Allow to disable smallstep extensions using the cli

This commit adds the flag --disable-smallstep-extensions to "step ca provisioner" commands. A provisioner created with this flag will have the claim DisableSmallstepExtensions set to true and certificates created using that provisioner will not have the smallstep provisioner extension. Related to smallstep/certificates#620
smallstep · Jul 21, 2023 · 4784a1c · 4784a1c
1 parent 9345996
commit 4784a1c
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 9 deletions.
diff --git a/command/ca/provisioner/add.go b/command/ca/provisioner/add.go
@@ -167,6 +167,7 @@ SCEP
 			sshHostDefaultDurFlag,
 			disableRenewalFlag,
 			allowRenewalAfterExpiryFlag,
+			disableSmallstepExtensionsFlag,
 			//enableX509Flag,
 			enableSSHFlag,
 
@@ -360,8 +361,9 @@ func addAction(ctx *cli.Context) (err error) {
 			HostDurations: &linkedca.Durations{},
 			Enabled:       !(ctx.IsSet("ssh") && !ctx.Bool("ssh")),
 		},
-		DisableRenewal:          ctx.Bool("disable-renewal"),
-		AllowRenewalAfterExpiry: ctx.Bool("allow-renewal-after-expiry"),
+		DisableRenewal:             ctx.Bool("disable-renewal"),
+		AllowRenewalAfterExpiry:    ctx.Bool("allow-renewal-after-expiry"),
+		DisableSmallstepExtensions: ctx.Bool("disable-smallstep-extensions"),
 	}
 
 	if ctx.IsSet("x509-min-dur") {

diff --git a/command/ca/provisioner/provisioner.go b/command/ca/provisioner/provisioner.go
@@ -248,6 +248,10 @@ unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns",
 		Name:  "allow-renewal-after-expiry",
 		Usage: `Allow renewals for expired certificates generated by this provisioner.`,
 	}
+	disableSmallstepExtensionsFlag = cli.BoolFlag{
+		Name:  "disable-smallstep-extensions",
+		Usage: `Disable the Smallstep extension for all certificates generated by this provisioner.`,
+	}
 	//enableX509Flag = cli.BoolFlag{
 	//	Name:  "x509",
 	//	Usage: `Enable provisioning of x509 certificates.`,

diff --git a/command/ca/provisioner/update.go b/command/ca/provisioner/update.go
@@ -166,6 +166,7 @@ SCEP
 			sshHostDefaultDurFlag,
 			disableRenewalFlag,
 			allowRenewalAfterExpiryFlag,
+			disableSmallstepExtensionsFlag,
 			//enableX509Flag,
 			enableSSHFlag,
 
@@ -404,8 +405,11 @@ func updateClaims(ctx *cli.Context, p *linkedca.Provisioner) {
 	if ctx.IsSet("allow-renewal-after-expiry") {
 		p.Claims.AllowRenewalAfterExpiry = ctx.Bool("allow-renewal-after-expiry")
 	}
-	claims := p.Claims
+	if ctx.IsSet("disable-smallstep-extensions") {
+		p.Claims.DisableSmallstepExtensions = ctx.Bool("disable-smallstep-extensions")
+	}
 
+	claims := p.Claims
 	if claims.X509 == nil {
 		claims.X509 = &linkedca.X509Claims{}
 	}

diff --git a/go.mod b/go.mod
@@ -26,7 +26,7 @@ require (
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352
 	go.step.sm/cli-utils v0.7.6
 	go.step.sm/crypto v0.32.3
-	go.step.sm/linkedca v0.19.1
+	go.step.sm/linkedca v0.20.0
 	golang.org/x/crypto v0.11.0
 	golang.org/x/sys v0.10.0
 	golang.org/x/term v0.10.0
@@ -132,7 +132,7 @@ require (
 	google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230629202037-9506855d4529 // indirect
-	google.golang.org/grpc v1.56.1 // indirect
+	google.golang.org/grpc v1.56.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
 	k8s.io/klog/v2 v2.90.0 // indirect

diff --git a/go.sum b/go.sum
@@ -1060,8 +1060,8 @@ go.step.sm/cli-utils v0.7.6 h1:YkpLVrepmy2c5+eaz/wduiGxlgrRx3YdAStE37if25g=
 go.step.sm/cli-utils v0.7.6/go.mod h1:j+FxFZ2gbWkAJl0eded/rksuxmNqWpmyxbkXcukGJaY=
 go.step.sm/crypto v0.32.3 h1:lKR5MuIy2ZGorMKc5S7FI/32E4r0E0vJoC9vJvwQiwI=
 go.step.sm/crypto v0.32.3/go.mod h1:A009Gtqx80nTz/9DreRMflMGgaSWTuhK8En6XycK9yA=
-go.step.sm/linkedca v0.19.1 h1:uY0ByT/uB3FCQ8zIo9mU7MWG7HKf5sDXNEBeN94MuP8=
-go.step.sm/linkedca v0.19.1/go.mod h1:vPV2ad3LFQJmV7XWt87VlnJSs6UOqgsbVGVWe3veEmI=
+go.step.sm/linkedca v0.20.0 h1:bH41rvyDm3nSSJ5xgGsKUZOpzJcq5x2zacMIeqtq9oI=
+go.step.sm/linkedca v0.20.0/go.mod h1:eybHw6ZTpuFmkUQnTBRWM2SPIGaP0VbYeo1bupfPT70=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -1602,8 +1602,8 @@ google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnD
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.56.1 h1:z0dNfjIl0VpaZ9iSVjA6daGatAYwPGstTjt5vkRMFkQ=
-google.golang.org/grpc v1.56.1/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
+google.golang.org/grpc v1.56.2 h1:fVRFRnXvU+x6C4IlHZewvJOVHoOv1TUuQyoRsYnB4bI=
+google.golang.org/grpc v1.56.2/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=