Merge pull request #118 from smallstep/iid-common-names

Add subject to the list of SANs in cloud providers

Gopkg.toml

@@ -74,3 +74,7 @@ required = [
 [[constraint]]
   branch = "master"
   name = "github.com/smallstep/certinfo"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/smallstep/zcrypto"

command/ca/ca.go

@@ -15,6 +15,11 @@ import (
 	"github.com/urfave/cli"
 )
 
+// sharedContext is used to share information between commands.
+var sharedContext = struct {
+	DisableCustomSANs bool
+}{}
+
 // init creates and registers the ca command
 func init() {
 	cmd := cli.Command{

command/ca/certificate.go

@@ -352,22 +352,36 @@ func (f *certificateFlow) CreateSignRequest(tok, subject string, sans []string)
 	case token.AWS:
 		doc := jwt.Payload.Amazon.InstanceIdentityDocument
 		if len(ips) == 0 && len(dnsNames) == 0 {
-			ips = append(ips, net.ParseIP(doc.PrivateIP))
-			dnsNames = append(dnsNames,
+			defaultSANs := []string{
+				doc.PrivateIP,
 				fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region),
-			)
+			}
+			if !sharedContext.DisableCustomSANs {
+				defaultSANs = append(defaultSANs, subject)
+			}
+			dnsNames, ips = splitSANs(defaultSANs)
 		}
 	case token.GCP:
 		ce := jwt.Payload.Google.ComputeEngine
-		if len(dnsNames) == 0 {
-			dnsNames = append(dnsNames,
+		if len(ips) == 0 && len(dnsNames) == 0 {
+			defaultSANs := []string{
 				fmt.Sprintf("%s.c.%s.internal", ce.InstanceName, ce.ProjectID),
 				fmt.Sprintf("%s.%s.c.%s.internal", ce.InstanceName, ce.Zone, ce.ProjectID),
-			)
+			}
+			if !sharedContext.DisableCustomSANs {
+				defaultSANs = append(defaultSANs, subject)
+			}
+			dnsNames, ips = splitSANs(defaultSANs)
 		}
 	case token.Azure:
-		if len(dnsNames) == 0 {
-			dnsNames = append(dnsNames, jwt.Payload.Azure.VirtualMachine)
+		if len(ips) == 0 && len(dnsNames) == 0 {
+			defaultSANs := []string{
+				jwt.Payload.Azure.VirtualMachine,
+			}
+			if !sharedContext.DisableCustomSANs {
+				defaultSANs = append(defaultSANs, subject)
+			}
+			dnsNames, ips = splitSANs(defaultSANs)
 		}
 	default: // Use common name in the token
 		subject = jwt.Payload.Subject

command/ca/offline.go

@@ -239,10 +239,13 @@ func (c *offlineCA) GenerateToken(ctx *cli.Context, typ int, subject string, san
 		}
 		return strings.TrimSpace(string(out)), nil
 	case *provisioner.GCP: // Do the identity request to get the token
+		sharedContext.DisableCustomSANs = p.DisableCustomSANs
 		return p.GetIdentityToken(subject, c.CaURL())
 	case *provisioner.AWS: // Do the identity request to get the token
+		sharedContext.DisableCustomSANs = p.DisableCustomSANs
 		return p.GetIdentityToken(subject, c.CaURL())
 	case *provisioner.Azure: // Do the identity request to get the token
+		sharedContext.DisableCustomSANs = p.DisableCustomSANs
 		return p.GetIdentityToken(subject, c.CaURL())
 	}
 

command/ca/token.go

@@ -350,10 +350,13 @@ func newTokenFlow(ctx *cli.Context, typ int, subject string, sans []string, caUR
 		}
 		return strings.TrimSpace(string(out)), nil
 	case *provisioner.GCP: // Do the identity request to get the token
+		sharedContext.DisableCustomSANs = p.DisableCustomSANs
 		return p.GetIdentityToken(subject, caURL)
 	case *provisioner.AWS: // Do the identity request to get the token
+		sharedContext.DisableCustomSANs = p.DisableCustomSANs
 		return p.GetIdentityToken(subject, caURL)
 	case *provisioner.Azure: // Do the identity request to get the token
+		sharedContext.DisableCustomSANs = p.DisableCustomSANs
 		return p.GetIdentityToken(subject, caURL)
 	}