forked from TrueCloudLab/lego
Don't trust identifiers order. (#589)
ACME draft Section 7.4 "Applying for Certificate Issuance" https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4 says: Clients SHOULD NOT make any assumptions about the sort order of "identifiers" or "authorizations" elements in the returned order object.
This commit is contained in:
parent
94e14328ab
commit
a2543a2fde
2 changed files with 16 additions and 9 deletions
|
@ -662,9 +662,18 @@ func (c *Client) requestCertificateForOrder(order orderResource, bundle bool, pr
|
||||||
|
|
||||||
// determine certificate name(s) based on the authorization resources
|
// determine certificate name(s) based on the authorization resources
|
||||||
commonName := order.Domains[0]
|
commonName := order.Domains[0]
|
||||||
var san []string
|
|
||||||
|
// ACME draft Section 7.4 "Applying for Certificate Issuance"
|
||||||
|
// https://tools.ietf.org/html/draft-ietf-acme-acme-12#section-7.4
|
||||||
|
// says:
|
||||||
|
// Clients SHOULD NOT make any assumptions about the sort order of
|
||||||
|
// "identifiers" or "authorizations" elements in the returned order
|
||||||
|
// object.
|
||||||
|
san := []string{commonName}
|
||||||
for _, auth := range order.Identifiers {
|
for _, auth := range order.Identifiers {
|
||||||
san = append(san, auth.Value)
|
if auth.Value != commonName {
|
||||||
|
san = append(san, auth.Value)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TODO: should the CSR be customizable?
|
// TODO: should the CSR be customizable?
|
||||||
|
@ -681,13 +690,13 @@ func (c *Client) requestCertificateForCsr(order orderResource, bundle bool, csr
|
||||||
|
|
||||||
csrString := base64.RawURLEncoding.EncodeToString(csr)
|
csrString := base64.RawURLEncoding.EncodeToString(csr)
|
||||||
var retOrder orderMessage
|
var retOrder orderMessage
|
||||||
_, error := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder)
|
_, err := postJSON(c.jws, order.Finalize, csrMessage{Csr: csrString}, &retOrder)
|
||||||
if error != nil {
|
if err != nil {
|
||||||
return nil, error
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if retOrder.Status == "invalid" {
|
if retOrder.Status == "invalid" {
|
||||||
return nil, error
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
certRes := CertificateResource{
|
certRes := CertificateResource{
|
||||||
|
|
|
@ -215,9 +215,7 @@ func generatePrivateKey(keyType KeyType) (crypto.PrivateKey, error) {
|
||||||
|
|
||||||
func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) {
|
func generateCsr(privateKey crypto.PrivateKey, domain string, san []string, mustStaple bool) ([]byte, error) {
|
||||||
template := x509.CertificateRequest{
|
template := x509.CertificateRequest{
|
||||||
Subject: pkix.Name{
|
Subject: pkix.Name{CommonName: domain},
|
||||||
CommonName: domain,
|
|
||||||
},
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(san) > 0 {
|
if len(san) > 0 {
|
||||||
|
|
Loading…
Reference in a new issue