tctl auth should use binary output mode for binary outputs. #52261

Open
programmerq opened this issue Feb 18, 2025 · 0 comments · May be fixed by #52308
Labels
bug tctl tctl - Teleport admin tool windows

Expected behavior:

Windows tctl.exe:

  • tctl.exe auth crl outputs a binary DER formatted CRL.
  • tctl.exe auth export --type windows outputs a binary DER formatted certificate.

Mac/Linux tctl:

  • tctl auth crl outputs the binary DER with no trailing \n appended.
  • tctl auth export --type windows (and any other --type that is binary) has no trailing \n.

Current behavior:

In Windows PowerShell, the output is marked as text output instead of binary output. This leads to PowerShell treating the pipe like a text stream, which leads to mangled output.

PS C:\Users\jeff> tctl.exe auth crl --type host | openssl crl -inform DER
Could not read CRL from <stdin>
Unable to load CRL
PS C:\Users\jeff> tctl.exe auth crl --type host > auth.crl
PS C:\Users\jeff> openssl crl -inform DER -in auth.crl
Could not read CRL from auth.crl
BC7F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
BC7F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto\encode_decode\decoder_lib.c:101:No supported data to decode.  Input type: DER, Input structure: CertificateList
BC7F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
BC7F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
BC7F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto\encode_decode\decoder_lib.c:101:No supported data to decode.  Input type: DER, Input structure: CertificateList
BC7F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
BC7F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
BC7F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto\encode_decode\decoder_lib.c:101:No supported data to decode.  Input type: DER, Input structure: CertificateList
Unable to load CRL

I looked at the source code, and saw that tctl is outputting the binary DER using fmt.Println(string()). This also makes it append \n on Linux/Mac systems. Perhaps there's a way for Windows binaries to detect a PowerShell environment and produce output it expects? At the very least, the tctl binary could support writing directly to a file instead of stdout.

https://github.com/gravitational/teleport/blob/v17.2.7/tool/tctl/common/auth_command.go#L494-L509

The tctl auth export command also needs a similar adjustment for cases where it outputs binary format CAs.

PS C:\Users\jeff> tctl.exe auth export --type windows | openssl x509 -inform DER -noout -text
Could not read certificate from <stdin>
A8160000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto\encode_decode\decoder_lib.c:101:No supported data to decode.  Input type: DER, Input structure: Certificate
A8160000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
A8160000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
A8160000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto\encode_decode\decoder_lib.c:101:No supported data to decode.  Input type: DER, Input structure: Certificate
A8160000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
A8160000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto\store\store_result.c:151:
A8160000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto\encode_decode\decoder_lib.c:101:No supported data to decode.  Input type: DER, Input structure: Certificate
Unable to load certificate

https://github.com/gravitational/teleport/blob/v17.2.7/tool/tctl/common/auth_command.go#L280

Bug details:

  • Teleport version 17.x (tested with 17.1.1 and 17.2.6)
  • Recreation steps
  • Debug logs
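
Added example, not part of the original issue and not Teleport's code: it covers the trailing `\n` half of the report by contrasting the `fmt.Println(string(...))` pattern described above with a raw write, then using `encoding/asn1` to count the bytes that follow the outer DER element. `sampleDER` and every function name here are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"fmt"
	"io"
)

// sampleDER is a constructed DER SEQUENCE { INTEGER 10 } standing in for a
// real CRL or certificate. Its last content byte, 0x0a, is also ASCII LF.
var sampleDER = []byte{0x30, 0x03, 0x02, 0x01, 0x0a}

// writeAsText mirrors the pattern the issue describes: the DER bytes are
// converted to a string and printed, so a '\n' is appended to the output.
func writeAsText(w io.Writer, der []byte) error {
	_, err := fmt.Fprintln(w, string(der))
	return err
}

// writeAsBinary writes the DER bytes unchanged, with nothing appended.
func writeAsBinary(w io.Writer, der []byte) error {
	_, err := w.Write(der)
	return err
}

// trailingBytes parses the outer DER element and reports how many bytes
// follow it. Any value other than 0 means the output is not clean DER.
func trailingBytes(out []byte) (int, error) {
	var raw asn1.RawValue
	rest, err := asn1.Unmarshal(out, &raw)
	if err != nil {
		return 0, err
	}
	return len(rest), nil
}

// extraAfter runs one of the writers into a buffer and checks the result.
func extraAfter(write func(io.Writer, []byte) error) (int, error) {
	var buf bytes.Buffer
	if err := write(&buf, sampleDER); err != nil {
		return 0, err
	}
	return trailingBytes(buf.Bytes())
}

func main() {
	fmt.Println(extraAfter(writeAsText))   // text path
	fmt.Println(extraAfter(writeAsBinary)) // binary path
}
```

The same `trailingBytes` check can be pointed at a file produced by a shell redirect to tell whether the bytes on disk are still a single DER element.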
zmb3 added a commit that referenced this issue Feb 19, 2025
@zmb3 zmb3 linked a pull request Feb 19, 2025 that will close this issue