Commit c75ee000 authored by Matthew Holt's avatar Matthew Holt

Fix edge case in stapling; do not allow certs without any names

parent 8cdc65ed
...@@ -167,12 +167,28 @@ func makeCertificate(certPEMBlock, keyPEMBlock []byte) (Certificate, error) { ...@@ -167,12 +167,28 @@ func makeCertificate(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
if len(tlsCert.Certificate) == 0 { if len(tlsCert.Certificate) == 0 {
return cert, errors.New("certificate is empty") return cert, errors.New("certificate is empty")
} }
cert.Certificate = tlsCert
// Parse leaf certificate and extract relevant metadata // Parse leaf certificate, extract relevant metadata, and staple OCSP
leaf, err := x509.ParseCertificate(tlsCert.Certificate[0]) leaf, err := x509.ParseCertificate(tlsCert.Certificate[0])
if err != nil { if err != nil {
return cert, err return cert, err
} }
err = fillCertFromLeaf(&cert, leaf)
if err != nil {
return cert, err
}
err = stapleOCSP(&cert, certPEMBlock)
if err != nil {
log.Printf("[WARNING] Stapling OCSP: %v", err)
}
return cert, nil
}
// fillCertFromLeaf populates cert.Names and cert.NotAfter
// using data in leaf.
func fillCertFromLeaf(cert *Certificate, leaf *x509.Certificate) error {
if leaf.Subject.CommonName != "" { if leaf.Subject.CommonName != "" {
cert.Names = []string{strings.ToLower(leaf.Subject.CommonName)} cert.Names = []string{strings.ToLower(leaf.Subject.CommonName)}
} }
...@@ -181,15 +197,21 @@ func makeCertificate(certPEMBlock, keyPEMBlock []byte) (Certificate, error) { ...@@ -181,15 +197,21 @@ func makeCertificate(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
cert.Names = append(cert.Names, strings.ToLower(name)) cert.Names = append(cert.Names, strings.ToLower(name))
} }
} }
cert.NotAfter = leaf.NotAfter for _, ip := range leaf.IPAddresses {
cert.Certificate = tlsCert if ipStr := ip.String(); ipStr != leaf.Subject.CommonName {
cert.Names = append(cert.Names, strings.ToLower(ipStr))
err = stapleOCSP(&cert, certPEMBlock)
if err != nil {
log.Printf("[WARNING] Stapling OCSP: %v", err)
} }
}
return cert, nil for _, email := range leaf.EmailAddresses {
if email != leaf.Subject.CommonName {
cert.Names = append(cert.Names, strings.ToLower(email))
}
}
if len(cert.Names) == 0 {
return errors.New("certificate has no names")
}
cert.NotAfter = leaf.NotAfter
return nil
} }
// cacheCertificate adds cert to the in-memory cache. If the cache is // cacheCertificate adds cert to the in-memory cache. If the cache is
......
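Review bot: In the second hunk the IP and e-mail SANs are de-duplicated against `leaf.Subject.CommonName` with a case-sensitive compare, but the value appended to `cert.Names` is lowercased, so a CN and a SAN that differ only in case (e.g. `User@Example.com` vs `user@example.com`) both end up in `cert.Names` as the same lowercase string; the DNSNames loop above it appears to follow the same pattern. Lowercase the CN once at the top of fillCertFromLeaf, `cn := strings.ToLower(leaf.Subject.CommonName)`, and compare the lowercased candidate against `cn` in each loop. fillCertFromLeaf spans both hunks of this file, with its DNSNames loop mostly outside the visible lines, so the suggestion applies to the elided part as well. It is also worth a comment on the function stating that e-mail SANs are now part of Names; if Names feeds a hostname-keyed certificate lookup elsewhere, an e-mail entry can never match a host name and only widens the key set, which I cannot confirm from here.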
...@@ -89,7 +89,11 @@ func stapleOCSP(cert *Certificate, pemBundle []byte) error { ...@@ -89,7 +89,11 @@ func stapleOCSP(cert *Certificate, pemBundle []byte) error {
// First try to load OCSP staple from storage and see if // First try to load OCSP staple from storage and see if
// we can still use it. // we can still use it.
// TODO: Use Storage interface instead of disk directly // TODO: Use Storage interface instead of disk directly
ocspFileName := cert.Names[0] + "-" + fastHash(pemBundle) var ocspFileNamePrefix string
if len(cert.Names) > 0 {
ocspFileNamePrefix = cert.Names[0] + "-"
}
ocspFileName := ocspFileNamePrefix + fastHash(pemBundle)
ocspCachePath := filepath.Join(ocspFolder, ocspFileName) ocspCachePath := filepath.Join(ocspFolder, ocspFileName)
cachedOCSP, err := ioutil.ReadFile(ocspCachePath) cachedOCSP, err := ioutil.ReadFile(ocspCachePath)
if err == nil { if err == nil {
......
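Review bot: `cert.Names[0]` is used verbatim as a file-name prefix under `ocspFolder`; it comes from the certificate's CommonName or first SAN, which is free-form text and may contain `/` (or `\` on Windows), so `filepath.Join` would resolve the staple path outside `ocspFolder`. The new `len(cert.Names) > 0` guard keeps the indexing safe but does not address this; replace path separators before use, e.g. `ocspFileNamePrefix = strings.Replace(cert.Names[0], "/", "_", -1) + "-"` (and likewise for `\`), or drop the name prefix and rely on `fastHash(pemBundle)` alone, which already identifies the bundle. A short comment such as `// Names[0] is untrusted text; it must not introduce path components` would make the intent clear to the next maintainer. This hunk only shows the read side; if the same path is later written, the same sanitization applies there.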