Merge pull request #72 from jgnagy/fix/better-support-for-cert-manager

Improve detection of SANS for cert-manager

Author: jgnagy

lib/bullion.rb

@@ -69,7 +69,11 @@ class ConfigError < Error; end
   MetricsRegistry = Prometheus::Client.registry
 
   def self.ca_key
-    @ca_key ||= OpenSSL::PKey::RSA.new(File.read(config.ca.key_path), config.ca.secret)
+    @ca_key ||= begin
+      OpenSSL::PKey::RSA.new(File.read(config.ca.key_path), config.ca.secret)
+    rescue OpenSSL::PKey::RSAError
+      OpenSSL::PKey::EC.new(File.read(config.ca.key_path), config.ca.secret)
+    end
   end
 
   def self.ca_cert_file

lib/bullion/helpers/acme.rb

@@ -119,13 +119,13 @@ def acme_csr_valid?(order_csr)
         csr_attrs = extract_csr_attrs(csr)
         csr_sans = extract_csr_sans(csr_attrs)
         csr_domains = extract_csr_domains(csr_sans)
-        csr_cn = cn_from_csr(csr)
+        csr_cn = cn_from_csr(csr) || csr_domains.first
 
         # Make sure the CSR has a valid public key
         raise Bullion::Acme::Errors::BadCsr unless csr.verify(csr.public_key)
 
         return false unless order.ready_status?
-        raise Bullion::Acme::Errors::BadCsr unless csr_domains.include?(csr_cn)
+        raise Bullion::Acme::Errors::BadCsr if csr_cn && !csr_domains.include?(csr_cn)
         raise Bullion::Acme::Errors::BadCsr unless csr_domains.sort == order.domains.sort
 
         true

lib/bullion/helpers/ssl.rb

@@ -127,31 +127,14 @@ def manage_csr_extensions(csr, new_cert)
         )
 
         # Alternate Names
-        cn = cn_from_csr(csr)
-        existing_sans = filter_sans(csr_sans(csr))
-        valid_alts = (["DNS:#{cn}"] + [*existing_sans]).uniq
+        valid_alts = build_valid_alt_names(csr)
 
         new_cert.add_extension(ef.create_extension("subjectAltName", valid_alts.join(",")))
 
         # return the updated cert and any subject alternate names added
         [new_cert, valid_alts]
       end
 
-      def csr_sans(csr)
-        raw_attributes = csr.attributes
-        return [] unless raw_attributes
-
-        seq = extract_csr_attrs(csr)
-        return [] unless seq
-
-        values = extract_san_values(seq)
-        return [] unless values
-
-        values = OpenSSL::ASN1.decode(values).value
-
-        values.select { |v| v.tag == 2 }.map { |v| "DNS:#{v.value}" }
-      end
-
       def extract_csr_attrs(csr)
         csr.attributes.select { |a| a.oid == "extReq" }.map { |a| a.value.map(&:value) }
       end
@@ -161,8 +144,9 @@ def extract_csr_sans(csr_attrs)
       end
 
       def extract_csr_domains(csr_sans)
-        csr_decoded_sans = OpenSSL::ASN1.decode(csr_sans.first.value[1].value)
-        csr_decoded_sans.select { |v| v.tag == 2 }.map(&:value)
+        subject_alt_names = csr_sans.first.value.find { |v| v.tag == 4 }
+        csr_decoded_sans = OpenSSL::ASN1.decode(subject_alt_names.value)
+        csr_decoded_sans.value.select { |v| v.tag == 2 }.map(&:value)
       end
 
       def extract_san_values(sequence)
@@ -184,13 +168,33 @@ def filter_sans(potential_sans)
       end
 
       def cn_from_csr(csr)
-        if csr.subject.to_s
-          cns = csr.subject.to_s.split("/").grep(/^CN=/)
+        return unless csr.subject.to_s
 
-          return cns.first.split("=").last if cns && !cns.empty?
-        end
+        cns = csr.subject.to_s.split("/").grep(/^CN=/)
+
+        cns.first.split("=").last if cns && !cns.empty?
+      end
+
+      def cn_or_first_san_from_csr(csr)
+        cn = cn_from_csr(csr)
+        return cn if cn
+
+        csr_attrs = extract_csr_attrs(csr)
+        csr_sans = extract_csr_sans(csr_attrs)
+        extract_csr_domains(csr_sans).first
+      end
+
+      def domains_from_csr(csr)
+        csr_attrs = extract_csr_attrs(csr)
+        csr_sans = extract_csr_sans(csr_attrs)
+        extract_csr_domains(csr_sans)
+      end
 
-        csr_sans(csr).first.split(":").last
+      def build_valid_alt_names(csr)
+        cn = cn_or_first_san_from_csr(csr)
+        csr_domains = domains_from_csr(csr)
+        existing_sans = filter_sans(csr_domains).map { |d| "DNS:#{d}" }
+        (["DNS:#{cn}"] + [*existing_sans]).uniq
       end
 
       # Signs an ACME CSR
@@ -206,7 +210,7 @@ def sign_csr(csr, username)
         csr_cert.not_after = csr_cert.not_before + (3 * 30 * 24 * 60 * 60)
 
         # Force a subject if the cert doesn't have one
-        cert.subject = simple_subject(cn_from_csr(csr)) unless cert.subject
+        cert.subject = simple_subject(cn_or_first_san_from_csr(csr)) unless cert.subject
 
         csr_cert.subject = simple_subject(cert.subject.to_s)