[Bug]: Template errors are silently ignored #731

@olix0r

Description

Steps to Reproduce

Create a template with a subtle error:

{
    "subject": {{ toJson .Subject }}},
    "issuer": {{ toJson .Subject }},
    "keyUsage": ["certSign"],
    "basicConstraints": {"isCA": true, "maxPathLen": 0},
    "nameConstraints": {
        "critical": true,
        "permittedDNSDomains": ["example.com"]
    }
}

(The subject has an extra trailing })

Create a certificate with the template:

:; step certificate create test /tmp/bad.crt /tmp/bad.key \
        --template bad.tpl --not-after 1h --no-password --insecure
Your certificate has been saved in /tmp/bad.crt.
Your private key has been saved in /tmp/bad.key.

The template was silently ignored:

:; step certificate inspect /tmp/bad.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 251513735637553810605278444559500255861 (0xbd37c892ba9c07148be812a4d13b2275)
    Signature Algorithm: ECDSA-SHA256
        Issuer: CN=test
        Validity
            Not Before: Aug 23 20:15:15 2022 UTC
            Not After : Aug 23 21:15:15 2022 UTC
        Subject: CN=test
        Subject Public Key Info:
            Public Key Algorithm: ECDSA
                Public-Key: (256 bit)
                X:
                    ad:58:12:f9:7c:ab:fd:06:b1:1f:53:ab:c0:c0:f2:
                    68:b3:56:6c:17:69:31:59:d4:65:c0:4e:75:33:47:
                    de:8d
                Y:
                    1d:45:c2:26:f9:a3:61:0c:5f:80:9d:c7:db:9c:ae:
                    60:74:99:d3:af:b1:ae:6f:77:53:bb:aa:a7:16:e0:
                    e3:96
                Curve: P-256
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                3A:9B:8F:68:A6:00:3A:E8:35:B7:3E:13:2C:98:33:1D:2F:6F:57:34
    Signature Algorithm: ECDSA-SHA256
         30:45:02:20:4c:31:c2:50:77:5b:c6:a8:d6:fb:08:33:ac:ef:
         9d:a8:c5:00:6b:96:5b:99:0d:b3:ab:53:27:c8:fe:ba:d5:c1:
         02:21:00:ad:b6:ed:ab:6c:4a:a7:d9:6b:f1:87:0f:2e:ff:ee:
         6d:2b:54:7b:5a:bd:dd:47:72:e8:6e:6b:67:1d:d5:84:93

Your Environment

Smallstep CLI/0.21.0 (linux/amd64)
Release Date: 2022-07-06T22:23:54Z

Expected Behavior

The certificate create command should fail with an error.

Actual Behavior

A certificate is created without the templated configuration.

Additional Context

Best case: it's difficult to debug what's going on.

Worst case: important constraints are missing in created certificates.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
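
A pre-flight check for the failure mode reported above, as an added example that is not part of the original issue and is not smallstep's code: it renders a template with Go's text/template and rejects output that is not a single valid JSON object or that lacks a required key. The name lintTemplate, the stand-in toJson helper and the sample subject data are assumptions made for this sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
)

// lintTemplate (hypothetical name) fails unless tpl renders to one JSON object with all required keys.
func lintTemplate(tpl string, required ...string) error {
	funcs := template.FuncMap{"toJson": func(v interface{}) (string, error) { // stand-in helper
		b, err := json.Marshal(v)
		return string(b), err
	}}
	t, err := template.New("cert").Funcs(funcs).Parse(tpl)
	if err != nil {
		return fmt.Errorf("template parse: %w", err)
	}
	var out strings.Builder
	data := map[string]interface{}{"Subject": map[string]string{"commonName": "test"}} // constructed
	if err := t.Execute(&out, data); err != nil {
		return fmt.Errorf("template execute: %w", err)
	}
	// A stray "}" is plain text to the template engine; only the JSON parse can catch it.
	var doc map[string]json.RawMessage
	if err := json.Unmarshal([]byte(out.String()), &doc); err != nil {
		return fmt.Errorf("rendered template is not valid JSON: %w", err)
	}
	for _, k := range required {
		if _, ok := doc[k]; !ok {
			return fmt.Errorf("rendered template lacks %q", k)
		}
	}
	return nil
}

// Constructed inputs: the issue's template (whitespace condensed), then a copy without the stray brace.
const badTpl = `{
  "subject": {{ toJson .Subject }}},
  "issuer": {{ toJson .Subject }},
  "keyUsage": ["certSign"], "basicConstraints": {"isCA": true, "maxPathLen": 0},
  "nameConstraints": {"critical": true, "permittedDNSDomains": ["example.com"]}
}`
var goodTpl = strings.Replace(badTpl, "}}},", "}},", 1)

func main() {
	fmt.Println("bad: ", lintTemplate(badTpl, "nameConstraints"))
	fmt.Println("good:", lintTemplate(goodTpl, "nameConstraints"))
}
```

Listing the keys that carry the security properties (here nameConstraints) as required makes the check fail when a template renders cleanly but drops a constraint.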
