From 322200b7dbce1f8779d0bc6bb2221128275e8ca3 Mon Sep 17 00:00:00 2001
From: Oleksandr Kovalchuk
Date: Sun, 17 May 2020 20:23:13 +0300
Subject: [PATCH] Implement modifier to set CommonName

Implement modifier which sets CommonName to the certificate if CommonName is empty and forceCN is set in the config. Replace previous implementation introduced in 0218018cee90ae5e450b6bf8b12a3622abc09056 with new modifier.
Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
---
acme/order.go | 7 -------
authority/provisioner/acme.go | 1 +
authority/provisioner/sign_options.go | 26 ++++++++++++++++++++++++++
3 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/acme/order.go b/acme/order.go
index ba0f3104..27e030e9 100644
--- a/acme/order.go
+++ b/acme/order.go
@@ -262,13 +262,6 @@ func (o *order) finalize(db nosql.DB, csr *x509.CertificateRequest, auth SignAut
 if csr.Subject.CommonName != "" {
 csr.DNSNames = append(csr.DNSNames, csr.Subject.CommonName)
 }
-
- // Generate Subject CommonName for supporting `conservative` systems
- // which does not accept certificates with empty subject
- if csr.Subject.CommonName == "" && p.(*provisioner.ACME).ForceCN {
- csr.Subject.CommonName = csr.DNSNames[0]
- }
-
 csr.DNSNames = uniqueLowerNames(csr.DNSNames)
 orderNames := make([]string, len(o.Identifiers))
 for i, n := range o.Identifiers {
diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
index abeedaf1..95115e6d 100644
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@@ -68,6 +68,7 @@ func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 return []SignOption{
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeACME, p.Name, ""),
+ newForceCNOption(p.ForceCN),
 profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
 // validators
 defaultPublicKeyValidator{},
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index 92572cde..1d88131e 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@@ -316,6 +316,32 @@ type stepProvisionerASN1 struct {
 KeyValuePairs []string `asn1:"optional,omitempty"`
 }

+type forceCNOption struct {
+ ForceCN bool
+}
+
+func newForceCNOption(forceCN bool) *forceCNOption {
+ return &forceCNOption{forceCN}
+}
+
+func (o *forceCNOption) Option(Options) x509util.WithOption {
+ return func(p x509util.Profile) error {
+ if !o.ForceCN {
+ // Forcing CN is disabled, do nothing to certificate
+ return nil
+ }
+ crt := p.Subject()
+ if crt.Subject.CommonName == "" {
+ if len(crt.DNSNames) > 0 {
+ crt.Subject.CommonName = crt.DNSNames[0]
+ } else {
+ return errors.New("Cannot force CN, DNSNames is empty")
+ }
+ }
+ return nil
+ }
+}
+
 type provisionerExtensionOption struct {
 Type int
 Name string
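Review bot: In `Option`, when `ForceCN` is enabled and the template has an empty `Subject.CommonName` but no `DNSNames`, the closure refuses to sign with `errors.New("Cannot force CN, DNSNames is empty")`, so a request whose SANs are only IP addresses or e-mail addresses now fails under a setting meant for compatibility rather than restriction; this is safer than the removed `csr.DNSNames[0]` index in acme/order.go, which would panic on an empty slice, but simply leaving the CN empty in that branch (`return nil`) is arguably the intended behaviour, and whichever is chosen should be stated in a comment. The error string also starts with a capital letter against Go convention; `errors.New("cannot force CN, DNSNames is empty")`. The new type and constructor have no doc comment; suggest `// forceCNOption is a modifier that, when ForceCN is set, copies the first DNS SAN into an empty Subject.CommonName for clients that reject certificates with an empty subject.` Because the acme.go hunk registers this option under the modifiers, ahead of the validators, the copied CN is visible to whatever name validation those validators perform, which is the property that keeps the forced CN from introducing an unauthorized name — worth recording in the comment so a later reordering does not silently lose it.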