diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index 2d2d577e..24630ad3 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -151,15 +151,16 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 claims.SANs = []string{claims.Subject}
 }
 
- return append([]SignOption{
+ return []SignOption{
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
 profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
 // validators
 commonNameValidator(claims.Subject),
+ defaultSANsValidator(claims.SANs),
 defaultPublicKeyValidator{},
 newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
- }, sansValidators(claims.SANs)), nil
+ }, nil
 }
 
 // AuthorizeRenew returns an error if the renewal is disabled.
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index d8ac3ab0..fd82470d 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@@ -216,10 +216,20 @@ func (v urisValidator) Valid(req *x509.CertificateRequest) error {
 return nil
 }
 
-func sansValidators(sans []string) []SignOption {
- dnsNames, ips, emails, uris := x509util.SplitSANs(sans)
- return []SignOption{dnsNamesValidator(dnsNames), emailAddressesValidator(emails), ipAddressesValidator(ips), urisValidator(uris)}
+type defaultSANsValidator []string
+
+func (v defaultSANsValidator) Valid(req *x509.CertificateRequest) (err error) {
+ dnsNames, ips, emails, uris := x509util.SplitSANs(v)
+ if err = dnsNamesValidator(dnsNames).Valid(req); err != nil {
+ return
+ } else if err = emailAddressesValidator(emails).Valid(req); err != nil {
+ return
+ } else if err = ipAddressesValidator(ips).Valid(req); err != nil {
+ return
+ } else if err = urisValidator(uris).Valid(req); err != nil {
+ return
+ }
+ return
 }
 
 // ExtraExtensionsEnforcer enforces only those extra extensions that are strictly
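Review bot: The new defaultSANsValidator.Valid in the sign_options.go hunk chains `else if` after each terminating `return` and relies on a named result with bare returns, which hides which validator produced the error and reads against the early-return convention the neighbouring validators (urisValidator.Valid just above) follow. The new type also lacks a doc comment, unlike the exported ExtraExtensionsEnforcer right after it; something like `// defaultSANsValidator holds the SANs taken from the token claims and hands them, split by type with x509util.SplitSANs, to the per-type SAN validators.` would say what it stands in for now that sansValidators is gone. A flat sequence of guarded calls keeps the same first-error-wins behaviour with explicit returns.
```go
// defaultSANsValidator holds the SANs taken from the token claims and hands
// them, split by type with x509util.SplitSANs, to the per-type SAN validators.
type defaultSANsValidator []string

// Valid runs the DNS, email, IP and URI validators in that order and returns
// the first error any of them reports.
func (v defaultSANsValidator) Valid(req *x509.CertificateRequest) error {
	dnsNames, ips, emails, uris := x509util.SplitSANs(v)
	if err := dnsNamesValidator(dnsNames).Valid(req); err != nil {
		return err
	}
	if err := emailAddressesValidator(emails).Valid(req); err != nil {
		return err
	}
	if err := ipAddressesValidator(ips).Valid(req); err != nil {
		return err
	}
	return urisValidator(uris).Valid(req)
}
```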
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index b8a32206..6f7d0a5f 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -193,16 +193,17 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 claims.SANs = []string{claims.Subject}
 }
 
- return append([]SignOption{
+ return []SignOption{
 // modifiers / withOptions
 newProvisionerExtensionOption(TypeX5C, p.Name, ""),
 profileLimitDuration{p.claimer.DefaultTLSCertDuration(), claims.chains[0][0].NotBefore, claims.chains[0][0].NotAfter},
 // validators
 commonNameValidator(claims.Subject),
+ defaultSANsValidator(claims.SANs),
 defaultPublicKeyValidator{},
 newValidityValidator(p.claimer.MinTLSCertDuration(), p.claimer.MaxTLSCertDuration()),
- }, sansValidators(claims.SANs)), nil
+ }, nil
 }
 
 // AuthorizeRenew returns an error if the renewal is disabled.
diff --git a/authority/tls.go b/authority/tls.go
index ebe25911..551b7e15 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -64,7 +64,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 opts = []interface{}{errs.WithKeyVal("csr", csr), errs.WithKeyVal("signOptions", signOpts)}
 mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
 certValidators = []provisioner.CertificateValidator{}
- forcedModifiers = []provisioner.CertificateEnforcer{}
+ forcedModifiers = []provisioner.CertificateEnforcer{provisioner.ExtraExtensionsEnforcer{}}
 )
 
 // Set backdate with the configured value
@@ -104,7 +104,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 }
 
 // Certificate modifiers after validation
- for _, m := range append(forcedModifiers, provisioner.ExtraExtensionsEnforcer{}) {
+ for _, m := range forcedModifiers {
 if err := m.Enforce(leaf.Subject()); err != nil {
 return nil, errs.Wrap(http.StatusUnauthorized, err, "authority.Sign", opts...)
 }
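Review bot: The two tls.go hunks silently change the order in which enforcers run: ExtraExtensionsEnforcer was previously appended last at the loop in the second hunk, and the first hunk now seeds forcedModifiers with it, so any CertificateEnforcer that the code between the hunks appends (presumably from signOpts; that loop is not visible here) now runs after it rather than before. If every enforcer is independent this is harmless, but nothing in the hunks says so, and the initializer deserves a comment recording the intent, e.g. `// ExtraExtensionsEnforcer always runs, and runs first; enforcers collected from signOpts are appended after it.` Sign begins before the first hunk and continues past the second, so the option-collection loop that would confirm this sits outside the diff.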