Ensure the CA TLS certificate represents IPv6 DNS names as IP in cert

If an IPv6 address in bracketed literal form (e.g. `[::1]`) is provided manually in the `ca.json`,
this commit will ensure that it's represented as an IP SAN in the TLS
certificate. Before this change, the IPv6 would become a DNS SAN.
This commit is contained in:
Herman Slatman 2022-02-03 14:21:23 +01:00
parent 1fe7362bee
commit e887ccaa07
No known key found for this signature in database
GPG key ID: F4D8A44EA0A75A4F


@ -10,6 +10,7 @@ import (
"encoding/json" "encoding/json"
"encoding/pem" "encoding/pem"
"fmt" "fmt"
"net"
"net/http" "net/http"
"strings" "strings"
"time" "time"
@ -508,8 +509,19 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
return fatal(errors.New("private key is not a crypto.Signer")) return fatal(errors.New("private key is not a crypto.Signer"))
} }
// prepare the sans: IPv6 DNS hostname representations are converted to their IP representation
sans := make([]string, len(a.config.DNSNames))
for i, san := range a.config.DNSNames {
if strings.HasPrefix(san, "[") && strings.HasSuffix(san, "]") {
if ip := net.ParseIP(san[1 : len(san)-1]); ip != nil {
san = ip.String()
}
}
sans[i] = san
}
// Create initial certificate request. // Create initial certificate request.
cr, err := x509util.CreateCertificateRequest("Step Online CA", a.config.DNSNames, signer) cr, err := x509util.CreateCertificateRequest("Step Online CA", sans, signer)
if err != nil { if err != nil {
return fatal(err) return fatal(err)
} }
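Review bot: A bracketed entry that `net.ParseIP` rejects (a typo, a zone such as `[fe80::1%eth0]`, or `[::1]:443` where the trailing port also defeats the `HasSuffix` check) is passed through unchanged and, per the commit description, ends up as a DNS SAN that can never match a client's check, since `[` and `]` are not valid hostname characters. Since the operator typed the brackets to signal an IP literal, failing loudly at startup seems safer than silently issuing an unusable SAN; `fmt` and `fatal` are already in scope in this hunk. The loop comment also calls these "IPv6 DNS hostname representations", which they are not — I would reword it to `// prepare the SANs: bracketed IP literals ("[::1]") are unwrapped so they become IP SANs, not DNS SANs`. GetTLSCertificate starts before and ends after this hunk.
```go
for i, san := range a.config.DNSNames {
	if strings.HasPrefix(san, "[") && strings.HasSuffix(san, "]") {
		ip := net.ParseIP(san[1 : len(san)-1])
		if ip == nil {
			return fatal(fmt.Errorf("%q in dnsNames is not a valid IP address", san))
		}
		san = ip.String()
	}
	sans[i] = san
}
// … unchanged: CreateCertificateRequest call …
```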