Disallow email address and URLs in the CSR

Before this commit `step` would allow email addresses and URLs
in the CSR. This doesn't fit nicely with the rest of ACME, in which
identifiers need to be authorized before a certificate is issued.

acme/order.go

@@ -200,6 +200,10 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 
 	var sans []x509util.SubjectAlternativeName
 
+	if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
+		return sans, NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed")
+	}
+
 	// order the DNS names and IP addresses, so that they can be compared against the canonicalized CSR
 	orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers))
 	orderIPs := make([]net.IP, numberOfIdentifierType(IP, o.Identifiers))

acme/order_test.go

@@ -6,6 +6,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/json"
 	"net"
+	"net/url"
 	"reflect"
 	"testing"
 	"time"
@@ -1280,6 +1281,39 @@ func TestOrder_sans(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			name: "fail/invalid-alternative-name-email",
+			fields: fields{
+				Identifiers: []Identifier{},
+			},
+			csr: &x509.CertificateRequest{
+				Subject: pkix.Name{
+					CommonName: "foo.internal",
+				},
+				EmailAddresses: []string{"test@example.com"},
+			},
+			want: []x509util.SubjectAlternativeName{},
+			err:  NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed"),
+		},
+		{
+			name: "fail/invalid-alternative-name-uri",
+			fields: fields{
+				Identifiers: []Identifier{},
+			},
+			csr: &x509.CertificateRequest{
+				Subject: pkix.Name{
+					CommonName: "foo.internal",
+				},
+				URIs: []*url.URL{
+					{
+						Scheme: "https://",
+						Host:   "smallstep.com",
+					},
+				},
+			},
+			want: []x509util.SubjectAlternativeName{},
+			err:  NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed"),
+		},
 		{
 			name: "fail/error-names-length-mismatch",
 			fields: fields{