From 13507efb3557f8b81296885f4b58ccdf0ffc1e9a Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano@smallstep.com>
Date: Mon, 20 Apr 2020 10:43:33 -0700
Subject: [PATCH 1/2] Remove the requirement for CSR to have a common name. Fixes #226
---
 authority/provisioner/sign_options.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index 074e4470..92572cde 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@@ -108,9 +108,10 @@ func (v defaultPublicKeyValidator) Valid(req *x509.CertificateRequest) error {
 type commonNameValidator string
 // Valid checks that certificate request common name matches the one configured.
+// An empty common name is considered valid.
 func (v commonNameValidator) Valid(req *x509.CertificateRequest) error {
 if req.Subject.CommonName == "" {
- return errors.New("certificate request cannot contain an empty common name")
+ return nil
 }
 if req.Subject.CommonName != string(v) {
 return errors.Errorf("certificate request does not contain the valid common name; requested common name = %s, token subject = %s", req.Subject.CommonName, v)
@@ -118,12 +119,13 @@ func (v commonNameValidator) Valid(req *x509.CertificateRequest) error {
 return nil
 }
-// commonNameSliceValidator validates thats the common name of a certificate request is present in the slice.
+// commonNameSliceValidator validates thats the common name of a certificate
+// request is present in the slice. An empty common name is considered valid.
 type commonNameSliceValidator []string
 func (v commonNameSliceValidator) Valid(req *x509.CertificateRequest) error {
 if req.Subject.CommonName == "" {
- return errors.New("certificate request cannot contain an empty common name")
+ return nil
 }
 for _, cn := range v {
 if req.Subject.CommonName == cn {
From a2dfa6faa8b51a480551c19cfc7bf36f99105477 Mon Sep 17 00:00:00 2001
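Review bot: Returning `nil` for an empty common name in `commonNameValidator.Valid` means this validator no longer ties the request to the token subject when the CSR omits the CN, so the identity binding for such requests rests entirely on whatever SAN validators run alongside it; the same holds for `commonNameSliceValidator.Valid` in the second hunk. Those validators are not visible in this patch, so it is worth confirming that a CSR with an empty CN must still carry at least one name that is checked against the token, and that a request with neither CN nor SANs is rejected somewhere in the signing path. I would make the dependency explicit in the doc comment, e.g. `// An empty common name is considered valid; the request is then bound only by the SAN validators.` The body of `commonNameSliceValidator.Valid` continues past the end of the second hunk.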
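Review bot: The reflowed comment on `commonNameSliceValidator` in the second hunk still carries the typo `validates thats`, and the note about empty names sits on the type while `Valid` itself has no doc comment, unlike `commonNameValidator.Valid` in the first hunk. Suggest `// commonNameSliceValidator validates that the common name of a certificate` on the type, and a method comment `// Valid checks that the certificate request common name is in the slice. An empty common name is considered valid.` directly above `func (v commonNameSliceValidator) Valid`.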
From: Mariano Cano <mariano@smallstep.com>
Date: Mon, 20 Apr 2020 12:29:23 -0700
Subject: [PATCH 2/2] Fix unit tests.
---
 authority/provisioner/sign_options_test.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/authority/provisioner/sign_options_test.go b/authority/provisioner/sign_options_test.go
index 74c8d1f4..97d34ea8 100644
--- a/authority/provisioner/sign_options_test.go
+++ b/authority/provisioner/sign_options_test.go
@@ -125,7 +125,7 @@ func Test_commonNameValidator_Valid(t *testing.T) {
 wantErr bool
 }{
 {"ok", "foo.bar.zar", args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: "foo.bar.zar"}}}, false},
- {"empty", "", args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: ""}}}, true},
+ {"empty", "", args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: ""}}}, false},
 {"wrong", "foo.bar.zar", args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.com"}}}, true},
 }
 for _, tt := range tests {
@@ -149,7 +149,7 @@ func Test_commonNameSliceValidator_Valid(t *testing.T) {
 }{
 {"ok", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: "foo.bar.zar"}}}, false},
 {"ok", []string{"example.com", "foo.bar.zar"}, args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: "foo.bar.zar"}}}, false},
- {"empty", []string{""}, args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: ""}}}, true},
+ {"empty", []string{""}, args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: ""}}}, false},
 {"wrong", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.com"}}}, true},
 }
 for _, tt := range tests {
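Review bot: The updated `empty` case in `Test_commonNameValidator_Valid` configures the validator as `""`, so it would still pass if the empty-name branch were dropped and only the equality check remained; the `[]string{""}` case in `Test_commonNameSliceValidator_Valid` has the same gap. To pin the behaviour this series introduces, pair a non-empty configured name with an empty request CN, e.g. `{"empty", "foo.bar.zar", args{&x509.CertificateRequest{Subject: pkix.Name{CommonName: ""}}}, false},` and `[]string{"foo.bar.zar"}` in the slice table. Both test tables begin before the hunks and the loops continue after them.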