
Commit e4d9b5b

strict signing can now occur without providing DNS SANs parameter
1 parent b2b9088 commit e4d9b5b


1 file changed

+16
-15
lines changed

1 file changed

+16
-15
lines changed

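--- a/path_certs.go
+++ b/path_certs.go
@@ -266,37 +266,38 @@ func (b *keyfactorBackend) pathSign(ctx context.Context, req *logical.Request, d
 arg, _ := json.Marshal(req.Data)
 b.Logger().Debug(string(arg))
 
-// validate DNS SANS (required)
+// validate DNS SANS (optional)
 var dns_sans []string
 b.Logger().Debug("parsing dns_sans...")
 dns_sans_string, ok := data.GetOk("dns_sans")
 
-if !ok || dns_sans_string == nil || dns_sans_string == "" {
-return nil, fmt.Errorf("dns_sans must be provided to issue certificate")
-}
-dns_sans_string = dns_sans_string.(string)
-dns_sans = strings.Split(dns_sans_string.(string), ",")
-
-b.Logger().Debug(fmt.Sprintf("dns_sans = %s", dns_sans))
+if ok && dns_sans_string != nil && dns_sans_string == "" {
+dns_sans_string = dns_sans_string.(string)
+dns_sans = strings.Split(dns_sans_string.(string), ",")
+b.Logger().Debug(fmt.Sprintf("dns_sans = %s", dns_sans))
 
-b.Logger().Trace("checking to make sure all DNS SANs are allowed by role..")
+b.Logger().Trace("checking to make sure all DNS SANs are allowed by role..")
 
-// check the provided DNS sans against allowed domains
-valid, err_resp = checkAllowedDomains(role, roleName, dns_sans)
-if err_resp != nil && !valid {
-b.Logger().Error(err_resp.Error())
-return logical.ErrorResponse("DNS_SAN(s) not allowed for role: %s", err_resp.Error()), err_resp
+// check the provided DNS sans against allowed domains
+valid, err_resp = checkAllowedDomains(role, roleName, dns_sans)
+if err_resp != nil && !valid {
+b.Logger().Error(err_resp.Error())
+return logical.ErrorResponse("DNS_SAN(s) not allowed for role: %s", err_resp.Error()), err_resp
+}
+} else {
+b.Logger().Debug("no DNS SANs provided")
 }
 
 // ip sans (optional)
 var ip_sans []string
-
 b.Logger().Debug("parsing ip_sans...")
 ip_sans_string, ok := data.GetOk("ip_sans")
 
 if ok && ip_sans_string != nil && ip_sans_string.(string) != "" {
 b.Logger().Trace(fmt.Sprintf("passed ip_sans: %s", ip_sans_string.(string)))
 ip_sans = strings.Split(ip_sans_string.(string), ",")
+} else {
+b.Logger().Debug("no IP SANs provided")
 }
 
 // get the CA name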
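Review bot: The new guard `if ok && dns_sans_string != nil && dns_sans_string == ""` is inverted: it enters the parse-and-validate branch only when dns_sans is the empty string (where `strings.Split` yields `[""]`), and any non-empty dns_sans value falls into the `else` branch that logs "no DNS SANs provided", so `checkAllowedDomains` is never run against SANs the caller actually supplied and `dns_sans` stays nil for them. It should mirror the ip_sans guard a few lines below: `if ok && dns_sans_string != nil && dns_sans_string.(string) != "" {`. While there, `dns_sans_string = dns_sans_string.(string)` is a no-op reassignment into the same interface variable and can be dropped; if the field schema does not already guarantee a string, the unchecked `.(string)` assertion would panic on a non-string value, which is worth confirming. The enclosing pathSign function starts and ends outside this hunk, so whether a nil `dns_sans` later reaches the signing request cannot be seen here.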
