Don't trust identifiers order. (#589)

ACME draft Section 7.4 "Applying for Certificate Issuance"
https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4
says:
	Clients SHOULD NOT make any assumptions about the sort order of
	"identifiers" or "authorizations" elements in the returned order
	object.
This commit is contained in:
Ludovic Fernandez 2018-07-01 01:06:46 +02:00 committed by GitHub
parent 94e14328ab
commit a2543a2fde
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 9 deletions

View file

@ -662,9 +662,18 @@ func (c *Client) requestCertificateForOrder(order orderResource, bundle bool, pr
// determine certificate name(s) based on the authorization resources // determine certificate name(s) based on the authorization resources
commonName := order.Domains[0] commonName := order.Domains[0]
var san []string
// ACME draft Section 7.4 "Applying for Certificate Issuance"
// https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4
// says:
// Clients SHOULD NOT make any assumptions about the sort order of
// "identifiers" or "authorizations" elements in the returned order
// object.
san := []string{commonName}
for _, auth := range order.Identifiers { for _, auth := range order.Identifiers {
san = append(san, auth.Value) if auth.Value != commonName {
san = append(san, auth.Value)
}
} }
// TODO: should the CSR be customizable? // TODO: should the CSR be customizable?
@ -681,13 +690,13 @@ func (c *Client) requestCertificateForCsr(order orderResource, bundle bool, csr
csrString := base64.RawURLEncoding.EncodeToString(csr) csrString := base64.RawURLEncoding.EncodeToString(csr)
var retOrder orderMessage var retOrder orderMessage
_, error := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder) _, err := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder)
if error != nil { if err != nil {
return nil, error return nil, err
} }
if retOrder.Status == "invalid" { if retOrder.Status == "invalid" {
return nil, error return nil, err
} }
certRes := CertificateResource{ certRes := CertificateResource{

View file

@ -215,9 +215,7 @@ func generatePrivateKey(keyType KeyType) (crypto.PrivateKey, error) {
func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) { func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) {
template := x509.CertificateRequest{ template := x509.CertificateRequest{
Subject: pkix.Name{ Subject: pkix.Name{CommonName: domain},
CommonName: domain,
},
} }
if len(san) > 0 { if len(san) > 0 {