From bc0875bd7bf908078f91ad67e97d9fa20c93ae54 Mon Sep 17 00:00:00 2001
From: Herman Slatman <hermanslatman@hotmail.com>
Date: Mon, 13 Dec 2021 16:14:39 +0100
Subject: [PATCH] Disallow email address and URLs in the CSR

Before this commit `step` would allow email addresses and URLs
in the CSR. This doesn't fit nicely with the rest of ACME, in which
identifiers need to be authorized before a certificate is issued.
---
 acme/order.go      |  4 ++++
 acme/order_test.go | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/acme/order.go b/acme/order.go
index 366d1a5e..1ef0409c 100644
--- a/acme/order.go
+++ b/acme/order.go
@@ -200,6 +200,10 @@ func (o *Order) sans(csr *x509.CertificateRequest) ([]x509util.SubjectAlternativ
 
 	var sans []x509util.SubjectAlternativeName
 
+	if len(csr.EmailAddresses) > 0 || len(csr.URIs) > 0 {
+		return sans, NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed")
+	}
+
 	// order the DNS names and IP addresses, so that they can be compared against the canonicalized CSR
 	orderNames := make([]string, numberOfIdentifierType(DNS, o.Identifiers))
 	orderIPs := make([]net.IP, numberOfIdentifierType(IP, o.Identifiers))
diff --git a/acme/order_test.go b/acme/order_test.go
index 73f72065..cb57fff9 100644
--- a/acme/order_test.go
+++ b/acme/order_test.go
@@ -6,6 +6,7 @@ import (
 	"crypto/x509/pkix"
 	"encoding/json"
 	"net"
+	"net/url"
 	"reflect"
 	"testing"
 	"time"
@@ -1280,6 +1281,39 @@ func TestOrder_sans(t *testing.T) {
 			},
 			err: nil,
 		},
+		{
+			name: "fail/invalid-alternative-name-email",
+			fields: fields{
+				Identifiers: []Identifier{},
+			},
+			csr: &x509.CertificateRequest{
+				Subject: pkix.Name{
+					CommonName: "foo.internal",
+				},
+				EmailAddresses: []string{"test@example.com"},
+			},
+			want: []x509util.SubjectAlternativeName{},
+			err:  NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed"),
+		},
+		{
+			name: "fail/invalid-alternative-name-uri",
+			fields: fields{
+				Identifiers: []Identifier{},
+			},
+			csr: &x509.CertificateRequest{
+				Subject: pkix.Name{
+					CommonName: "foo.internal",
+				},
+				URIs: []*url.URL{
+					{
+						Scheme: "https://",
+						Host:   "smallstep.com",
+					},
+				},
+			},
+			want: []x509util.SubjectAlternativeName{},
+			err:  NewError(ErrorBadCSRType, "Only DNS names and IP addresses are allowed"),
+		},
 		{
 			name: "fail/error-names-length-mismatch",
 			fields: fields{