From 93f39c64a065d0c5302ed26dc8786a422f8a6e6a Mon Sep 17 00:00:00 2001
From: max furman
Date: Mon, 4 Feb 2019 20:02:56 -0800
Subject: [PATCH] backwards compat only when SANS empty

---
 authority/authorize.go | 21 ++++++--------------
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/authority/authorize.go b/authority/authorize.go
index b121d265..1dd77c1a 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -120,12 +120,12 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 			http.StatusUnauthorized, errContext}
 	}
 
-	// `step ca token` should generate tokens where the subject is also in the
-	// sans. It should not be necessary to add to SANS if both certificates and
-	// cli are up to date. However, for backwards compatibility we will add
-	// the subject to the SANS if it is missing.
-	claims.SANS = appendIfMissingString(claims.SANS, claims.Subject)
-
+	// NOTE: This is for backwards compatibility with older versions of cli
+	// and certificates. Older versions added the token subject as the only SAN
+	// in a CSR by default.
+	if len(claims.SANS) == 0 {
+		claims.SANS = []string{claims.Subject}
+	}
 	dnsNames, ips := SplitSANS(claims.SANS)
 	if err != nil {
 		return nil, err
@@ -170,15 +170,6 @@ func SplitSANS(sans []string) (dnsNames []string, ips []net.IP) {
 	return
 }
 
-func appendIfMissingString(slice []string, s string) []string {
-	for _, e := range slice {
-		if e == s {
-			return slice
-		}
-	}
-	return append(slice, s)
-}
-
 // authorizeRenewal tries to locate the step provisioner extension, and checks
 // if for the configured provisioner, the renewal is enabled or not. If the
 // extra extension cannot be found, authorize the renewal by default.
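Review bot: The `if err != nil { return nil, err }` right after the new block tests an `err` that `SplitSANS` never sets — the second hunk's header shows `SplitSANS(sans []string) (dnsNames []string, ips []net.IP)` returns no error — so the check is either dead or returns whatever an earlier step left in `err`, and should be dropped or replaced with a check on the split result. The new fallback also copies `claims.Subject` into SANS unconditionally; if Subject can be empty at this point (not visible in the hunk), the result is a single empty-string SAN handed to `SplitSANS`, so a guard such as `if len(claims.SANS) == 0 && claims.Subject != ""` may be wanted — confirm against the claim validation that precedes this hunk. The comment should also state the behavior change explicitly, since a token carrying explicit SANs now yields exactly those names and the subject is no longer appended, e.g. `// A token with explicit SANs is used as-is; the subject is no longer appended to them.`. Authorize's body starts and ends outside the hunk.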