Check IPAddresses and EmailAddresses in Certificate.MatchesCSR

core/objects.go

@@ -12,6 +12,7 @@ import (
 	"encoding/json"
 	"fmt"
 	jose "github.com/letsencrypt/boulder/Godeps/_workspace/src/github.com/square/go-jose"
+	"net"
 	"path/filepath"
 	"sort"
 	"strings"
@@ -89,6 +90,22 @@ func cmpExtKeyUsageSlice(a, b []x509.ExtKeyUsage) bool {
 	return true
 }
 
+func cmpIPSlice(a, b []net.IP) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	testMap := make(map[string]bool, len(a))
+	for i := range a {
+		testMap[a[i].String()] = true
+	}
+	for i := range b {
+		if !testMap[b[i].String()] {
+			return false
+		}
+	}
+	return true
+}
+
 // An AcmeIdentifier encodes an identifier that can
 // be validated by ACME.  The protocol allows for different
 // types of identifier to be supported (DNS names, IP
@@ -442,6 +459,14 @@ func (cert Certificate) MatchesCSR(csr *x509.CertificateRequest, earliestExpiry
 		err = InternalServerError("Generated certificate DNSNames don't match CSR DNSNames")
 		return
 	}
+	if !cmpIPSlice(parsedCertificate.IPAddresses, csr.IPAddresses) {
+		err = InternalServerError("Generated certificate IPAddresses don't match CSR IPAddresses")
+		return
+	}
+	if !cmpStrSlice(parsedCertificate.EmailAddresses, csr.EmailAddresses) {
+		err = InternalServerError("Generated certificate EmailAddresses don't match CSR EmailAddresses")
+		return
+	}
 	if len(parsedCertificate.Subject.Country) > 0 || len(parsedCertificate.Subject.Organization) > 0 ||
 		len(parsedCertificate.Subject.OrganizationalUnit) > 0 || len(parsedCertificate.Subject.Locality) > 0 ||
 		len(parsedCertificate.Subject.Province) > 0 || len(parsedCertificate.Subject.StreetAddress) > 0 ||