From a748aaab1cad724717cb73a4e0a8e2f349ea154f Mon Sep 17 00:00:00 2001
From: Chen Zhiwei
Date: Fri, 27 Aug 2021 19:49:34 +0800
Subject: [PATCH] fix a bug when there is no SANs specified
---
 pkg/cert/common.go | 12 ++++++++++--
 pkg/cert/common_test.go | 33 +++++++++++++++++++++++++++++++++
 pkg/cert/generate.go | 5 -----
 pkg/cert/sign.go | 5 -----
 4 files changed, 43 insertions(+), 12 deletions(-)
diff --git a/pkg/cert/common.go b/pkg/cert/common.go
index 56f8772..5b7a28a 100644
--- a/pkg/cert/common.go
+++ b/pkg/cert/common.go
@@ -101,7 +101,7 @@ func NewCertInfo(duration time.Duration, sub, san, usage, extUsage string, isCA
 }
 certInfo.Duration = duration
- certInfo.DNSNames, certInfo.IPAddrs = getDNSNamesAndIPAddrs(san)
+ certInfo.DNSNames, certInfo.IPAddrs = getDNSNamesAndIPAddrs(san, subject.CommonName)
 return certInfo, nil
 }
@@ -311,7 +311,7 @@ func getExtKeyUsage(usage string) ([]x509.ExtKeyUsage, error) {
 return extKeyUsages, nil
 }
-func getDNSNamesAndIPAddrs(s string) ([]string, []net.IP) {
+func getDNSNamesAndIPAddrs(s, cn string) ([]string, []net.IP) {
 var dnsNames []string
 var ips []net.IP
@@ -336,6 +336,14 @@ func getDNSNamesAndIPAddrs(s string) ([]string, []net.IP) {
 }
 }
+ if len(dnsNames) == 0 && len(ips) == 0 {
+ if ip := net.ParseIP(cn); ip != nil {
+ ips = append(ips, ip)
+ } else {
+ dnsNames = append(dnsNames, strings.ToLower(cn))
+ }
+ }
+
 return dnsNames, ips
 }
diff --git a/pkg/cert/common_test.go b/pkg/cert/common_test.go
index ffbb8c0..e8156da 100644
--- a/pkg/cert/common_test.go
+++ b/pkg/cert/common_test.go
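Review bot: After this hunk NewCertInfo is the only place the CN-as-SAN fallback runs, because the same patch deletes the equivalent blocks from NewCACertKey and NewSignedCertKey; a CertInfo assembled without going through NewCertInfo (if the package permits that — I cannot see its other constructors) will now be signed with no SAN at all, which most current TLS clients reject when verifying a hostname. If that is the intended contract, a doc comment on NewCertInfo should say so, e.g. `// NewCertInfo ... When san yields no DNS names or IP addresses, the subject's CN becomes the single SAN: as an IP address if it parses as one, otherwise lower-cased as a DNS name.` The body of NewCertInfo begins before this hunk.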
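Review bot: The new `cn` parameter on getDNSNamesAndIPAddrs is undocumented, and nothing at the signature tells a reader that it is consulted only when `s` produces nothing. A doc comment above the function would settle it: `// getDNSNamesAndIPAddrs parses the SAN string s into DNS names and IP addresses. When s yields neither, cn (the subject common name) becomes the single SAN: as an IP address if it parses, otherwise lower-cased as a DNS name.` The function body continues past the end of this hunk.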
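Review bot: The fallback appends `strings.ToLower(cn)` unconditionally, so a subject with no CN ends up with DNSNames holding the empty string and the certificate with an empty dNSName SAN, unless the subject parsing earlier in NewCertInfo (outside this hunk) already rejects an empty CN; `net.ParseIP("")` returns nil, so the IP branch does not catch it. Guarding the fallback with `if len(dnsNames) == 0 && len(ips) == 0 && cn != "" {` avoids emitting a malformed name and leaves the no-SAN case visible to the caller, where returning an error from NewCertInfo is then the clearer choice. The enclosing function getDNSNamesAndIPAddrs starts before this hunk.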
@@ -72,6 +72,39 @@ func TestNewCertInfo(t *testing.T) {
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
 },
 },
+ {
+ subject: " CN= Root-CA/ C = / ST = Beijing / L= Haidian/ O = Root Inc /O=Union Inc ",
+ usage: "cRLSign , keyCertSign ",
+ extUsage: " clientAuth ,serverAuth ",
+ expect: &CertInfo{
+ Subject: &pkix.Name{
+ CommonName: "Root-CA",
+ Province: []string{"Beijing"},
+ Locality: []string{"Haidian"},
+ Organization: []string{"Root Inc", "Union Inc"},
+ },
+ DNSNames: []string{"root-ca"},
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+ },
+ },
+ {
+ subject: " CN= 192.168.122.10/ C = / ST = Beijing / L= Haidian/ O = Root Inc /O=Union Inc ",
+ usage: "cRLSign , keyCertSign ",
+ extUsage: " clientAuth ,serverAuth ",
+ expect: &CertInfo{
+ Subject: &pkix.Name{
+ CommonName: "192.168.122.10",
+ Province: []string{"Beijing"},
+ Locality: []string{"Haidian"},
+ Organization: []string{"Root Inc", "Union Inc"},
+ },
+ DNSNames: nil, // either nil or remove this assignment
+ IPAddrs: []net.IP{net.IPv4(192, 168, 122, 10)},
+ KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+ },
+ },
 }
 for _, test := range tests {
diff --git a/pkg/cert/generate.go b/pkg/cert/generate.go
index 6c2d99f..f765aae 100644
--- a/pkg/cert/generate.go
+++ b/pkg/cert/generate.go
@@ -6,7 +6,6 @@ import (
 "crypto/rsa"
 "crypto/x509"
 "encoding/pem"
- "strings"
 "time"
 )
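Review bot: `DNSNames: nil, // either nil or remove this assignment` in the second new case is a note to the author that has landed in the committed table; nil is the field's zero value, so the line should simply be dropped. The two new cases cover a hostname CN and an IPv4 CN but not the input the fallback handles worst, a subject without a CN, which as far as the common.go hunk shows ends up as `DNSNames: []string{""}` unless the subject parser rejects it; a case for that, with whichever outcome is intended, would pin the behaviour. The body of TestNewCertInfo continues outside the hunk.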
@@ -30,10 +29,6 @@ func NewCACertKey(certInfo *CertInfo, rsaKeySize int) ([]byte, []byte, error) {
 IPAddresses: certInfo.IPAddrs,
 }
- if len(template.DNSNames) == 0 {
- template.DNSNames = []string{strings.ToLower(certInfo.Subject.CommonName)}
- }
-
 certDERBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
 if err != nil {
 return nil, nil, err
diff --git a/pkg/cert/sign.go b/pkg/cert/sign.go
index b8dcb3a..1d98e9e 100644
--- a/pkg/cert/sign.go
+++ b/pkg/cert/sign.go
@@ -6,7 +6,6 @@ import (
 "crypto/rsa"
 "crypto/x509"
 "encoding/pem"
- "strings"
 "time"
 )
@@ -30,10 +29,6 @@ func NewSignedCertKey(caCert *x509.Certificate, caKey interface{}, certInfo *Cer
 IPAddresses: certInfo.IPAddrs,
 }
- if len(template.DNSNames) == 0 {
- template.DNSNames = []string{strings.ToLower(certInfo.Subject.CommonName)}
- }
-
 certDERBytes, err := x509.CreateCertificate(rand.Reader, &template, caCert, key.Public(), caKey)
 if err != nil {
 return nil, nil, err