|
5 | 5 | "crypto"
|
6 | 6 | "crypto/x509"
|
7 | 7 | "errors"
|
| 8 | + "net/netip" |
8 | 9 | "strings"
|
9 | 10 |
|
10 | 11 | "github.com/letsencrypt/boulder/core"
|
@@ -86,20 +87,27 @@ func VerifyCSR(ctx context.Context, csr *x509.CertificateRequest, maxNames int,
|
86 | 87 | }
|
87 | 88 |
|
88 | 89 | // CNFromCSR returns the lower-cased Subject Common Name from the CSR, if a
|
89 |
| -// short enough CN was provided. If it was too long, there will be no CN. If |
90 |
| -// none was provided, the CN will be the first SAN that is short enough, which |
91 |
| -// is done only for backwards compatibility with prior Let's Encrypt behaviour. |
| 90 | +// short enough CN was provided. If it was too long or appears to be an IP, |
| 91 | +// there will be no CN. If none was provided, the CN will be the first SAN that |
| 92 | +// is short enough, which is done only for backwards compatibility with prior |
| 93 | +// Let's Encrypt behaviour. |
92 | 94 | func CNFromCSR(csr *x509.CertificateRequest) string {
|
93 | 95 | if len(csr.Subject.CommonName) > maxCNLength {
|
94 | 96 | return ""
|
95 | 97 | }
|
96 | 98 |
|
97 | 99 | if csr.Subject.CommonName != "" {
|
| 100 | + _, err := netip.ParseAddr(csr.Subject.CommonName) |
| 101 | + if err == nil { // inverted; we're looking for successful parsing here |
| 102 | + return "" |
| 103 | + } |
| 104 | + |
98 | 105 | return strings.ToLower(csr.Subject.CommonName)
|
99 | 106 | }
|
100 | 107 |
|
101 |
| - // If there's no CN already, but we want to set one, promote the first SAN |
102 |
| - // which is shorter than the maximum acceptable CN length (if any). |
| 108 | + // If there's no CN already, but we want to set one, promote the first dnsName |
| 109 | + // SAN which is shorter than the maximum acceptable CN length (if any). We |
| 110 | + // will never promote an ipAddress SAN to the CN. |
103 | 111 | for _, name := range csr.DNSNames {
|
104 | 112 | if len(name) <= maxCNLength {
|
105 | 113 | return strings.ToLower(name)
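Review bot: The IP-literal guard added at new line 100 is not mirrored in the SAN promotion loop at new line 111, so a dNSName SAN whose string value happens to parse as an IP literal (a malformed CSR can encode one that way) would still be promoted and lower-cased into the CN, while the identical string in the Subject CN is now rejected; VerifyCSR may already reject such names before this point, but that is not visible from this hunk. Applying the same test inside the loop keeps the two paths consistent: `if _, err := netip.ParseAddr(name); err == nil { continue }` placed before `return strings.ToLower(name)`. Separately, the `// inverted; we're looking for successful parsing here` comment reads as an apology for the statement shape; folding the parse into the if header, `if _, err := netip.ParseAddr(csr.Subject.CommonName); err == nil {`, with a comment such as `// A CN that parses as an IP literal is never carried into the certificate.`, says the same thing idiomatically. Note that netip.ParseAddr also accepts zoned IPv6 literals (fe80::1%eth0), so those are dropped as well, which is the conservative outcome. CNFromCSR's closing lines are outside the hunk.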
|
|