Ensure the CA TLS certificate represents IPv6 DNS names as IP in cert

If an IPv6 domain name (i.e. [::1]) is provided manually in the `ca.json`, this commit will ensure that it's represented as an IP SAN in the TLS certificate. Before this change, the IPv6 would become a DNS SAN.
2022-02-03 14:21:23 +01:00 · 2022-02-03 14:21:23 +01:00 · e887ccaa07
commit e887ccaa07
parent 1fe7362bee
1 changed files with 13 additions and 1 deletions
--- a/authority/tls.go
+++ b/authority/tls.go
@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"net"
 	"net/http"
 	"strings"
 	"time"
@ -508,8 +509,19 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 		return fatal(errors.New("private key is not a crypto.Signer"))
 	}

+	// prepare the sans: IPv6 DNS hostname representations are converted to their IP representation
+	sans := make([]string, len(a.config.DNSNames))
+	for i, san := range a.config.DNSNames {
+		if strings.HasPrefix(san, "[") && strings.HasSuffix(san, "]") {
+			if ip := net.ParseIP(san[1 : len(san)-1]); ip != nil {
+				san = ip.String()
+			}
+		}
+		sans[i] = san
+	}
+
 	// Create initial certificate request.
-	cr, err := x509util.CreateCertificateRequest("Step Online CA", a.config.DNSNames, signer)
+	cr, err := x509util.CreateCertificateRequest("Step Online CA", sans, signer)
 	if err != nil {
 		return fatal(err)
 	}