Add ability to exclude adding the CN to SANs.

Fixes #1220
2025-11-02 03:27:54 +00:00 · 2016-03-17 16:28:40 -04:00
parent 2d48377014
commit 5b0d85dbf3
3 changed files with 61 additions and 9 deletions
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -557,6 +557,48 @@ func generateURLSteps(t *testing.T, caCert, caKey string, intdata, reqdata map[s
 					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
 				case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
 					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
+				case !reflect.DeepEqual([]string{"Intermediate Cert"}, cert.DNSNames):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", []string{"Intermediate Cert"}, cert.DNSNames)
+				}
+
+				return nil
+			},
+		},
+
+		// Same as above but exclude adding to sans
+		logicaltest.TestStep{
+			Operation: logical.UpdateOperation,
+			Path:      "root/sign-intermediate",
+			Data: map[string]interface{}{
+				"common_name":          "Intermediate Cert",
+				"csr":                  string(csrPem2048),
+				"format":               "der",
+				"exclude_cn_from_sans": true,
+			},
+			Check: func(resp *logical.Response) error {
+				certString := resp.Data["certificate"].(string)
+				if certString == "" {
+					return fmt.Errorf("no certificate returned")
+				}
+				certBytes, _ := base64.StdEncoding.DecodeString(certString)
+				certs, err := x509.ParseCertificates(certBytes)
+				if err != nil {
+					return fmt.Errorf("returned cert cannot be parsed: %v", err)
+				}
+				if len(certs) != 1 {
+					return fmt.Errorf("unexpected returned length of certificates: %d", len(certs))
+				}
+				cert := certs[0]
+
+				switch {
+				case !reflect.DeepEqual(expected.IssuingCertificates, cert.IssuingCertificateURL):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.IssuingCertificates, cert.IssuingCertificateURL)
+				case !reflect.DeepEqual(expected.CRLDistributionPoints, cert.CRLDistributionPoints):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.CRLDistributionPoints, cert.CRLDistributionPoints)
+				case !reflect.DeepEqual(expected.OCSPServers, cert.OCSPServer):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", expected.OCSPServers, cert.OCSPServer)
+				case !reflect.DeepEqual([]string(nil), cert.DNSNames):
+					return fmt.Errorf("expected\n%#v\ngot\n%#v\n", []string(nil), cert.DNSNames)
 				}

 				return nil
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -559,15 +559,17 @@ func generateCreationBundle(b *backend,
 	dnsNames := []string{}
 	emailAddresses := []string{}
 	{
-		if strings.Contains(cn, "@") {
-			// Note: emails are not disallowed if the role's email protection
-			// flag is false, because they may well be included for
-			// informational purposes; it is up to the verifying party to
-			// ensure that email addresses in a subject alternate name can be
-			// used for the purpose for which they are presented
-			emailAddresses = append(emailAddresses, cn)
-		} else {
-			dnsNames = append(dnsNames, cn)
+		if !data.Get("exclude_cn_from_sans").(bool) {
+			if strings.Contains(cn, "@") {
+				// Note: emails are not disallowed if the role's email protection
+				// flag is false, because they may well be included for
+				// informational purposes; it is up to the verifying party to
+				// ensure that email addresses in a subject alternate name can be
+				// used for the purpose for which they are presented
+				emailAddresses = append(emailAddresses, cn)
+			} else {
+				dnsNames = append(dnsNames, cn)
+			}
 		}
 		cnAltInt, ok := data.GetOk("alt_names")
 		if ok {
--- a/builtin/logical/pki/fields.go
+++ b/builtin/logical/pki/fields.go
@@ -5,6 +5,14 @@ import "github.com/hashicorp/vault/logical/framework"
 // addIssueAndSignCommonFields adds fields common to both CA and non-CA issuing
 // and signing
 func addIssueAndSignCommonFields(fields map[string]*framework.FieldSchema) map[string]*framework.FieldSchema {
+	fields["exclude_cn_from_sans"] = &framework.FieldSchema{
+		Type:    framework.TypeBool,
+		Default: false,
+		Description: `If true, the Common Name will not be
+included in DNS or Email Subject Alternate Names.
+Defaults to false (CN is included).`,
+	}
+
 	fields["format"] = &framework.FieldSchema{
 		Type:    framework.TypeString,
 		Default: "pem",