From a2543a2fde2fafa4bc663e0058e59915967e8034 Mon Sep 17 00:00:00 2001 From: Ludovic Fernandez Date: Sun, 1 Jul 2018 01:06:46 +0200 Subject: [PATCH] Don't trust identifiers order. (#589) ACME draft Section 7.4 "Applying for Certificate Issuance" https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4 says: Clients SHOULD NOT make any assumptions about the sort order of "identifiers" or "authorizations" elements in the returned order object. --- acme/client.go | 21 +++++++++++++++------ acme/crypto.go | 4 +--- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/acme/client.go b/acme/client.go index 1f8f942f..52b0c630 100644 --- a/acme/client.go +++ b/acme/client.go @@ -662,9 +662,18 @@ func (c *Client) requestCertificateForOrder(order orderResource, bundle bool, pr // determine certificate name(s) based on the authorization resources commonName := order.Domains[0] - var san []string + + // ACME draft Section 7.4 "Applying for Certificate Issuance" + // https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4 + // says: + // Clients SHOULD NOT make any assumptions about the sort order of + // "identifiers" or "authorizations" elements in the returned order + // object. + san := []string{commonName} for _, auth := range order.Identifiers { - san = append(san, auth.Value) + if auth.Value != commonName { + san = append(san, auth.Value) + } } // TODO: should the CSR be customizable? @@ -681,13 +690,13 @@ func (c *Client) requestCertificateForCsr(order orderResource, bundle bool, csr csrString := base64.RawURLEncoding.EncodeToString(csr) var retOrder orderMessage - _, error := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder) - if error != nil { - return nil, error + _, err := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder) + if err != nil { + return nil, err } if retOrder.Status == "invalid" { - return nil, error + return nil, err } certRes := CertificateResource{ diff --git a/acme/crypto.go b/acme/crypto.go index 35712ab9..f5ebbf08 100644 --- a/acme/crypto.go +++ b/acme/crypto.go @@ -215,9 +215,7 @@ func generatePrivateKey(keyType KeyType) (crypto.PrivateKey, error) { func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) { template := x509.CertificateRequest{ - Subject: pkix.Name{ - CommonName: domain, - }, + Subject: pkix.Name{CommonName: domain}, } if len(san) > 0 {