Fix subjectAlternativeName (SAN) generation for CSRs. CA/B Forum baseline
authorsthen <sthen@openbsd.org>
Fri, 17 Sep 2021 20:02:24 +0000 (20:02 +0000)
committersthen <sthen@openbsd.org>
Fri, 17 Sep 2021 20:02:24 +0000 (20:02 +0000)
requirements require that it's used in certificates so it makes sense to
generate a CSR compliant with this, additionally it replaces rather than
adds to the name in the certificate's subject which we weren't handling
correctly. Diff from wolf at wolfsden/cz, ok florian@

usr.sbin/acme-client/keyproc.c

index 1b58b45..96ece27 100644 (file)
@@ -1,4 +1,4 @@
-/*     $Id: keyproc.c,v 1.15 2019/06/15 16:16:31 florian Exp $ */
+/*     $Id: keyproc.c,v 1.16 2021/09/17 20:02:24 sthen Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -174,53 +174,51 @@ keyproc(int netsock, const char *keyfile, const char **alts, size_t altsz,
         * TODO: is this the best way of doing this?
         */
 
-       if (altsz > 1) {
-               nid = NID_subject_alt_name;
-               if ((exts = sk_X509_EXTENSION_new_null()) == NULL) {
-                       warnx("sk_X509_EXTENSION_new_null");
+       nid = NID_subject_alt_name;
+       if ((exts = sk_X509_EXTENSION_new_null()) == NULL) {
+               warnx("sk_X509_EXTENSION_new_null");
+               goto out;
+       }
+       /* Initialise to empty string. */
+       if ((sans = strdup("")) == NULL) {
+               warn("strdup");
+               goto out;
+       }
+       sansz = strlen(sans) + 1;
+
+       /*
+        * For each SAN entry, append it to the string.
+        * We need a single SAN entry for all of the SAN
+        * domains: NOT an entry per domain!
+        */
+
+       for (i = 0; i < altsz; i++) {
+               cc = asprintf(&san, "%sDNS:%s",
+                   i ? "," : "", alts[i]);
+               if (cc == -1) {
+                       warn("asprintf");
                        goto out;
                }
-               /* Initialise to empty string. */
-               if ((sans = strdup("")) == NULL) {
-                       warn("strdup");
+               pp = recallocarray(sans, sansz, sansz + strlen(san), 1);
+               if (pp == NULL) {
+                       warn("recallocarray");
                        goto out;
                }
-               sansz = strlen(sans) + 1;
-
-               /*
-                * For each SAN entry, append it to the string.
-                * We need a single SAN entry for all of the SAN
-                * domains: NOT an entry per domain!
-                */
-
-               for (i = 1; i < altsz; i++) {
-                       cc = asprintf(&san, "%sDNS:%s",
-                           i > 1 ? "," : "", alts[i]);
-                       if (cc == -1) {
-                               warn("asprintf");
-                               goto out;
-                       }
-                       pp = recallocarray(sans, sansz, sansz + strlen(san), 1);
-                       if (pp == NULL) {
-                               warn("recallocarray");
-                               goto out;
-                       }
-                       sans = pp;
-                       sansz += strlen(san);
-                       strlcat(sans, san, sansz);
-                       free(san);
-                       san = NULL;
-               }
+               sans = pp;
+               sansz += strlen(san);
+               strlcat(sans, san, sansz);
+               free(san);
+               san = NULL;
+       }
 
-               if (!add_ext(exts, nid, sans)) {
-                       warnx("add_ext");
-                       goto out;
-               } else if (!X509_REQ_add_extensions(x, exts)) {
-                       warnx("X509_REQ_add_extensions");
-                       goto out;
-               }
-               sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+       if (!add_ext(exts, nid, sans)) {
+               warnx("add_ext");
+               goto out;
+       } else if (!X509_REQ_add_extensions(x, exts)) {
+               warnx("X509_REQ_add_extensions");
+               goto out;
        }
+       sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
 
        /* Sign the X509 request using SHA256. */
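Review bot: Each `alts[i]` is pasted unescaped into the comma-separated `DNS:` list by the `asprintf` call in the loop, and the joined string is then handed to `add_ext`, which is not shown here but presumably parses it as an OpenSSL extension value. If domain names are not already restricted to hostname characters before keyproc() is called, a name containing `,` would be read as extra SAN entries, and because the loop now starts at 0 this also covers the primary domain. I would reject such names before formatting, e.g. `if (strchr(alts[i], ',') != NULL) { warnx("%s: bad domain", alts[i]); goto out; }`, or add a comment saying where that validation happens. Separately, with the `altsz > 1` guard gone, `altsz == 0` now reaches `add_ext` with an empty string, so a comment stating that callers always pass at least one name would help. keyproc() starts and ends outside this hunk, so the cleanup at `out` could not be checked.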