From e0ba802f8033c46df66f4728819866f1757c54b9 Mon Sep 17 00:00:00 2001 From: Oliver Gould Date: Wed, 3 Apr 2019 13:54:50 -0700 Subject: [PATCH] proxy-identity: Set a CommonName on CSRs (#2626) Some CA's (like AWS) require a CN be set on the CSR. This change modifies proxy-identity to set the identity name as the CSR's CommonName. Fixes #2622 --- pkg/identity/service.go | 7 +++++-- proxy-identity/main.go | 8 ++++++-- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/pkg/identity/service.go b/pkg/identity/service.go index 8176864d6..cda8bf9c5 100644 --- a/pkg/identity/service.go +++ b/pkg/identity/service.go @@ -160,9 +160,12 @@ func checkCSR(csr *x509.CertificateRequest, identity string) error { return fmt.Errorf("CSR name does not match requested identity: csr=%s; req=%s", csr.DNSNames[0], identity) } - if csr.Subject.CommonName != "" { - return errors.New("CommonName must be empty") + switch csr.Subject.CommonName { + case "", identity: + default: + return fmt.Errorf("invalid CommonName: %s", csr.Subject.CommonName) } + if len(csr.EmailAddresses) > 0 { return errors.New("cannot validate email addresses") } diff --git a/proxy-identity/main.go b/proxy-identity/main.go index f254f51bc..cdc59ca05 100644 --- a/proxy-identity/main.go +++ b/proxy-identity/main.go @@ -4,6 +4,7 @@ import ( "crypto/ecdsa" "crypto/rand" "crypto/x509" + "crypto/x509/pkix" "errors" "flag" "fmt" @@ -120,12 +121,15 @@ func generateAndStoreKey(p string) (key *ecdsa.PrivateKey, err error) { } func generateAndStoreCSR(p, id string, key *ecdsa.PrivateKey) ([]byte, error) { + // TODO do proper DNS name validation. if id == "" { return nil, errors.New("a non-empty identity is required") } - // TODO do proper DNS name validation. - csr := x509.CertificateRequest{DNSNames: []string{id}} + csr := x509.CertificateRequest{ + Subject: pkix.Name{CommonName: id}, + DNSNames: []string{id}, + } csrb, err := x509.CreateCertificateRequest(rand.Reader, &csr, key) if err != nil { return nil, fmt.Errorf("failed to create CSR: %s", err)