mbiryukova/certificates
1
0
Fork 0
forked from TrueCloudLab/certificates
Code Pull requests Activity

SANS backwards compat when token missing sujbect SAN

Browse source
This commit is contained in:
max furman 2019-02-01 12:18:10 -06:00
parent e6e8443f3c
commit fe8c8614b2
1 changed files with 15 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
authority/authorize.go
View file

@ -120,6 +120,12 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
http.StatusUnauthorized, errContext} http.StatusUnauthorized, errContext}
} }
// `step ca token` should generate tokens where the subject is also in the
// sans. It should not be necessary to add to SANS if both certificates and
// cli are up to date. However, for backwards compatibility we will add
// the subject to the SANS if it is missing.
claims.SANS = appendIfMissingString(claims.SANS, claims.Subject)
dnsNames, ips := SplitSANS(claims.SANS) dnsNames, ips := SplitSANS(claims.SANS)
if err != nil { if err != nil {
return nil, err return nil, err
@ -164,6 +170,15 @@ func SplitSANS(sans []string) (dnsNames []string, ips []net.IP) {
return return
} }
func appendIfMissingString(slice []string, s string) []string {
for _, e := range slice {
if e == s {
return slice
}
}
return append(slice, s)
}
// authorizeRenewal tries to locate the step provisioner extension, and checks // authorizeRenewal tries to locate the step provisioner extension, and checks
// if for the configured provisioner, the renewal is enabled or not. If the // if for the configured provisioner, the renewal is enabled or not. If the
// extra extension cannot be found, authorize the renewal by default. // extra extension cannot be found, authorize the renewal by default.