fix: verify custom display_name extension is present

beltram 1 year ago committed by Herman Slatman
parent ab9e1ddb28
commit 1b32957ff6

@ -322,14 +322,22 @@ func (o *Order) subject(csr *x509.CertificateRequest) (subject x509util.Subject,
// TODO: temporarily using a custom OIDC for carrying the display name without having it listed as a DNS SAN.
// reusing LDAP's OID for diplay name see http://oid-info.com/get/2.16.840.1.113730.3.1.241
displayNameOid := asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
var foundDisplayName = false
for _, entry := range csr.Subject.Names {
if entry.Type.Equal(displayNameOid) {
foundDisplayName = true
displayName := entry.Value.(string)
if displayName != wireID.Name {
return subject, NewErrorISE("expected displayName %v, found %v", wireID.Name, displayName)
}
}
}
if !foundDisplayName {
return subject, NewErrorISE("CSR must contain the display name in 2.16.840.1.113730.3.1.241 OID")
}
/*if csr.Subject.CommonName != wireID.Name {
return subject, NewErrorISE("expected CN %v, found %v", wireID.Name, csr.Subject.CommonName)
}*/
if len(csr.Subject.Organization) == 0 || !strings.EqualFold(csr.Subject.Organization[0], wireID.Domain) {
return subject, NewErrorISE("expected Organization [%s], found %v", wireID.Domain, csr.Subject.Organization)
