From e887ccaa0797fb3a29e4f1348a39da9f2e0358be Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Thu, 3 Feb 2022 14:21:23 +0100
Subject: [PATCH] Ensure the CA TLS certificate represents IPv6 DNS names as IP in cert

If an IPv6 domain name (i.e. [::1]) is provided manually in the `ca.json`, this commit will ensure that it's represented as an IP SAN in the TLS certificate. Before this change, the IPv6 would become a DNS SAN.
---
 authority/tls.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/authority/tls.go b/authority/tls.go
index cc049655..18d4657c 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
+	"net"
 	"net/http"
 	"strings"
 	"time"
@@ -508,8 +509,19 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 		return fatal(errors.New("private key is not a crypto.Signer"))
 	}
 
+	// prepare the sans: IPv6 DNS hostname representations are converted to their IP representation
+	sans := make([]string, len(a.config.DNSNames))
+	for i, san := range a.config.DNSNames {
+		if strings.HasPrefix(san, "[") && strings.HasSuffix(san, "]") {
+			if ip := net.ParseIP(san[1 : len(san)-1]); ip != nil {
+				san = ip.String()
+			}
+		}
+		sans[i] = san
+	}
+
 	// Create initial certificate request.
-	cr, err := x509util.CreateCertificateRequest("Step Online CA", a.config.DNSNames, signer)
+	cr, err := x509util.CreateCertificateRequest("Step Online CA", sans, signer)
 	if err != nil {
 		return fatal(err)
 	}
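Review bot: A bracketed entry whose inner text does not parse as an address (constructed examples: `[fe80::1%eth0]`, `[example]`) silently falls through the `ip != nil` check and is still handed to CreateCertificateRequest with the brackets intact, so the CA's own TLS certificate ends up carrying a malformed dNSName instead of the operator seeing an error at startup. The enclosing function already routes failures through `fatal`, so the nil case could be rejected rather than ignored: `if ip == nil { return fatal(fmt.Errorf("invalid IPv6 literal %q in DNSNames", san)) }` — or at least logged, if lenient handling of `ca.json` is intended here. The new loop comment would also be more useful if it stated the why, e.g. `// DNSNames may contain URL-style IPv6 literals ("[::1]"); strip the brackets and pass the canonical IP so it becomes an IP SAN instead of a DNS SAN.` GetTLSCertificate starts before and continues past this hunk.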