[BENG-34] security/ticket: add CN to SAN
Summary:
Newer versions of Go have deprecated and removed CN and advise:
`x509: certificate relies on legacy Common Name field, use SANs instead`
so follow that advice and add CN to SAN in generic case.

Reviewers: dborcherding, sdunn, bbentson, anguyen, gvitta, pboyapalli, aeiser, O9 ticket-server, smahadevan

Reviewed By: bbentson, aeiser, O9 ticket-server

Subscribers: smahadevan

Differential Revision: https://phabricator.grailbio.com/D66398

fbshipit-source-id: 6609f98
Boran Car authored and jcharum committed Jun 2, 2022
1 parent 2a979ca commit 038b391
Showing 1 changed file with 15 additions and 1 deletion.
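--- a/security/ticket/tls.go
+++ b/security/ticket/tls.go
@@ -92,6 +92,16 @@ func (b *TlsCertAuthorityBuilder) genTlsCredentials(ctx *TicketContext) (TlsCred
 return b.genTlsCredentialsWithKeyUsage(ctx, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
 }
 
+func contains(array []string, entry string) bool {
+for _, e := range array {
+if e == entry {
+return true
+}
+}
+
+return false
+}
+
 func (b *TlsCertAuthorityBuilder) genTlsCredentialsWithKeyUsage(ctx *TicketContext, keyUsage []x509.ExtKeyUsage) (TlsCredentials, error) {
 empty := TlsCredentials{}
 
@@ -108,7 +118,11 @@ func (b *TlsCertAuthorityBuilder) genTlsCredentialsWithKeyUsage(ctx *TicketConte
 if commonName == "" {
 commonName = ctx.remoteBlessings.String()
 }
-cert, key, err := authority.IssueWithKeyUsage(commonName, ttl, nil, b.San, keyUsage)
+updatedSan := b.San
+if !contains(updatedSan, commonName) {
+updatedSan = append(updatedSan, commonName)
+}
+cert, key, err := authority.IssueWithKeyUsage(commonName, ttl, nil, updatedSan, keyUsage)
 if err != nil {
 return empty, err
 }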
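Review bot: `updatedSan := b.San` in the second hunk shares the builder's backing array, so whenever `b.San` has spare capacity the `append` two lines later writes `commonName` into storage that every other call on the same builder also appends into. If this method can run concurrently, one request's certificate could be issued with another request's name in its SAN list; whether `b.San` ever has spare capacity is not visible from here. Copying before the append removes the aliasing, e.g. `updatedSan := append([]string(nil), b.San...)`. Separately, when `commonName` falls back to `ctx.remoteBlessings.String()` that value now lands in the SAN list too, so it is worth confirming how `IssueWithKeyUsage` encodes an entry that is not a hostname. The body of `genTlsCredentialsWithKeyUsage` starts and ends outside the hunk.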