Address feedback

jprenken · jprenken · commit 3ad889fd4367 · 2025-03-14T18:45:32.000-07:00
diff --git a/csr/csr.go b/csr/csr.go
@@ -101,7 +101,9 @@ type names struct {
 // compatibility with prior Let's Encrypt behaviour. The resulting SANs will
 // always include the original CN, if any.
 //
-// Deprecated: TODO(#7311): Use identifier.FromCSR instead.
+// TODO(#7311): For callers that don't care about CNs, use identifier.FromCSR.
+// For the rest, either revise the names struct to hold identifiers instead of
+// strings, or add an ipSANs field (and rename SANs to dnsSANs).
 func NamesFromCSR(csr *x509.CertificateRequest) names {
 	// Produce a new "sans" slice with the same memory address as csr.DNSNames
 	// but force a new allocation if an append happens so that we don't
diff --git a/identifier/identifier.go b/identifier/identifier.go
@@ -5,10 +5,8 @@ package identifier
 
 import (
 	"crypto/x509"
-	"fmt"
 	"net/netip"
 	"slices"
-	"sort"
 	"strings"
 
 	corepb "github.com/letsencrypt/boulder/core/proto"
@@ -92,16 +90,23 @@ func NewIP(ip netip.Addr) ACMEIdentifier {
 }
 
 // FromCert extracts the Subject Alternative Names from a certificate, and
-// returns a slice of ACMEIdentifiers and an error. It does not extract the
-// Subject Common Name.
+// returns a slice of ACMEIdentifiers and an error.
 //
-// FromCSR is similar but handles CSRs, and is kept separate so that it's always
-// clear we are handling an untrusted CSR.
+// FromCSR is similar, but handles CSRs.
 func FromCert(cert *x509.Certificate) []ACMEIdentifier {
 	var sans []ACMEIdentifier
 	for _, name := range cert.DNSNames {
 		sans = append(sans, NewDNS(name))
 	}
+	if cert.Subject.CommonName != "" {
+		// Boulder won't generate certificates with a CN that's not also present
+		// in the SANs, but such a certificate is possible. If appended, this is
+		// deduplicated later with Normalize(). We assume the CN is a DNSName,
+		// because CNs are untyped strings without metadata, and we will never
+		// configure a Boulder profile to issue a certificate that contains both
+		// an IP address identifier and a CN.
+		sans = append(sans, NewDNS(cert.Subject.CommonName))
+	}
 
 	for _, ip := range cert.IPAddresses {
 		sans = append(sans, ACMEIdentifier{
@@ -143,16 +148,29 @@ func FromCSR(csr *x509.CertificateRequest) []ACMEIdentifier {
 	return Normalize(sans)
 }
 
-// Normalize returns the set of all unique ACME identifiers in the
-// input after all of them are lowercased. The returned identifier values will
-// be in their lowercased form and sorted alphabetically by value.
+// Normalize returns the set of all unique ACME identifiers in the input after
+// all of them are lowercased. The returned identifier values will be in their
+// lowercased form and sorted alphabetically by value. DNS identifiers will
+// precede IP address identifiers.
 func Normalize(idents []ACMEIdentifier) []ACMEIdentifier {
 	for i := range idents {
 		idents[i].Value = strings.ToLower(idents[i].Value)
 	}
 
-	sort.Slice(idents, func(i, j int) bool {
-		return fmt.Sprintf("%s:%s", idents[i].Type, idents[i].Value) < fmt.Sprintf("%s:%s", idents[j].Type, idents[j].Value)
+	slices.SortFunc(idents, func(a, b ACMEIdentifier) int {
+		if a.Type == b.Type {
+			if a.Value == b.Value {
+				return 0
+			}
+			if a.Value < b.Value {
+				return -1
+			}
+			return 1
+		}
+		if a.Type == "dns" && b.Type == "ip" {
+			return -1
+		}
+		return 1
 	})
 
 	return slices.Compact(idents)
diff --git a/identifier/identifier_test.go b/identifier/identifier_test.go
@@ -10,67 +10,126 @@ import (
 	"github.com/letsencrypt/boulder/test"
 )
 
-func TestNormalize(t *testing.T) {
-	idents := []ACMEIdentifier{
-		{Type: "DNS", Value: "foobar.com"},
-		{Type: "DNS", Value: "fooBAR.com"},
-		{Type: "DNS", Value: "baz.com"},
-		{Type: "DNS", Value: "foobar.com"},
-		{Type: "DNS", Value: "bar.com"},
-		{Type: "DNS", Value: "bar.com"},
-		{Type: "DNS", Value: "a.com"},
-	}
-	expected := []ACMEIdentifier{
-		{Type: "DNS", Value: "a.com"},
-		{Type: "DNS", Value: "bar.com"},
-		{Type: "DNS", Value: "baz.com"},
-		{Type: "DNS", Value: "foobar.com"},
-	}
-	u := Normalize(idents)
-	test.AssertDeepEquals(t, expected, u)
-}
-
-// TestFromCSR covers TestFromCert as well, because their logic is exactly the same.
-func TestFromCSR(t *testing.T) {
+// TestFromCertAndCSR covers both FromCert and FromCSR; their logic is exactly the same.
+func TestFromCertAndCSR(t *testing.T) {
 	cases := []struct {
 		name           string
-		csr            *x509.CertificateRequest
+		subject        pkix.Name
+		dnsNames       []string
+		ipAddresses    []net.IP
 		expectedIdents []ACMEIdentifier
 	}{
 		{
-			"no explicit CN",
-			&x509.CertificateRequest{DNSNames: []string{"a.com"}},
-			[]ACMEIdentifier{NewDNS("a.com")},
+			name:           "no explicit CN",
+			dnsNames:       []string{"a.com"},
+			expectedIdents: []ACMEIdentifier{NewDNS("a.com")},
+		},
+		{
+			name:           "explicit uppercase CN",
+			subject:        pkix.Name{CommonName: "A.com"},
+			dnsNames:       []string{"a.com"},
+			expectedIdents: []ACMEIdentifier{NewDNS("a.com")},
+		},
+		{
+			name:           "no explicit CN, uppercase SAN",
+			dnsNames:       []string{"A.com"},
+			expectedIdents: []ACMEIdentifier{NewDNS("a.com")},
 		},
 		{
-			"explicit uppercase CN",
-			&x509.CertificateRequest{Subject: pkix.Name{CommonName: "A.com"}, DNSNames: []string{"a.com"}},
-			[]ACMEIdentifier{NewDNS("a.com")},
+			name:           "duplicate SANs",
+			dnsNames:       []string{"b.com", "b.com", "a.com", "a.com"},
+			expectedIdents: []ACMEIdentifier{NewDNS("a.com"), NewDNS("b.com")},
 		},
 		{
-			"no explicit CN, uppercase SAN",
-			&x509.CertificateRequest{DNSNames: []string{"A.com"}},
-			[]ACMEIdentifier{NewDNS("a.com")},
+			name:           "explicit CN not found in SANs",
+			subject:        pkix.Name{CommonName: "a.com"},
+			dnsNames:       []string{"b.com"},
+			expectedIdents: []ACMEIdentifier{NewDNS("a.com"), NewDNS("b.com")},
+		},
+		{
+			name:           "mix of DNSNames and IPAddresses",
+			dnsNames:       []string{"a.com"},
+			ipAddresses:    []net.IP{{192, 168, 1, 1}},
+			expectedIdents: []ACMEIdentifier{NewDNS("a.com"), NewIP(netip.MustParseAddr("192.168.1.1"))},
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			cert := &x509.Certificate{Subject: tc.subject, DNSNames: tc.dnsNames, IPAddresses: tc.ipAddresses}
+			csr := &x509.CertificateRequest{Subject: tc.subject, DNSNames: tc.dnsNames, IPAddresses: tc.ipAddresses}
+			test.AssertDeepEquals(t, FromCert(cert), tc.expectedIdents)
+			test.AssertDeepEquals(t, FromCSR(csr), tc.expectedIdents)
+		})
+	}
+}
+
+func TestNormalize(t *testing.T) {
+	cases := []struct {
+		name     string
+		idents   []ACMEIdentifier
+		expected []ACMEIdentifier
+	}{
+		{
+			name: "convert to lowercase",
+			idents: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "AlPha.example.coM"},
+				{Type: TypeIP, Value: "fe80::CAFE"},
+			},
+			expected: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "alpha.example.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+			},
 		},
 		{
-			"duplicate SANs",
-			&x509.CertificateRequest{DNSNames: []string{"b.com", "b.com", "a.com", "a.com"}},
-			[]ACMEIdentifier{NewDNS("a.com"), NewDNS("b.com")},
+			name: "sort",
+			idents: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "foobar.com"},
+				{Type: TypeDNS, Value: "bar.com"},
+				{Type: TypeDNS, Value: "baz.com"},
+				{Type: TypeDNS, Value: "a.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+				{Type: TypeIP, Value: "2001:db8::1dea"},
+				{Type: TypeIP, Value: "192.168.1.1"},
+			},
+			expected: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "a.com"},
+				{Type: TypeDNS, Value: "bar.com"},
+				{Type: TypeDNS, Value: "baz.com"},
+				{Type: TypeDNS, Value: "foobar.com"},
+				{Type: TypeIP, Value: "192.168.1.1"},
+				{Type: TypeIP, Value: "2001:db8::1dea"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+			},
 		},
 		{
-			"explicit CN not found in SANs",
-			&x509.CertificateRequest{Subject: pkix.Name{CommonName: "a.com"}, DNSNames: []string{"b.com"}},
-			[]ACMEIdentifier{NewDNS("a.com"), NewDNS("b.com")},
+			name: "de-duplicate",
+			idents: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "AlPha.example.coM"},
+				{Type: TypeIP, Value: "fe80::CAFE"},
+				{Type: TypeDNS, Value: "alpha.example.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+				NewIP(netip.MustParseAddr("fe80:0000:0000:0000:0000:0000:0000:cafe")),
+			},
+			expected: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "alpha.example.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+			},
 		},
 		{
-			"mix of DNSNames and IPAddresses",
-			&x509.CertificateRequest{DNSNames: []string{"a.com"}, IPAddresses: []net.IP{{192, 168, 1, 1}}},
-			[]ACMEIdentifier{NewDNS("a.com"), NewIP(netip.MustParseAddr("192.168.1.1"))},
+			name: "DNS before IP",
+			idents: []ACMEIdentifier{
+				{Type: TypeIP, Value: "fe80::cafe"},
+				{Type: TypeDNS, Value: "alpha.example.com"},
+			},
+			expected: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "alpha.example.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+			},
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
-			test.AssertDeepEquals(t, FromCSR(tc.csr), tc.expectedIdents)
+			test.AssertDeepEquals(t, tc.expected, Normalize(tc.idents))
 		})
 	}
 }
