From a3e2b4a552d054cdc8b951a4275635d9be3410c4 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 20 Mar 2019 17:36:45 -0700
Subject: [PATCH] Move certificate check to the right place.
---
 authority/tls.go | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/authority/tls.go b/authority/tls.go
index 64e218e8..64bd7ebe 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -59,6 +59,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 errContext = context{"csr": csr, "signOptions": signOpts}
 mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
 certValidators = []provisioner.CertificateValidator{}
+ issIdentity = a.intermediateIdentity
 )
 for _, op := range extraOpts {
 switch k := op.(type) {
@@ -76,18 +77,22 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 }
 }
- stepCSR, err := x509.ParseCertificateRequest(csr.Raw)
- if err != nil {
- return nil, nil, &apiError{errors.Wrap(err, "sign: error converting x509 csr to stepx509 csr"), http.StatusInternalServerError, errContext}
+ if err := csr.CheckSignature(); err != nil {
+ return nil, nil, &apiError{errors.Wrap(err, "sign: invalid certificate request"), http.StatusBadRequest, errContext}
 }
- issIdentity := a.intermediateIdentity
- leaf, err := x509util.NewLeafProfileWithCSR(stepCSR, issIdentity.Crt, issIdentity.Key, mods...)
+ leaf, err := x509util.NewLeafProfileWithCSR(csr, issIdentity.Crt, issIdentity.Key, mods...)
 if err != nil {
 return nil, nil, &apiError{errors.Wrapf(err, "sign"), http.StatusInternalServerError, errContext}
 }
+ for _, v := range certValidators {
+ if err := v.Valid(leaf.Subject()); err != nil {
+ return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
+ }
+ }
+
 crtBytes, err := leaf.CreateCertificate()
 if err != nil {
 return nil, nil, &apiError{errors.Wrap(err, "sign: error creating new leaf certificate"), 
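Review bot: The validator loop added in the second hunk now inspects `leaf.Subject()`, the not-yet-signed template, whereas the removed loop (third hunk) checked the parsed `serverCert`; if any `CertificateValidator` reads a field that is only filled in by `CreateCertificate` (serial number, issuer, signature algorithm, for instance) it would presumably see a zero value here, so it is worth confirming that every validator only looks at template-level fields such as subject, SANs and key. The new ordering is the right one from a security standpoint — a rejected request must never produce a signed certificate — and that invariant deserves a comment on the loop, e.g. `// Validate the leaf template before signing: a rejected CSR must never yield a signed certificate.`. The `csr.CheckSignature()` guard returning `http.StatusBadRequest` is a sensible proof-of-possession check, but note that a validator failure is still surfaced as `http.StatusUnauthorized` for a request that has already been authenticated by its provisioner; `http.StatusForbidden` may describe that outcome more accurately, although this status predates the change. Sign's body begins before this hunk and continues past the last one.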
@@ -100,13 +105,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 http.StatusInternalServerError, errContext}
 }
- // FIXME: This should be before creating the certificate.
- for _, v := range certValidators {
- if err := v.Valid(serverCert); err != nil {
- return nil, nil, &apiError{errors.Wrap(err, "sign"), http.StatusUnauthorized, errContext}
- }
- }
-
 caCert, err := x509.ParseCertificate(issIdentity.Crt.Raw)
 if err != nil {
 return nil, nil, &apiError{errors.Wrap(err, "sign: error parsing intermediate certificate"),