhy/fjMn94sHJ2OPiqdMY1hkiVYVAiEA/P3BAt395hCQK8wr7wja
69cO7ZYggXEE4BYFmH+J6NU=
-----END CERTIFICATE-----")
```

mmalone avatar Mar 12 '21 21:03 mmalone

Not only permitted email constraints, but we need to display permitted and excluded DNSs, email addresses, IP ranges, and URIs.

maraino avatar Mar 12 '21 22:03 maraino

@tommy-56 see maraino's comment above. Long as we're here, let's do all of these ^.

dopey avatar Jul 09 '21 00:07 dopey
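What the thread asks `inspect` to print, written as an added example with Go's `crypto/x509` (this is not the step CLI's own code). It builds a constructed sample CA with a critical name-constraints extension (not the certificate from the issue), parses it back from DER, and renders every permitted and excluded DNS, email, IP-range and URI constraint the parser exposes; the generic `add` helper formats with `%v`, so `*net.IPNet` entries print as CIDR.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func add[T any](out []string, kind, label string, vals []T) []string {
	for _, v := range vals {
		out = append(out, fmt.Sprintf("%s %s:%v", kind, label, v))
	}
	return out
}

// constraintLines lists every permitted and excluded name constraint of a parsed cert.
func constraintLines(c *x509.Certificate) []string {
	out := add(nil, "Permitted", "DNS", c.PermittedDNSDomains)
	out = add(out, "Permitted", "Email", c.PermittedEmailAddresses)
	out = add(out, "Permitted", "IP", c.PermittedIPRanges)
	out = add(out, "Permitted", "URI", c.PermittedURIDomains)
	out = add(out, "Excluded", "DNS", c.ExcludedDNSDomains)
	out = add(out, "Excluded", "Email", c.ExcludedEmailAddresses)
	out = add(out, "Excluded", "IP", c.ExcludedIPRanges)
	return add(out, "Excluded", "URI", c.ExcludedURIDomains)
}

// constructedCert: throwaway self-signed CA (constructed sample, not the issue's cert) with critical name constraints.
func constructedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, PermittedDNSDomainsCritical: true,
		PermittedDNSDomains: []string{"localhost", ".localhost"}, PermittedEmailAddresses: []string{"localhost"},
		ExcludedIPRanges: []*net.IPNet{{IP: net.IPv4(10, 0, 0, 0).To4(), Mask: net.CIDRMask(8, 32)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```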