diff --git a/certificates.go b/certificates.go
index f92d9b8f..427c3880 100644
--- a/certificates.go
+++ b/certificates.go
@@ -486,33 +486,26 @@ func fillCertFromLeaf(cert *Certificate, tlsCert tls.Certificate) error {
 		cert.Certificate.Leaf = leaf
 	}
 
-	// for convenience, we do want to assemble all the
-	// subjects on the certificate into one list
-	if leaf.Subject.CommonName != "" { // TODO: CommonName is deprecated
-		cert.Names = []string{strings.ToLower(leaf.Subject.CommonName)}
-	}
+	// for convenience, we do want to assemble all the subjects on the certificate
+	// into one list (except for CommonName, which has been deprecated for ~30 years,
+	// and becomes problematic in several instances, e.g. #356)
 	for _, name := range leaf.DNSNames {
-		if name != leaf.Subject.CommonName { // TODO: CommonName is deprecated
-			cert.Names = append(cert.Names, strings.ToLower(name))
-		}
+		cert.Names = append(cert.Names, strings.ToLower(name))
 	}
 	for _, ip := range leaf.IPAddresses {
-		if ipStr := ip.String(); ipStr != leaf.Subject.CommonName { // TODO: CommonName is deprecated
-			cert.Names = append(cert.Names, strings.ToLower(ipStr))
-		}
+		cert.Names = append(cert.Names, strings.ToLower(ip.String()))
 	}
 	for _, email := range leaf.EmailAddresses {
-		if email != leaf.Subject.CommonName { // TODO: CommonName is deprecated
-			cert.Names = append(cert.Names, strings.ToLower(email))
-		}
+		cert.Names = append(cert.Names, strings.ToLower(email))
 	}
 	for _, u := range leaf.URIs {
-		if u.String() != leaf.Subject.CommonName { // TODO: CommonName is deprecated
-			cert.Names = append(cert.Names, u.String())
-		}
+		cert.Names = append(cert.Names, u.String())
 	}
 	if len(cert.Names) == 0 {
-		return fmt.Errorf("certificate has no names")
+		if leaf.Subject.CommonName != "" {
+			return fmt.Errorf("certificate only has CommonName, which is not supported (deprecated in year 2000)")
+		}
+		return fmt.Errorf("certificate has no SANs")
 	}
 
 	cert.hash = hashCertificateChain(cert.Certificate.Certificate)
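Review bot: Nothing resets `cert.Names` before the SAN loops, so a `Certificate` that already carries names when it reaches fillCertFromLeaf keeps them and the `len(cert.Names) == 0` guard can no longer detect a leaf without SANs; the removed CommonName branch used to reassign the slice (only when a CN was present), so after this change the guard relies entirely on callers passing a fresh struct. Unless every caller is known to do that, add `cert.Names = nil` above the first `for` (or `cert.Names = cert.Names[:0]` if the backing array is meant to be reused). Dropping CommonName is the right call and matches crypto/x509, which has not honored CN in hostname verification since Go 1.15; a short comment citing that precedent next to the `#356` reference would save the next reader a search. fillCertFromLeaf starts before the hunk and continues after it.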
diff --git a/ocsp_test.go b/ocsp_test.go
index 4c3df27e..f444e784 100644
--- a/ocsp_test.go
+++ b/ocsp_test.go
@@ -14,26 +14,26 @@ import (
 )
 
 const certWithOCSPServer = `-----BEGIN CERTIFICATE-----
-MIIBgjCCASegAwIBAgICIAAwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHVGVzdCBD
-QTAeFw0yMzAxMDExMjAwMDBaFw0yMzAyMDExMjAwMDBaMCAxHjAcBgNVBAMTFU9D
-U1AgVGVzdCBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIoe
-I/bjo34qony8LdRJD+Jhuk8/S8YHXRHl6rH9t5VFCFtX8lIPN/Ll1zCrQ2KB3Wlb
-fxSgiQyLrCpZyrdhVPSjXzBdMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU+Eo3
-5sST4LRrwS4dueIdGBZ5d7IwLAYIKwYBBQUHAQEEIDAeMBwGCCsGAQUFBzABhhBv
-Y3NwLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDg94xY/+/VepESdvTT
-ykCwiWOS2aCpjyryrKpwMKkR0AIhAPc/+ZEz4W10OENxC1t+NUTvS8JbEGOwulkZ
-z9yfaLuD
+MIIBhDCCASqgAwIBAgICIAAwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHVGVzdCBD
+QTAeFw0yMzAxMDExMjAwMDBaFw0yMzAyMDExMjAwMDBaMAAwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAASKHiP246N+KqJ8vC3USQ/iYbpPP0vGB10R5eqx/beVRQhb
+V/JSDzfy5dcwq0Nigd1pW38UoIkMi6wqWcq3YVT0o4GBMH8wDAYDVR0TAQH/BAIw
+ADAfBgNVHSMEGDAWgBT4SjfmxJPgtGvBLh254h0YFnl3sjAgBgNVHREEGTAXghVP
+Q1NQIFRlc3QgQ2VydGlmaWNhdGUwLAYIKwYBBQUHAQEEIDAeMBwGCCsGAQUFBzAB
+hhBvY3NwLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIB58v3YIMZT2V63A
+yT6Pu/4BPAzYQdwHMt20cr3EH8UvAiEA6HrQYMzhSR20wAFyJhopcRkEaoWkO1ia
+lwi/iTExLvc=
 -----END CERTIFICATE-----`
 
 const certWithoutOCSPServer = `-----BEGIN CERTIFICATE-----
-MIIBUzCB+aADAgECAgIgADAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
-MB4XDTIzMDEwMTEyMDAwMFoXDTIzMDIwMTEyMDAwMFowIDEeMBwGA1UEAxMVT0NT
-UCBUZXN0IENlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEih4j
-9uOjfiqifLwt1EkP4mG6Tz9LxgddEeXqsf23lUUIW1fyUg838uXXMKtDYoHdaVt/
-FKCJDIusKlnKt2FU9KMxMC8wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBT4Sjfm
-xJPgtGvBLh254h0YFnl3sjAKBggqhkjOPQQDAgNJADBGAiEA3rWetLGblfSuNZKf
-5CpZxhj3A0BjEocEh+2P+nAgIdUCIQDIgptabR1qTLQaF2u0hJsEX2IKuIUvYWH3
-6Lb92+zIHg==
+MIIBUzCB+6ADAgECAgIgADAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
+MB4XDTIzMDEwMTEyMDAwMFoXDTIzMDIwMTEyMDAwMFowADBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABIoeI/bjo34qony8LdRJD+Jhuk8/S8YHXRHl6rH9t5VFCFtX
+8lIPN/Ll1zCrQ2KB3WlbfxSgiQyLrCpZyrdhVPSjUzBRMAwGA1UdEwEB/wQCMAAw
+HwYDVR0jBBgwFoAU+Eo35sST4LRrwS4dueIdGBZ5d7IwIAYDVR0RBBkwF4IVT0NT
+UCBUZXN0IENlcnRpZmljYXRlMAoGCCqGSM49BAMCA0cAMEQCIED/dOQDxqQuguR+
+MCyJvc5q6umr2kvVZi8/FJnb6Js/AiANZw75cefKnpRALcsRmIRFaN1fL3OQB4On
+9ChkZWfqaw==
 -----END CERTIFICATE-----`
 
 // certKey is the private key for both certWithOCSPServer and
@@ -47,14 +47,14 @@ AwEHoUQDQgAEih4j9uOjfiqifLwt1EkP4mG6Tz9LxgddEeXqsf23lUUIW1fyUg83
 // caCert is the issuing certificate for certWithOCSPServer and
 // certWithoutOCSPServer.
 const caCert = `-----BEGIN CERTIFICATE-----
-MIIBazCCARGgAwIBAgICEAAwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHVGVzdCBD
-QTAeFw0yMzAxMDExMjAwMDBaFw0yMzAyMDExMjAwMDBaMBIxEDAOBgNVBAMTB1Rl
-c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASdKexSor/aeazDM57UHhAX
-rCkJxUeF2BWf0lZYCRxc3f0GdrEsVvjJW8+/E06eAzDCGSdM/08Nvun1nb6AmAlt
-o1cwVTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0T
-AQH/BAUwAwEB/zAdBgNVHQ4EFgQU+Eo35sST4LRrwS4dueIdGBZ5d7IwCgYIKoZI
-zj0EAwIDSAAwRQIgGbA39+kETTB/YMLBFoC2fpZe1cDWfFB7TUdfINUqdH4CIQCR
-ByUFC8A+hRNkK5YNH78bgjnKk/88zUQF5ONy4oPGdQ==
+MIIBXDCCAQGgAwIBAgICEAAwCgYIKoZIzj0EAwIwADAeFw0yMzAxMDExMjAwMDBa
+Fw0yMzAyMDExMjAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASdKexS
+or/aeazDM57UHhAXrCkJxUeF2BWf0lZYCRxc3f0GdrEsVvjJW8+/E06eAzDCGSdM
+/08Nvun1nb6AmAlto2swaTAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYB
+BQUHAwkwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU+Eo35sST4LRrwS4dueId
+GBZ5d7IwEgYDVR0RBAswCYIHVGVzdCBDQTAKBggqhkjOPQQDAgNJADBGAiEAg9Dn
+GgrOdPS24IB3zTIc0AJN847vtDpQzL5srXMjdSsCIQC2rVnJUrtE4+C3O/xLIEtT
+IZ3GS4ii0f9W5zBT/FtkfA==
 -----END CERTIFICATE-----`
 
 const caKey = `-----BEGIN EC PRIVATE KEY-----
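Review bot: The regenerated fixtures drop the Subject DN entirely: decoding the DER, both leaf constants appear to carry an empty subject with the name moved into a dNSName SAN, and in the second hunk `caCert` appears to have an empty Issuer and Subject as well. RFC 5280 requires a non-empty issuer on every certificate and a non-empty subject on a CA, and the leaves' issuer (`CN=Test CA`) no longer matches the CA's subject, so name-based chain building through `x509.Verify` would not link them; presumably the OCSP tests only check the response signature against caCert's key, which is why this still passes, but that is worth confirming before the fixtures are reused elsewhere. A comment on `caCert` such as `// caCert is a deliberately minimal test CA with an empty Subject/Issuer; it matches the leaf certificates by key identifier only, not by name.` would explain the shape to the next person who regenerates these.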