Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for certificates with client and server auth and URL SANs #166

Merged
merged 6 commits into from
Jul 5, 2019
Merged

Add support for certificates with client and server auth and URL SANs #166

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
e63fb5b
Support URIs as alternate subject names
May 28, 2019
c77f211
Add extended key usage server auth to client certs to facilitate Serv…
Jun 17, 2019
d72ac57
Implement review comments, require spiffe URI scheme
Jun 17, 2019
5dd95e1
Request URIs to have scheme and host
Jun 17, 2019
0000c25
Fix error message for incorrect URLs
robertpanzer Jun 17, 2019
fbb34f6
Fix error message for incorrect URLs
robertpanzer Jun 17, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion cert.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ import (
"math/big"
"net"
"net/mail"
"net/url"
"os"
"os/user"
"path/filepath"
Expand Down Expand Up @@ -70,13 +71,15 @@ func (m *mkcert) makeCert(hosts []string) {
tpl.IPAddresses = append(tpl.IPAddresses, ip)
} else if email, err := mail.ParseAddress(h); err == nil && email.Address == h {
tpl.EmailAddresses = append(tpl.EmailAddresses, h)
} else if uriName, err := url.Parse(h); err == nil && uriName.Scheme != "" {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm a bit worried this will catch things some people want as hostnames. Anything with a : will parse as an URI with Scheme != "", and sometimes people use : in hostnames, for example.

Are there other filters we can apply while still working for your use case?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For my concrete use case I want Spiffe URIs, so checking for value URLs plus the prefix spiffe:// would be fine too (for me)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll update the PR to require the scheme spiffe.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to make it Spiffe specific. Looks like those are URLs with the full ://, so we can just check Scheme != "" && Host != "" (because without :// only Scheme and Opaque get populated).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Just updated the PR with this check.

tpl.URIs = append(tpl.URIs, uriName)
} else {
tpl.DNSNames = append(tpl.DNSNames, h)
}
}

if m.client {
tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
} else if len(tpl.IPAddresses) > 0 || len(tpl.DNSNames) > 0 {
tpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
}
Expand Down
4 changes: 4 additions & 0 deletions main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ import (
"log"
"net"
"net/mail"
"net/url"
"os"
"path/filepath"
"regexp"
Expand Down Expand Up @@ -194,6 +195,9 @@ func (m *mkcert) Run(args []string) {
if email, err := mail.ParseAddress(name); err == nil && email.Address == name {
continue
}
if _, err := url.Parse(name); err == nil {
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is missing the extra validation that happens in cert.go.

continue
}
punycode, err := idna.ToASCII(name)
if err != nil {
log.Fatalf("ERROR: %q is not a valid hostname, IP, or email: %s", name, err)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here and below, update the error.

Expand Down