// TODO: limit what IP addresses can be used? Only private? Only certain ranges (i.e. only allow the specific ranges by default, configuration for all?)
// TODO: can DNS already be limited to a certain domain? That would probably be nice to have too, but maybe not as part of this PR
@ -221,6 +225,23 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
// Note that with certificate templates we are not going to check for the
// absence of other SANs as they will only be set if the templates allows
// them.
iflen(csr.DNSNames)!=len(orderNames){
returnsans,NewError(ErrorBadCSRType,"CSR names do not match identifiers exactly: "+
"CSR names = %v, Order names = %v",csr.DNSNames,orderNames)
}
fori:=rangecsr.DNSNames{
ifcsr.DNSNames[i]!=orderNames[i]{
returnsans,NewError(ErrorBadCSRType,"CSR names do not match identifiers exactly: "+
"CSR names = %v, Order names = %v",csr.DNSNames,orderNames)
}
sans[index]=x509util.SubjectAlternativeName{
Type:x509util.DNSType,
Value:csr.DNSNames[i],
}
index++
}
iflen(csr.IPAddresses)!=len(orderIPs){
returnsans,NewError(ErrorBadCSRType,"number of CSR IPs do not match identifiers exactly: "+
"CSR IPs = %v, Order IPs = %v",csr.IPAddresses,orderIPs)
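Review bot: The new DNS loop compares `csr.DNSNames[i] != orderNames[i]` by position and by exact string, so it is only correct if both slices were lowercased, de-duplicated and sorted the same way before this point. That normalization is not visible in the hunk; the body of `sans` starts and ends outside it. If it does happen above, a short comment at the loop would make the precondition explicit, for example `// csr.DNSNames and orderNames are both lowercased and sorted above, so a positional compare is an exact-set check`. If it does not, a CSR that lists the authorized names in a different order or case would be rejected. The length check and the loop also build the same `NewError(ErrorBadCSRType, ...)` message twice, so a small local helper would keep the two copies from drifting apart.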
@ -231,31 +252,31 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
returnsans,NewError(ErrorBadCSRType,"CSR IPs do not match identifiers exactly: "+
"CSR IPs = %v, Order IPs = %v",csr.IPAddresses,orderIPs)
}
sans[i]=x509util.SubjectAlternativeName{
sans[index]=x509util.SubjectAlternativeName{
Type:x509util.IPType,
Value:csr.IPAddresses[i].String(),
}
index++
}
iflen(csr.DNSNames)!=len(orderNames){
returnsans,NewError(ErrorBadCSRType,"CSR names do not match identifiers exactly: "+
"CSR names = %v, Order names = %v",csr.DNSNames,orderNames)
}
returnsans,nil
}
fori:=rangecsr.DNSNames{
ifcsr.DNSNames[i]!=orderNames[i]{
returnsans,NewError(ErrorBadCSRType,"CSR names do not match identifiers exactly: "+
"CSR names = %v, Order names = %v",csr.DNSNames,orderNames)
}
sans[i]=x509util.SubjectAlternativeName{
Type:x509util.DNSType,
Value:csr.DNSNames[i],
// numberOfIdentifierType returns the number of Identifiers that