wip

authority/provisioner/jwk.go

@@ -151,15 +151,16 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 		claims.SANs = []string{claims.Subject}
 	}
 
-	return append([]SignOption{
+	return []SignOption{
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
 		profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
 		// validators
 		commonNameValidator(claims.Subject),
+		defaultSANsValidator(claims.SANs),
 		defaultPublicKeyValidator{},
 		newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
-	}, sansValidators(claims.SANs)), nil
+	}, nil
 }
 
 // AuthorizeRenew returns an error if the renewal is disabled.

authority/provisioner/sign_options.go

@@ -216,10 +216,20 @@ func (v urisValidator) Valid(req *x509.CertificateRequest) error {
 	return nil
 }
 
-func sansValidators(sans []string) []SignOption {
-	dnsNames, ips, emails, uris := x509util.SplitSANs(sans)
-	return []SignOption{dnsNamesValidator(dnsNames), emailAddressesValidator(emails),
-		ipAddressesValidator(ips), urisValidator(uris)}
+type defaultSANsValidator []string
+
+func (v defaultSANsValidator) Valid(req *x509.CertificateRequest) (err error) {
+	dnsNames, ips, emails, uris := x509util.SplitSANs(v)
+	if err = dnsNamesValidator(dnsNames).Valid(req); err != nil {
+		return
+	} else if err = emailAddressesValidator(emails).Valid(req); err != nil {
+		return
+	} else if err = ipAddressesValidator(ips).Valid(req); err != nil {
+		return
+	} else if err = urisValidator(uris).Valid(req); err != nil {
+		return
+	}
+	return
 }
 
 // ExtraExtensionsEnforcer enforces only those extra extensions that are strictly

authority/provisioner/x5c.go

@@ -193,16 +193,17 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 		claims.SANs = []string{claims.Subject}
 	}
 
-	return append([]SignOption{
+	return []SignOption{
 		// modifiers / withOptions
 		newProvisionerExtensionOption(TypeX5C, p.Name, ""),
 		profileLimitDuration{p.claimer.DefaultTLSCertDuration(),
 			claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter},
 		// validators
 		commonNameValidator(claims.Subject),
+		defaultSANsValidator(claims.SANs),
 		defaultPublicKeyValidator{},
 		newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
-	}, sansValidators(claims.SANs)), nil
+	}, nil
 }
 
 // AuthorizeRenew returns an error if the renewal is disabled.

authority/tls.go

@@ -64,7 +64,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 		opts            = []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
 		mods            = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
 		certValidators  = []provisioner.CertificateValidator{}
-		forcedModifiers = []provisioner.CertificateEnforcer{}
+		forcedModifiers = []provisioner.CertificateEnforcer{provisioner.ExtraExtensionsEnforcer{}}
 	)
 
 	// Set backdate with the configured value
@@ -104,7 +104,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 	}
 
 	// Certificate modifiers after validation
-	for _, m := range append(forcedModifiers, provisioner.ExtraExtensionsEnforcer{}) {
+	for _, m := range forcedModifiers {
 		if err := m.Enforce(leaf.Subject()); err != nil {
 			return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
 		}