gen-cert: extract domains from CSR if --domains is empty

hm-edu · Jan 10, 2025 · 51203e9 · 51203e9
1 parent c88d476
commit 51203e9
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 13 deletions.
diff --git a/client/client.go b/client/client.go
@@ -93,6 +93,23 @@ func WithRefreshInterval(interval time.Duration) Option {
 	}
 }
 
+func ParseCSR(csr []byte) (*x509.CertificateRequest, error) {
+	block, _ := pem.Decode([]byte(csr))
+	if block == nil || block.Type != "CERTIFICATE REQUEST" {
+		return nil, errors.New("failed to decode PEM block containing CSR")
+	}
+	csrParsed, err := x509.ParseCertificateRequest(block.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse CSR: %v", err)
+	}
+
+	if err := csrParsed.CheckSignature(); err != nil {
+		return nil, fmt.Errorf("CSR signature is invalid: %v", err)
+	}
+
+	return csrParsed, nil
+}
+
 func (c *Client) SessionRefresh(force bool) error {
 	return c.prepareClient(c.user, c.password, c.totp, force)
 }
@@ -340,20 +357,10 @@ func (c *Client) RequestCertificate(domains []string, csr string, transactionTyp
 	}
 
 	// Ensure that the CSR is in the correct format so we parse it and transform it again
-	// Parse the CSR
-	block, _ := pem.Decode([]byte(csr))
-	if block == nil || block.Type != "CERTIFICATE REQUEST" {
-		return nil, errors.New("failed to decode PEM block containing CSR")
-	}
-	csrParsed, err := x509.ParseCertificateRequest(block.Bytes)
+	csrParsed, err := ParseCSR([]byte(csr))
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse CSR: %v", err)
-	}
-
-	if err := csrParsed.CheckSignature(); err != nil {
-		return nil, fmt.Errorf("CSR signature is invalid: %v", err)
+		return nil, err
 	}
-
 	// Write the CSR as a PEM encoded string again
 	csr = string(pem.EncodeToMemory(&pem.Block{
 		Type:  "CERTIFICATE REQUEST",

diff --git a/cmd/genCert.go b/cmd/genCert.go
@@ -101,6 +101,30 @@ var genCertCmd = &cobra.Command{
 			genCertConfig.Csr = string(x)
 		}
 
+		// Extract domains from CSR
+		if len(genCertConfig.Domains) == 0 {
+			slog.Info("--domains empty, reading from CSR")
+			csr, err := client.ParseCSR([]byte(genCertConfig.Csr))
+			if err != nil {
+				slog.Error("failed to parse CSR to extract domains", slog.Any("error", err))
+				os.Exit(1)
+			}
+			dnsnames := csr.DNSNames
+			if csr.Subject.CommonName != "" {
+				var found bool
+				for _, x := range dnsnames {
+					if x == csr.Subject.CommonName {
+						found = true
+						break
+					}
+				}
+				if !found {
+					dnsnames = append(dnsnames, csr.Subject.CommonName)
+				}
+			}
+			genCertConfig.Domains = dnsnames
+		}
+
 		requester, err := client.NewClient(genCertConfig.RequesterEmail, genCertConfig.RequesterPassword, genCertConfig.RequesterTOTPSeed, client.WithDebug(debug))
 		if err != nil {
 			slog.Error("failed to create requester client", slog.Any("error", err))
@@ -173,7 +197,7 @@ func init() {
 		}
 	}
 
-	for _, s := range []string{"domains", "requester-email", "requester-password", "validator-email", "validator-password", "validator-totp-seed"} {
+	for _, s := range []string{"requester-email", "requester-password", "validator-email", "validator-password", "validator-totp-seed"} {
 		err := genCertCmd.MarkFlagRequired(s)
 		if err != nil {
 			slog.Error("Failed to mark flag required", slog.Any("error", err))