Debug log when creating CSR

This commit is contained in:
Matthew Holt 2024-09-04 15:23:55 -06:00
parent 3bad5b6bb5
commit 80bb9a843f


@ -990,23 +990,26 @@ func (cfg *Config) generateCSR(privateKey crypto.PrivateKey, sans []string, useC
csrTemplate := new(x509.CertificateRequest) csrTemplate := new(x509.CertificateRequest)
for _, name := range sans { for _, name := range sans {
// identifiers should be converted to punycode before going into the CSR
// (convert IDNs to ASCII according to RFC 5280 section 7)
normalizedName, err := idna.ToASCII(name)
if err != nil {
return nil, fmt.Errorf("converting identifier '%s' to ASCII: %v", name, err)
}
// TODO: This is a temporary hack to support ZeroSSL API... // TODO: This is a temporary hack to support ZeroSSL API...
if useCN && csrTemplate.Subject.CommonName == "" && len(name) <= 64 { if useCN && csrTemplate.Subject.CommonName == "" && len(normalizedName) <= 64 {
csrTemplate.Subject.CommonName = name csrTemplate.Subject.CommonName = normalizedName
continue continue
} }
if ip := net.ParseIP(name); ip != nil {
if ip := net.ParseIP(normalizedName); ip != nil {
csrTemplate.IPAddresses = append(csrTemplate.IPAddresses, ip) csrTemplate.IPAddresses = append(csrTemplate.IPAddresses, ip)
} else if strings.Contains(name, "@") { } else if strings.Contains(normalizedName, "@") {
csrTemplate.EmailAddresses = append(csrTemplate.EmailAddresses, name) csrTemplate.EmailAddresses = append(csrTemplate.EmailAddresses, normalizedName)
} else if u, err := url.Parse(name); err == nil && strings.Contains(name, "/") { } else if u, err := url.Parse(normalizedName); err == nil && strings.Contains(normalizedName, "/") {
csrTemplate.URIs = append(csrTemplate.URIs, u) csrTemplate.URIs = append(csrTemplate.URIs, u)
} else { } else {
// convert IDNs to ASCII according to RFC 5280 section 7
normalizedName, err := idna.ToASCII(name)
if err != nil {
return nil, fmt.Errorf("converting identifier '%s' to ASCII: %v", name, err)
}
csrTemplate.DNSNames = append(csrTemplate.DNSNames, normalizedName) csrTemplate.DNSNames = append(csrTemplate.DNSNames, normalizedName)
} }
} }
@ -1015,6 +1018,16 @@ func (cfg *Config) generateCSR(privateKey crypto.PrivateKey, sans []string, useC
csrTemplate.ExtraExtensions = append(csrTemplate.ExtraExtensions, mustStapleExtension) csrTemplate.ExtraExtensions = append(csrTemplate.ExtraExtensions, mustStapleExtension)
} }
// IP addresses aren't printed here because I'm too lazy to marshal them as strings, but
// we at least print the incoming SANs so it should be obvious what became IPs
cfg.Logger.Debug("created CSR",
zap.Strings("identifiers", sans),
zap.Strings("san_dns_names", csrTemplate.DNSNames),
zap.Strings("san_emails", csrTemplate.EmailAddresses),
zap.String("common_name", csrTemplate.Subject.CommonName),
zap.Int("extra_extensions", len(csrTemplate.ExtraExtensions)),
)
csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privateKey) csrDER, err := x509.CreateCertificateRequest(rand.Reader, csrTemplate, privateKey)
if err != nil { if err != nil {
return nil, err return nil, err