forked from TrueCloudLab/certificates
Merge pull request #453 from smallstep/max/csr-san-empty
Allow empty SAN in CSR for validation ...
This commit is contained in:
commit
fc93d60c5d
2 changed files with 18 additions and 2 deletions
|
@ -154,6 +154,9 @@ type dnsNamesValidator []string
|
|||
// Valid checks that certificate request DNS Names match those configured in
|
||||
// the bootstrap (token) flow.
|
||||
func (v dnsNamesValidator) Valid(req *x509.CertificateRequest) error {
|
||||
if len(req.DNSNames) == 0 {
|
||||
return nil
|
||||
}
|
||||
want := make(map[string]bool)
|
||||
for _, s := range v {
|
||||
want[s] = true
|
||||
|
@ -174,6 +177,9 @@ type ipAddressesValidator []net.IP
|
|||
// Valid checks that certificate request IP Addresses match those configured in
|
||||
// the bootstrap (token) flow.
|
||||
func (v ipAddressesValidator) Valid(req *x509.CertificateRequest) error {
|
||||
if len(req.IPAddresses) == 0 {
|
||||
return nil
|
||||
}
|
||||
want := make(map[string]bool)
|
||||
for _, ip := range v {
|
||||
want[ip.String()] = true
|
||||
|
@ -194,6 +200,9 @@ type emailAddressesValidator []string
|
|||
// Valid checks that certificate request IP Addresses match those configured in
|
||||
// the bootstrap (token) flow.
|
||||
func (v emailAddressesValidator) Valid(req *x509.CertificateRequest) error {
|
||||
if len(req.EmailAddresses) == 0 {
|
||||
return nil
|
||||
}
|
||||
want := make(map[string]bool)
|
||||
for _, s := range v {
|
||||
want[s] = true
|
||||
|
@ -214,6 +223,9 @@ type urisValidator []*url.URL
|
|||
// Valid checks that certificate request IP Addresses match those configured in
|
||||
// the bootstrap (token) flow.
|
||||
func (v urisValidator) Valid(req *x509.CertificateRequest) error {
|
||||
if len(req.URIs) == 0 {
|
||||
return nil
|
||||
}
|
||||
want := make(map[string]bool)
|
||||
for _, u := range v {
|
||||
want[u.String()] = true
|
||||
|
|
|
@ -174,14 +174,15 @@ func Test_emailAddressesValidator_Valid(t *testing.T) {
|
|||
{"ok1", []string{"max@smallstep.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"max@smallstep.com"}}}, false},
|
||||
{"ok2", []string{"max@step.com", "mike@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"max@step.com", "mike@step.com"}}}, false},
|
||||
{"ok3", []string{"max@step.com", "mike@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"mike@step.com", "max@step.com"}}}, false},
|
||||
{"ok3", []string{"max@step.com", "mike@step.com"}, args{&x509.CertificateRequest{}}, false},
|
||||
{"fail1", []string{"max@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"mike@step.com"}}}, true},
|
||||
{"fail2", []string{"mike@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"max@step.com", "mike@step.com"}}}, true},
|
||||
{"fail3", []string{"mike@step.com", "max@step.com"}, args{&x509.CertificateRequest{DNSNames: []string{"mike@step.com", "mex@step.com"}}}, true},
|
||||
{"fail3", []string{"mike@step.com", "max@step.com"}, args{&x509.CertificateRequest{EmailAddresses: []string{"mike@step.com", "mex@step.com"}}}, true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
if err := tt.v.Valid(tt.args.req); (err != nil) != tt.wantErr {
|
||||
t.Errorf("dnsNamesValidator.Valid() error = %v, wantErr %v", err, tt.wantErr)
|
||||
t.Errorf("emailAddressesValidator.Valid() error = %v, wantErr %v", err, tt.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
@ -201,6 +202,7 @@ func Test_dnsNamesValidator_Valid(t *testing.T) {
|
|||
{"ok1", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar"}}}, false},
|
||||
{"ok2", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar", "bar.zar"}}}, false},
|
||||
{"ok3", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar", "foo.bar.zar"}}}, false},
|
||||
{"ok4", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{}}, false},
|
||||
{"fail1", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar"}}}, true},
|
||||
{"fail2", []string{"foo.bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"bar.zar", "foo.bar.zar"}}}, true},
|
||||
{"fail3", []string{"foo.bar.zar", "bar.zar"}, args{&x509.CertificateRequest{DNSNames: []string{"foo.bar.zar", "zar.bar"}}}, true},
|
||||
|
@ -232,6 +234,7 @@ func Test_ipAddressesValidator_Valid(t *testing.T) {
|
|||
{"ok1", []net.IP{ip1}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip1}}}, false},
|
||||
{"ok2", []net.IP{ip1, ip2}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip1, ip2}}}, false},
|
||||
{"ok3", []net.IP{ip1, ip2}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip2, ip1}}}, false},
|
||||
{"ok4", []net.IP{ip1, ip2}, args{&x509.CertificateRequest{}}, false},
|
||||
{"fail1", []net.IP{ip1}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip2}}}, true},
|
||||
{"fail2", []net.IP{ip1}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip2, ip1}}}, true},
|
||||
{"fail3", []net.IP{ip1, ip2}, args{&x509.CertificateRequest{IPAddresses: []net.IP{ip1, ip3}}}, true},
|
||||
|
@ -268,6 +271,7 @@ func Test_urisValidator_Valid(t *testing.T) {
|
|||
{"ok1", []*url.URL{u1}, args{&x509.CertificateRequest{URIs: []*url.URL{u1}}}, false},
|
||||
{"ok2", []*url.URL{u1, u2}, args{&x509.CertificateRequest{URIs: []*url.URL{u2, u1}}}, false},
|
||||
{"ok3", []*url.URL{u2, u1, u3}, args{&x509.CertificateRequest{URIs: []*url.URL{u3, u2, u1}}}, false},
|
||||
{"ok3", []*url.URL{u2, u1, u3}, args{&x509.CertificateRequest{}}, false},
|
||||
{"fail1", []*url.URL{u1}, args{&x509.CertificateRequest{URIs: []*url.URL{u2}}}, true},
|
||||
{"fail2", []*url.URL{u1}, args{&x509.CertificateRequest{URIs: []*url.URL{u2, u1}}}, true},
|
||||
{"fail3", []*url.URL{u1, u2}, args{&x509.CertificateRequest{URIs: []*url.URL{u1, fu}}}, true},
|
||||
|
|
Loading…
Reference in a new issue