Fix edge case in stapling; do not allow certs without any names

2024-11-26 02:09:47 +08:00 · 2016-08-19 13:42:48 -06:00 · 2016-08-19 13:42:48 -06:00 · c75ee0000e
commit c75ee0000e
parent 8cdc65edd2
2 changed files with 36 additions and 10 deletions
--- a/caddytls/certificates.go
+++ b/caddytls/certificates.go
@ -167,12 +167,28 @@ func makeCertificate(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
 	if len(tlsCert.Certificate) == 0 {
 		return cert, errors.New("certificate is empty")
 	}
 	cert.Certificate = tlsCert
-	// Parse leaf certificate and extract relevant metadata
+	// Parse leaf certificate, extract relevant metadata, and staple OCSP
 	leaf, err := x509.ParseCertificate(tlsCert.Certificate[0])
 	if err != nil {
 		return cert, err
 	}
 	err = fillCertFromLeaf(&cert, leaf)
 	if err != nil {
 		return cert, err
 	}
 	err = stapleOCSP(&cert, certPEMBlock)
 	if err != nil {
 		log.Printf("[WARNING] Stapling OCSP: %v", err)
 	}
 	return cert, nil
 }
 // fillCertFromLeaf populates cert.Names and cert.NotAfter
 // using data in leaf.
 func fillCertFromLeaf(cert *Certificate, leaf *x509.Certificate) error {
 	if leaf.Subject.CommonName != "" {
 		cert.Names = []string{strings.ToLower(leaf.Subject.CommonName)}
 	}
@ -181,15 +197,21 @@ func makeCertificate(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
 			cert.Names = append(cert.Names, strings.ToLower(name))
 		}
 	}
-	cert.NotAfter = leaf.NotAfter
+	for _, ip := range leaf.IPAddresses {
-	cert.Certificate = tlsCert
+		if ipStr := ip.String(); ipStr != leaf.Subject.CommonName {
-
+			cert.Names = append(cert.Names, strings.ToLower(ipStr))
-	err = stapleOCSP(&cert, certPEMBlock)
+		}
 	if err != nil {
 		log.Printf("[WARNING] Stapling OCSP: %v", err)
 	}
-
+	for _, email := range leaf.EmailAddresses {
-	return cert, nil
+		if email != leaf.Subject.CommonName {
 			cert.Names = append(cert.Names, strings.ToLower(email))
 		}
 	}
 	if len(cert.Names) == 0 {
 		return errors.New("certificate has no names")
 	}
 	cert.NotAfter = leaf.NotAfter
 	return nil
 }
 // cacheCertificate adds cert to the in-memory cache. If the cache is
--- a/caddytls/crypto.go
+++ b/caddytls/crypto.go
@ -89,7 +89,11 @@ func stapleOCSP(cert *Certificate, pemBundle []byte) error {
 	// First try to load OCSP staple from storage and see if
 	// we can still use it.
 	// TODO: Use Storage interface instead of disk directly
-	ocspFileName := cert.Names[0] + "-" + fastHash(pemBundle)
+	var ocspFileNamePrefix string
 	if len(cert.Names) > 0 {
 		ocspFileNamePrefix = cert.Names[0] + "-"
 	}
 	ocspFileName := ocspFileNamePrefix + fastHash(pemBundle)
 	ocspCachePath := filepath.Join(ocspFolder, ocspFileName)
 	cachedOCSP, err := ioutil.ReadFile(ocspCachePath)
 	if err == nil {