From 4b79405dace6bf5e527fda034e2c5ac8e7fd4a82 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Wed, 21 Sep 2022 15:54:28 -0700
Subject: [PATCH] Check constraints and policy for leaf certificates too

---
 authority/tls.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/authority/tls.go b/authority/tls.go
index f9ab705b..5f0bdd26 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -630,6 +630,18 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 	certTpl.NotBefore = now.Add(-1 * time.Minute)
 	certTpl.NotAfter = now.Add(24 * time.Hour)
 
+	// Policy and constraints require this fields to be set. At this moment they
+	// are only present in the extra extension.
+	certTpl.DNSNames = cr.DNSNames
+	certTpl.IPAddresses = cr.IPAddresses
+	certTpl.EmailAddresses = cr.EmailAddresses
+	certTpl.URIs = cr.URIs
+
+	// Fail if name constraints or policy does not allow the server names.
+	if err := a.isAllowedToSignX509Certificate(certTpl); err != nil {
+		return fatal(err)
+	}
+
 	resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{
 		Template: certTpl,
 		CSR:      cr,
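Review bot: The policy and name-constraint check only sees the four typed SAN fields copied from `cr` just above it, so if the CSR's raw SAN extension (which the new comment says is where these names currently live) is also carried into `certTpl` as an extra extension, any name type other than DNS/IP/email/URI would reach `CreateCertificate` without passing through `isAllowedToSignX509Certificate`; whether that extension is copied raw is decided outside this hunk, so it is worth confirming. If it is, either drop the SAN entry from `certTpl.ExtraExtensions` once the typed fields are populated, or reject a CSR whose SAN extension carries name types the check cannot see. The comment also has a grammar slip; `// Policy and constraints require these fields to be set. At this moment they` reads better. GetTLSCertificate begins and ends outside the hunk.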