Remove CommonName support in leaf certs (fix #356)

certificates.go

@@ -486,33 +486,26 @@ func fillCertFromLeaf(cert *Certificate, tlsCert tls.Certificate) error {
 		cert.Certificate.Leaf = leaf
 	}
 
-	// for convenience, we do want to assemble all the
-	// subjects on the certificate into one list
-	if leaf.Subject.CommonName != "" { // TODO: CommonName is deprecated
-		cert.Names = []string{strings.ToLower(leaf.Subject.CommonName)}
-	}
+	// for convenience, we do want to assemble all the subjects on the certificate
+	// into one list (except for CommonName, which has been deprecated for ~30 years,
+	// and becomes problematic in several instances, e.g. #356)
 	for _, name := range leaf.DNSNames {
-		if name != leaf.Subject.CommonName { // TODO: CommonName is deprecated
-			cert.Names = append(cert.Names, strings.ToLower(name))
-		}
+		cert.Names = append(cert.Names, strings.ToLower(name))
 	}
 	for _, ip := range leaf.IPAddresses {
-		if ipStr := ip.String(); ipStr != leaf.Subject.CommonName { // TODO: CommonName is deprecated
-			cert.Names = append(cert.Names, strings.ToLower(ipStr))
-		}
+		cert.Names = append(cert.Names, strings.ToLower(ip.String()))
 	}
 	for _, email := range leaf.EmailAddresses {
-		if email != leaf.Subject.CommonName { // TODO: CommonName is deprecated
-			cert.Names = append(cert.Names, strings.ToLower(email))
-		}
+		cert.Names = append(cert.Names, strings.ToLower(email))
 	}
 	for _, u := range leaf.URIs {
-		if u.String() != leaf.Subject.CommonName { // TODO: CommonName is deprecated
-			cert.Names = append(cert.Names, u.String())
-		}
+		cert.Names = append(cert.Names, u.String())
 	}
 	if len(cert.Names) == 0 {
-		return fmt.Errorf("certificate has no names")
+		if leaf.Subject.CommonName != "" {
+			return fmt.Errorf("certificate only has CommonName, which is not supported (deprecated in year 2000)")
+		}
+		return fmt.Errorf("certificate has no SANs")
 	}
 
 	cert.hash = hashCertificateChain(cert.Certificate.Certificate)

ocsp_test.go

@@ -14,26 +14,26 @@ import (
 )
 
 const certWithOCSPServer = `-----BEGIN CERTIFICATE-----
-MIIBgjCCASegAwIBAgICIAAwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHVGVzdCBD
-QTAeFw0yMzAxMDExMjAwMDBaFw0yMzAyMDExMjAwMDBaMCAxHjAcBgNVBAMTFU9D
-U1AgVGVzdCBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIoe
-I/bjo34qony8LdRJD+Jhuk8/S8YHXRHl6rH9t5VFCFtX8lIPN/Ll1zCrQ2KB3Wlb
-fxSgiQyLrCpZyrdhVPSjXzBdMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU+Eo3
-5sST4LRrwS4dueIdGBZ5d7IwLAYIKwYBBQUHAQEEIDAeMBwGCCsGAQUFBzABhhBv
-Y3NwLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0kAMEYCIQDg94xY/+/VepESdvTT
-ykCwiWOS2aCpjyryrKpwMKkR0AIhAPc/+ZEz4W10OENxC1t+NUTvS8JbEGOwulkZ
-z9yfaLuD
+MIIBhDCCASqgAwIBAgICIAAwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHVGVzdCBD
+QTAeFw0yMzAxMDExMjAwMDBaFw0yMzAyMDExMjAwMDBaMAAwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAASKHiP246N+KqJ8vC3USQ/iYbpPP0vGB10R5eqx/beVRQhb
+V/JSDzfy5dcwq0Nigd1pW38UoIkMi6wqWcq3YVT0o4GBMH8wDAYDVR0TAQH/BAIw
+ADAfBgNVHSMEGDAWgBT4SjfmxJPgtGvBLh254h0YFnl3sjAgBgNVHREEGTAXghVP
+Q1NQIFRlc3QgQ2VydGlmaWNhdGUwLAYIKwYBBQUHAQEEIDAeMBwGCCsGAQUFBzAB
+hhBvY3NwLmV4YW1wbGUuY29tMAoGCCqGSM49BAMCA0gAMEUCIB58v3YIMZT2V63A
+yT6Pu/4BPAzYQdwHMt20cr3EH8UvAiEA6HrQYMzhSR20wAFyJhopcRkEaoWkO1ia
+lwi/iTExLvc=
 -----END CERTIFICATE-----`
 
 const certWithoutOCSPServer = `-----BEGIN CERTIFICATE-----
-MIIBUzCB+aADAgECAgIgADAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
-MB4XDTIzMDEwMTEyMDAwMFoXDTIzMDIwMTEyMDAwMFowIDEeMBwGA1UEAxMVT0NT
-UCBUZXN0IENlcnRpZmljYXRlMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEih4j
-9uOjfiqifLwt1EkP4mG6Tz9LxgddEeXqsf23lUUIW1fyUg838uXXMKtDYoHdaVt/
-FKCJDIusKlnKt2FU9KMxMC8wDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBT4Sjfm
-xJPgtGvBLh254h0YFnl3sjAKBggqhkjOPQQDAgNJADBGAiEA3rWetLGblfSuNZKf
-5CpZxhj3A0BjEocEh+2P+nAgIdUCIQDIgptabR1qTLQaF2u0hJsEX2IKuIUvYWH3
-6Lb92+zIHg==
+MIIBUzCB+6ADAgECAgIgADAKBggqhkjOPQQDAjASMRAwDgYDVQQDEwdUZXN0IENB
+MB4XDTIzMDEwMTEyMDAwMFoXDTIzMDIwMTEyMDAwMFowADBZMBMGByqGSM49AgEG
+CCqGSM49AwEHA0IABIoeI/bjo34qony8LdRJD+Jhuk8/S8YHXRHl6rH9t5VFCFtX
+8lIPN/Ll1zCrQ2KB3WlbfxSgiQyLrCpZyrdhVPSjUzBRMAwGA1UdEwEB/wQCMAAw
+HwYDVR0jBBgwFoAU+Eo35sST4LRrwS4dueIdGBZ5d7IwIAYDVR0RBBkwF4IVT0NT
+UCBUZXN0IENlcnRpZmljYXRlMAoGCCqGSM49BAMCA0cAMEQCIED/dOQDxqQuguR+
+MCyJvc5q6umr2kvVZi8/FJnb6Js/AiANZw75cefKnpRALcsRmIRFaN1fL3OQB4On
+9ChkZWfqaw==
 -----END CERTIFICATE-----`
 
 // certKey is the private key for both certWithOCSPServer and
@@ -47,14 +47,14 @@ AwEHoUQDQgAEih4j9uOjfiqifLwt1EkP4mG6Tz9LxgddEeXqsf23lUUIW1fyUg83
 // caCert is the issuing certificate for certWithOCSPServer and
 // certWithoutOCSPServer.
 const caCert = `-----BEGIN CERTIFICATE-----
-MIIBazCCARGgAwIBAgICEAAwCgYIKoZIzj0EAwIwEjEQMA4GA1UEAxMHVGVzdCBD
-QTAeFw0yMzAxMDExMjAwMDBaFw0yMzAyMDExMjAwMDBaMBIxEDAOBgNVBAMTB1Rl
-c3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASdKexSor/aeazDM57UHhAX
-rCkJxUeF2BWf0lZYCRxc3f0GdrEsVvjJW8+/E06eAzDCGSdM/08Nvun1nb6AmAlt
-o1cwVTAOBgNVHQ8BAf8EBAMCAQYwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDwYDVR0T
-AQH/BAUwAwEB/zAdBgNVHQ4EFgQU+Eo35sST4LRrwS4dueIdGBZ5d7IwCgYIKoZI
-zj0EAwIDSAAwRQIgGbA39+kETTB/YMLBFoC2fpZe1cDWfFB7TUdfINUqdH4CIQCR
-ByUFC8A+hRNkK5YNH78bgjnKk/88zUQF5ONy4oPGdQ==
+MIIBXDCCAQGgAwIBAgICEAAwCgYIKoZIzj0EAwIwADAeFw0yMzAxMDExMjAwMDBa
+Fw0yMzAyMDExMjAwMDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASdKexS
+or/aeazDM57UHhAXrCkJxUeF2BWf0lZYCRxc3f0GdrEsVvjJW8+/E06eAzDCGSdM
+/08Nvun1nb6AmAlto2swaTAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYB
+BQUHAwkwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU+Eo35sST4LRrwS4dueId
+GBZ5d7IwEgYDVR0RBAswCYIHVGVzdCBDQTAKBggqhkjOPQQDAgNJADBGAiEAg9Dn
+GgrOdPS24IB3zTIc0AJN847vtDpQzL5srXMjdSsCIQC2rVnJUrtE4+C3O/xLIEtT
+IZ3GS4ii0f9W5zBT/FtkfA==
 -----END CERTIFICATE-----`
 
 const caKey = `-----BEGIN EC PRIVATE KEY-----