Implement modifier to set CommonName

Implement modifier which sets CommonName to the certificate if CommonName is empty and forceCN is set in the config. Replace previous implementation introduced in 0218018cee with new modifier. Closes https://github.com/smallstep/certificates/issues/259 Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
2020-05-17 20:23:13 +03:00 · 2020-05-17 20:23:13 +03:00 · 322200b7db
commit 322200b7db
parent 0218018cee
3 changed files with 27 additions and 7 deletions
--- a/acme/order.go
+++ b/acme/order.go
@ -262,13 +262,6 @@ func (o *order) finalize(db nosql.DB, csr *x509.CertificateRequest, auth SignAut
 	if csr.Subject.CommonName != "" {
 		csr.DNSNames = append(csr.DNSNames, csr.Subject.CommonName)
 	}
-
-	// Generate Subject CommonName for supporting `conservative` systems
-	// which does not accept certificates with empty subject
-	if csr.Subject.CommonName == "" && p.(*provisioner.ACME).ForceCN {
-		csr.Subject.CommonName = csr.DNSNames[0]
-	}
-
 	csr.DNSNames = uniqueLowerNames(csr.DNSNames)
 	orderNames := make([]string, len(o.Identifiers))
 	for i, n := range o.Identifiers {
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@ -68,6 +68,7 @@ func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
 	return []SignOption{
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeACME, p.Name, ""),
+		newForceCNOption(p.ForceCN),
 		profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
 		// validators
 		defaultPublicKeyValidator{},
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@ -316,6 +316,32 @@ type stepProvisionerASN1 struct {
 	KeyValuePairs []string `asn1:"optional,omitempty"`
 }

+type forceCNOption struct {
+	ForceCN bool
+}
+
+func newForceCNOption(forceCN bool) *forceCNOption {
+	return &forceCNOption{forceCN}
+}
+
+func (o *forceCNOption) Option(Options) x509util.WithOption {
+	return func(p x509util.Profile) error {
+		if !o.ForceCN {
+			// Forcing CN is disabled, do nothing to certificate
+			return nil
+		}
+		crt := p.Subject()
+		if crt.Subject.CommonName == "" {
+			if len(crt.DNSNames) > 0 {
+				crt.Subject.CommonName = crt.DNSNames[0]
+			} else {
+				return errors.New("Cannot force CN, DNSNames is empty")
+			}
+		}
+		return nil
+	}
+}
+
 type provisionerExtensionOption struct {
 	Type          int
 	Name          string