From 038b391629c6e7970c95d6a8520a2dad47200ec8 Mon Sep 17 00:00:00 2001
From: Boran Car
Date: Mon, 25 Oct 2021 19:25:16 +0000
Subject: [PATCH] [BENG-34] security/ticket: add CN to SAN Summary: Newer versions of Go have deprecated and removed CN and advise: `x509: certificate relies on legacy Common Name field, use SANs instead` so follow that advice and add CN to SAN in generic case. Reviewers: dborcherding, sdunn, bbentson, anguyen, gvitta, pboyapalli, aeiser, O9 ticket-server, smahadevan Reviewed By: bbentson, aeiser, O9 ticket-server Subscribers: smahadevan Differential Revision: https://phabricator.grailbio.com/D66398 fbshipit-source-id: 6609f98
---
 security/ticket/tls.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/security/ticket/tls.go b/security/ticket/tls.go
index 1d4e0ed8..027b0980 100644
--- a/security/ticket/tls.go
+++ b/security/ticket/tls.go
@@ -92,6 +92,16 @@ func (b *TlsCertAuthorityBuilder) genTlsCredentials(ctx *TicketContext) (TlsCred
 return b.genTlsCredentialsWithKeyUsage(ctx, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
 }
 
+func contains(array []string, entry string) bool {
+ for _, e := range array {
+ if e == entry {
+ return true
+ }
+ }
+
+ return false
+}
+
 func (b *TlsCertAuthorityBuilder) genTlsCredentialsWithKeyUsage(ctx *TicketContext, keyUsage []x509.ExtKeyUsage) (TlsCredentials, error) {
 empty := TlsCredentials{}
 
@@ -108,7 +118,11 @@ func (b *TlsCertAuthorityBuilder) genTlsCredentialsWithKeyUsage(ctx *TicketConte
 if commonName == "" {
 commonName = ctx.remoteBlessings.String()
 }
-cert, key, err := authority.IssueWithKeyUsage(commonName, ttl, nil, b.San, keyUsage)
+ updatedSan := b.San
+ if !contains(updatedSan, commonName) {
+ updatedSan = append(updatedSan, commonName)
+ }
+ cert, key, err := authority.IssueWithKeyUsage(commonName, ttl, nil, updatedSan, keyUsage)
 if err != nil {
 return empty, err
 }
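Review bot: The new package-level helper `contains` has no doc comment, and its generic name does not say that it exists only to keep the common name from being added to the SAN list twice. A one-line comment would cover it, for example `// contains reports whether entry appears in array, using an exact, case-sensitive comparison.` The comparison is byte-exact, so a SAN entry that differs from the common name only in letter case is treated as absent and the name is appended as a second entry; that looks harmless, but the comment should say so.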
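Review bot: `updatedSan := b.San` shares the builder's backing array, so the `append` two lines later can write `commonName` into spare capacity of `b.San` itself rather than into a private copy. When `b.CommonName` is empty the name comes from `ctx.remoteBlessings.String()` and differs per caller, so two concurrent requests could overwrite each other's slot and one could be issued a certificate whose SAN carries the other caller's name; whether `b.San` ever has spare capacity is not visible in this hunk. Copying first removes the question: `updatedSan := append([]string(nil), b.San...)`. It is also worth confirming how `IssueWithKeyUsage` encodes these entries, since the fallback value is a blessing string rather than a host name and that function is outside the diff. genTlsCredentialsWithKeyUsage starts above this hunk and continues below it.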