From 49045a1150cea77436a04608594e3dbbcd614efc Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Tue, 31 Oct 2023 16:44:18 -0700
Subject: [PATCH] Change CommonName validator in JWK

This commit changes the common name validator in the JWK provisioner to accept either the token subject or any of the sans in the token.
---
 authority/provisioner/jwk.go | 2 +-
 authority/provisioner/jwk_test.go | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index c98d78f2..3a7512b8 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -190,7 +190,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID).WithControllerOptions(p.ctl),
 profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 // validators
- commonNameValidator(claims.Subject),
+ commonNameSliceValidator(append([]string{claims.Subject}, claims.SANs...)),
 defaultPublicKeyValidator{},
 newDefaultSANsValidator(ctx, claims.SANs),
 newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
diff --git a/authority/provisioner/jwk_test.go b/authority/provisioner/jwk_test.go
index bffe1141..c688e914 100644
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@@ -309,8 +309,8 @@ func TestJWK_AuthorizeSign(t *testing.T) {
 assert.Len(t, 0, v.KeyValuePairs)
 case profileDefaultDuration:
 assert.Equals(t, time.Duration(v), tt.prov.ctl.Claimer.DefaultTLSCertDuration())
- case commonNameValidator:
- assert.Equals(t, string(v), "subject")
+ case commonNameSliceValidator:
+ assert.Equals(t, []string(v), append([]string{"subject"}, tt.sans...))
 case defaultPublicKeyValidator:
 case *validityValidator:
 assert.Equals(t, v.min, tt.prov.ctl.Claimer.MinTLSCertDuration())
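Review bot: The new `commonNameSliceValidator(append([]string{claims.Subject}, claims.SANs...))` line widens the CN a CSR may carry from the token subject to any SAN in the token, and nothing on the line records why that is acceptable, so the next reader is likely to read it as a relaxation of the check. The reason it is not one is visible two lines below: `newDefaultSANsValidator(ctx, claims.SANs)` still binds the CSR's SANs to the same list, so — assuming `claims` was parsed from the verified token earlier in AuthorizeSign — the holder cannot assert a CN beyond names the token already authorizes; I would record that as `// CN may be the token subject or any token SAN; SANs are still bound by newDefaultSANsValidator below, so this does not widen what the token holder can assert.` Two behaviors are decided inside commonNameSliceValidator, outside this hunk, and are worth confirming: whether matching is exact rather than case-insensitive, and how an empty claims.Subject (which puts `""` into the slice) interacts with a CSR whose CommonName is empty. AuthorizeSign starts and ends outside the hunk.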
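Review bot: The new `assert.Equals(t, []string(v), append([]string{"subject"}, tt.sans...))` only checks the list the validator is constructed with, which pins the wiring but not the behavior the commit describes. A table case whose CSR CommonName equals one of tt.sans but not "subject" (expected to be accepted) and one whose CommonName matches neither (expected to be rejected) would pin both sides of the new rule. I cannot see the test table from this hunk, so it may already contain such cases; if it does not, that is where the regression coverage for this change belongs. TestJWK_AuthorizeSign starts and ends outside the hunk.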