fix a bug when there is no SANs specified

chenzhiwei · Aug 27, 2021 · a748aaa · a748aaa
1 parent 89f1a52
commit a748aaa
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 12 deletions.
diff --git a/pkg/cert/common.go b/pkg/cert/common.go
@@ -101,7 +101,7 @@ func NewCertInfo(duration time.Duration, sub, san, usage, extUsage string, isCA
 	}
 
 	certInfo.Duration = duration
-	certInfo.DNSNames, certInfo.IPAddrs = getDNSNamesAndIPAddrs(san)
+	certInfo.DNSNames, certInfo.IPAddrs = getDNSNamesAndIPAddrs(san, subject.CommonName)
 
 	return certInfo, nil
 }
@@ -311,7 +311,7 @@ func getExtKeyUsage(usage string) ([]x509.ExtKeyUsage, error) {
 	return extKeyUsages, nil
 }
 
-func getDNSNamesAndIPAddrs(s string) ([]string, []net.IP) {
+func getDNSNamesAndIPAddrs(s, cn string) ([]string, []net.IP) {
 	var dnsNames []string
 	var ips []net.IP
 
@@ -336,6 +336,14 @@ func getDNSNamesAndIPAddrs(s string) ([]string, []net.IP) {
 		}
 	}
 
+	if len(dnsNames) == 0 && len(ips) == 0 {
+		if ip := net.ParseIP(cn); ip != nil {
+			ips = append(ips, ip)
+		} else {
+			dnsNames = append(dnsNames, strings.ToLower(cn))
+		}
+	}
+
 	return dnsNames, ips
 }
 

diff --git a/pkg/cert/common_test.go b/pkg/cert/common_test.go
@@ -72,6 +72,39 @@ func TestNewCertInfo(t *testing.T) {
 				ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 			},
 		},
+		{
+			subject:  " CN= Root-CA/ C = / ST = Beijing  / L= Haidian/ O = Root Inc /O=Union Inc ",
+			usage:    "cRLSign  , keyCertSign  ",
+			extUsage: " clientAuth  ,serverAuth  ",
+			expect: &CertInfo{
+				Subject: &pkix.Name{
+					CommonName:   "Root-CA",
+					Province:     []string{"Beijing"},
+					Locality:     []string{"Haidian"},
+					Organization: []string{"Root Inc", "Union Inc"},
+				},
+				DNSNames:    []string{"root-ca"},
+				KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+				ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+			},
+		},
+		{
+			subject:  " CN= 192.168.122.10/ C = / ST = Beijing  / L= Haidian/ O = Root Inc /O=Union Inc ",
+			usage:    "cRLSign  , keyCertSign  ",
+			extUsage: " clientAuth  ,serverAuth  ",
+			expect: &CertInfo{
+				Subject: &pkix.Name{
+					CommonName:   "192.168.122.10",
+					Province:     []string{"Beijing"},
+					Locality:     []string{"Haidian"},
+					Organization: []string{"Root Inc", "Union Inc"},
+				},
+				DNSNames:    nil, // either nil or remove this assignment
+				IPAddrs:     []net.IP{net.IPv4(192, 168, 122, 10)},
+				KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+				ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+			},
+		},
 	}
 
 	for _, test := range tests {

diff --git a/pkg/cert/generate.go b/pkg/cert/generate.go
@@ -6,7 +6,6 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"strings"
 	"time"
 )
 
@@ -30,10 +29,6 @@ func NewCACertKey(certInfo *CertInfo, rsaKeySize int) ([]byte, []byte, error) {
 		IPAddresses:           certInfo.IPAddrs,
 	}
 
-	if len(template.DNSNames) == 0 {
-		template.DNSNames = []string{strings.ToLower(certInfo.Subject.CommonName)}
-	}
-
 	certDERBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
 	if err != nil {
 		return nil, nil, err

diff --git a/pkg/cert/sign.go b/pkg/cert/sign.go
@@ -6,7 +6,6 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
-	"strings"
 	"time"
 )
 
@@ -30,10 +29,6 @@ func NewSignedCertKey(caCert *x509.Certificate, caKey interface{}, certInfo *Cer
 		IPAddresses:           certInfo.IPAddrs,
 	}
 
-	if len(template.DNSNames) == 0 {
-		template.DNSNames = []string{strings.ToLower(certInfo.Subject.CommonName)}
-	}
-
 	certDERBytes, err := x509.CreateCertificate(rand.Reader, &template, caCert, key.Public(), caKey)
 	if err != nil {
 		return nil, nil, err