identifier: Add FromCert & FromCSR; move Normalize from core (#8065)

jprenken · web-flow · commit b4308df0cc0c · 2025-03-19T17:03:59.000-04:00
Part of #7311
diff --git a/core/util.go b/core/util.go
@@ -21,7 +21,6 @@ import (
 	"path"
 	"reflect"
 	"regexp"
-	"slices"
 	"sort"
 	"strings"
 	"time"
@@ -32,8 +31,6 @@ import (
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
-
-	"github.com/letsencrypt/boulder/identifier"
 )
 
 const Unspecified = "Unspecified"
@@ -322,21 +319,6 @@ func UniqueLowerNames(names []string) (unique []string) {
 	return
 }
 
-// NormalizeIdentifiers returns the set of all unique ACME identifiers in the
-// input after all of them are lowercased. The returned identifier values will
-// be in their lowercased form and sorted alphabetically by value.
-func NormalizeIdentifiers(identifiers []identifier.ACMEIdentifier) []identifier.ACMEIdentifier {
-	for i := range identifiers {
-		identifiers[i].Value = strings.ToLower(identifiers[i].Value)
-	}
-
-	sort.Slice(identifiers, func(i, j int) bool {
-		return fmt.Sprintf("%s:%s", identifiers[i].Type, identifiers[i].Value) < fmt.Sprintf("%s:%s", identifiers[j].Type, identifiers[j].Value)
-	})
-
-	return slices.Compact(identifiers)
-}
-
 // HashNames returns a hash of the names requested. This is intended for use
 // when interacting with the orderFqdnSets table and rate limiting.
 func HashNames(names []string) []byte {
diff --git a/core/util_test.go b/core/util_test.go
@@ -20,7 +20,6 @@ import (
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
-	"github.com/letsencrypt/boulder/identifier"
 	"github.com/letsencrypt/boulder/test"
 )
 
@@ -255,26 +254,6 @@ func TestUniqueLowerNames(t *testing.T) {
 	test.AssertDeepEquals(t, []string{"a.com", "bar.com", "baz.com", "foobar.com"}, u)
 }
 
-func TestNormalizeIdentifiers(t *testing.T) {
-	idents := []identifier.ACMEIdentifier{
-		{Type: "DNS", Value: "foobar.com"},
-		{Type: "DNS", Value: "fooBAR.com"},
-		{Type: "DNS", Value: "baz.com"},
-		{Type: "DNS", Value: "foobar.com"},
-		{Type: "DNS", Value: "bar.com"},
-		{Type: "DNS", Value: "bar.com"},
-		{Type: "DNS", Value: "a.com"},
-	}
-	expected := []identifier.ACMEIdentifier{
-		{Type: "DNS", Value: "a.com"},
-		{Type: "DNS", Value: "bar.com"},
-		{Type: "DNS", Value: "baz.com"},
-		{Type: "DNS", Value: "foobar.com"},
-	}
-	u := NormalizeIdentifiers(idents)
-	test.AssertDeepEquals(t, expected, u)
-}
-
 func TestValidSerial(t *testing.T) {
 	notLength32Or36 := "A"
 	length32 := strings.Repeat("A", 32)
diff --git a/csr/csr.go b/csr/csr.go
@@ -100,6 +100,10 @@ type names struct {
 // will be the first SAN that is short enough, which is done only for backwards
 // compatibility with prior Let's Encrypt behaviour. The resulting SANs will
 // always include the original CN, if any.
+//
+// TODO(#7311): For callers that don't care about CNs, use identifier.FromCSR.
+// For the rest, either revise the names struct to hold identifiers instead of
+// strings, or add an ipSANs field (and rename SANs to dnsSANs).
 func NamesFromCSR(csr *x509.CertificateRequest) names {
 	// Produce a new "sans" slice with the same memory address as csr.DNSNames
 	// but force a new allocation if an append happens so that we don't
diff --git a/identifier/identifier.go b/identifier/identifier.go
@@ -9,7 +9,11 @@
 package identifier
 
 import (
+	"crypto/x509"
+	"net"
 	"net/netip"
+	"slices"
+	"strings"
 
 	corepb "github.com/letsencrypt/boulder/core/proto"
 )
@@ -94,3 +98,70 @@ func NewIP(ip netip.Addr) ACMEIdentifier {
 		Value: ip.String(),
 	}
 }
+
+// fromX509 extracts the Subject Alternative Names from a certificate or CSR's fields, and
+// returns a slice of ACMEIdentifiers.
+func fromX509(commonName string, dnsNames []string, ipAddresses []net.IP) []ACMEIdentifier {
+	var sans []ACMEIdentifier
+	for _, name := range dnsNames {
+		sans = append(sans, NewDNS(name))
+	}
+	if commonName != "" {
+		// Boulder won't generate certificates with a CN that's not also present
+		// in the SANs, but such a certificate is possible. If appended, this is
+		// deduplicated later with Normalize(). We assume the CN is a DNSName,
+		// because CNs are untyped strings without metadata, and we will never
+		// configure a Boulder profile to issue a certificate that contains both
+		// an IP address identifier and a CN.
+		sans = append(sans, NewDNS(commonName))
+	}
+
+	for _, ip := range ipAddresses {
+		sans = append(sans, ACMEIdentifier{
+			Type:  TypeIP,
+			Value: ip.String(),
+		})
+	}
+
+	return Normalize(sans)
+}
+
+// FromCert extracts the Subject Common Name and Subject Alternative Names from
+// a certificate, and returns a slice of ACMEIdentifiers.
+func FromCert(cert *x509.Certificate) []ACMEIdentifier {
+	return fromX509(cert.Subject.CommonName, cert.DNSNames, cert.IPAddresses)
+}
+
+// FromCSR extracts the Subject Common Name and Subject Alternative Names from a
+// CSR, and returns a slice of ACMEIdentifiers.
+func FromCSR(csr *x509.CertificateRequest) []ACMEIdentifier {
+	return fromX509(csr.Subject.CommonName, csr.DNSNames, csr.IPAddresses)
+}
+
+// Normalize returns the set of all unique ACME identifiers in the input after
+// all of them are lowercased. The returned identifier values will be in their
+// lowercased form and sorted alphabetically by value. DNS identifiers will
+// precede IP address identifiers.
+func Normalize(idents []ACMEIdentifier) []ACMEIdentifier {
+	for i := range idents {
+		idents[i].Value = strings.ToLower(idents[i].Value)
+	}
+
+	slices.SortFunc(idents, func(a, b ACMEIdentifier) int {
+		if a.Type == b.Type {
+			if a.Value == b.Value {
+				return 0
+			}
+			if a.Value < b.Value {
+				return -1
+			}
+			return 1
+		}
+		if a.Type == "dns" && b.Type == "ip" {
+			return -1
+		}
+		return 1
+	})
+
+	return slices.Compact(idents)
+}
diff --git a/identifier/identifier_test.go b/identifier/identifier_test.go
@@ -0,0 +1,147 @@
+package identifier
+
+import (
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"net"
+	"net/netip"
+	"slices"
+	"testing"
+)
+
+// TestFromX509 tests FromCert and FromCSR, which are fromX509's public
+// wrappers.
+func TestFromX509(t *testing.T) {
+	cases := []struct {
+		name        string
+		subject     pkix.Name
+		dnsNames    []string
+		ipAddresses []net.IP
+		want        []ACMEIdentifier
+	}{
+		{
+			name:     "no explicit CN",
+			dnsNames: []string{"a.com"},
+			want:     []ACMEIdentifier{NewDNS("a.com")},
+		},
+		{
+			name:     "explicit uppercase CN",
+			subject:  pkix.Name{CommonName: "A.com"},
+			dnsNames: []string{"a.com"},
+			want:     []ACMEIdentifier{NewDNS("a.com")},
+		},
+		{
+			name:     "no explicit CN, uppercase SAN",
+			dnsNames: []string{"A.com"},
+			want:     []ACMEIdentifier{NewDNS("a.com")},
+		},
+		{
+			name:     "duplicate SANs",
+			dnsNames: []string{"b.com", "b.com", "a.com", "a.com"},
+			want:     []ACMEIdentifier{NewDNS("a.com"), NewDNS("b.com")},
+		},
+		{
+			name:     "explicit CN not found in SANs",
+			subject:  pkix.Name{CommonName: "a.com"},
+			dnsNames: []string{"b.com"},
+			want:     []ACMEIdentifier{NewDNS("a.com"), NewDNS("b.com")},
+		},
+		{
+			name:        "mix of DNSNames and IPAddresses",
+			dnsNames:    []string{"a.com"},
+			ipAddresses: []net.IP{{192, 168, 1, 1}},
+			want:        []ACMEIdentifier{NewDNS("a.com"), NewIP(netip.MustParseAddr("192.168.1.1"))},
+		},
+	}
+	for _, tc := range cases {
+		t.Run("cert/"+tc.name, func(t *testing.T) {
+			t.Parallel()
+			got := FromCert(&x509.Certificate{Subject: tc.subject, DNSNames: tc.dnsNames, IPAddresses: tc.ipAddresses})
+			if !slices.Equal(got, tc.want) {
+				t.Errorf("FromCert() got %#v, but want %#v", got, tc.want)
+			}
+		})
+		t.Run("csr/"+tc.name, func(t *testing.T) {
+			t.Parallel()
+			got := FromCSR(&x509.CertificateRequest{Subject: tc.subject, DNSNames: tc.dnsNames, IPAddresses: tc.ipAddresses})
+			if !slices.Equal(got, tc.want) {
+				t.Errorf("FromCSR() got %#v, but want %#v", got, tc.want)
+			}
+		})
+	}
+}
+
+func TestNormalize(t *testing.T) {
+	cases := []struct {
+		name   string
+		idents []ACMEIdentifier
+		want   []ACMEIdentifier
+	}{
+		{
+			name: "convert to lowercase",
+			idents: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "AlPha.example.coM"},
+				{Type: TypeIP, Value: "fe80::CAFE"},
+			},
+			want: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "alpha.example.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+			},
+		},
+		{
+			name: "sort",
+			idents: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "foobar.com"},
+				{Type: TypeDNS, Value: "bar.com"},
+				{Type: TypeDNS, Value: "baz.com"},
+				{Type: TypeDNS, Value: "a.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+				{Type: TypeIP, Value: "2001:db8::1dea"},
+				{Type: TypeIP, Value: "192.168.1.1"},
+			},
+			want: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "a.com"},
+				{Type: TypeDNS, Value: "bar.com"},
+				{Type: TypeDNS, Value: "baz.com"},
+				{Type: TypeDNS, Value: "foobar.com"},
+				{Type: TypeIP, Value: "192.168.1.1"},
+				{Type: TypeIP, Value: "2001:db8::1dea"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+			},
+		},
+		{
+			name: "de-duplicate",
+			idents: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "AlPha.example.coM"},
+				{Type: TypeIP, Value: "fe80::CAFE"},
+				{Type: TypeDNS, Value: "alpha.example.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+				NewIP(netip.MustParseAddr("fe80:0000:0000:0000:0000:0000:0000:cafe")),
+			},
+			want: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "alpha.example.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+			},
+		},
+		{
+			name: "DNS before IP",
+			idents: []ACMEIdentifier{
+				{Type: TypeIP, Value: "fe80::cafe"},
+				{Type: TypeDNS, Value: "alpha.example.com"},
+			},
+			want: []ACMEIdentifier{
+				{Type: TypeDNS, Value: "alpha.example.com"},
+				{Type: TypeIP, Value: "fe80::cafe"},
+			},
+		},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			got := Normalize(tc.idents)
+			if !slices.Equal(got, tc.want) {
+				t.Errorf("Got %#v, but want %#v", got, tc.want)
+			}
+		})
+	}
+}
diff --git a/wfe2/wfe.go b/wfe2/wfe.go
@@ -2200,7 +2200,7 @@ func (wfe *WebFrontEndImpl) validateCertificateProfileName(profile string) error
 }
 
 func (wfe *WebFrontEndImpl) checkIdentifiersPaused(ctx context.Context, orderIdentifiers []identifier.ACMEIdentifier, regID int64) ([]string, error) {
-	uniqueOrderIdents := core.NormalizeIdentifiers(orderIdentifiers)
+	uniqueOrderIdents := identifier.Normalize(orderIdentifiers)
 	var idents []*corepb.Identifier
 	for _, ident := range uniqueOrderIdents {
 		idents = append(idents, &corepb.Identifier{

Original file line number	Diff line number	Diff line change
`@@ -2200,7 +2200,7 @@ func (wfe *WebFrontEndImpl) validateCertificateProfileName(profile string) error`
`2200`	`2200`	`}`
`2201`	`2201`
`2202`	`2202`	`func (wfe *WebFrontEndImpl) checkIdentifiersPaused(ctx context.Context, orderIdentifiers []identifier.ACMEIdentifier, regID int64) ([]string, error) {`
`2203`		`- uniqueOrderIdents := core.NormalizeIdentifiers(orderIdentifiers)`
	`2203`	`+ uniqueOrderIdents := identifier.Normalize(orderIdentifiers)`
`2204`	`2204`	`var idents []*corepb.Identifier`
`2205`	`2205`	`for _, ident := range uniqueOrderIdents {`
`2206`	`2206`	`idents = append(idents, &corepb.Identifier{`