certutil: only add non-empty DNSNames to certificates (#361)

Author: AndersonQ

testing/certutil/certutil.go

@@ -186,7 +186,10 @@ func GenerateGenericChildCert(
 		cn = fmt.Sprintf("[%s] %s", cfg.cnPrefix, cn)
 	}
 
-	dnsNames := append(cfg.dnsNames, name)
+	var dnsNames []string
+	if name != "" {
+		dnsNames = append(cfg.dnsNames, name)
+	}
 	notBefore, notAfter := makeNotBeforeAndAfter()
 	certTemplate := &x509.Certificate{
 		DNSNames:     dnsNames,

testing/certutil/certutil_test.go

@@ -18,8 +18,12 @@
 package certutil
 
 import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
 	"crypto/x509"
 	"encoding/pem"
+	"net"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -84,3 +88,24 @@ func TestCertificates(t *testing.T) {
 		})
 	}
 }
+
+func TestGenerateGenericChildCert_dns_cannot_be_empty(t *testing.T) {
+	rootKey, rootCACert, _, err := NewRootCA()
+	require.NoError(t, err, "could not create root CA certificate")
+
+	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	require.NoError(t, err, "failed to generate EC key")
+
+	tlsCert, _, err := GenerateGenericChildCert(
+		"",
+		[]net.IP{net.ParseIP("127.0.0.1")},
+		priv,
+		&priv.PublicKey,
+		rootKey,
+		rootCACert)
+	require.NoError(t, err, "failed to generate child certificate")
+
+	for _, dns := range tlsCert.Leaf.DNSNames {
+		assert.NotEmpty(t, dns, "DNSNames contains an empty name")
+	}
+}

testing/proxytest/proxytest_test.go

@@ -51,7 +51,7 @@ func TestProxy(t *testing.T) {
 
 	type setup struct {
 		fakeBackendServer      *httptest.Server
-		generateTestHttpClient func(t *testing.T, proxy *Proxy) *http.Client
+		generateTestHTTPClient func(t *testing.T, proxy *Proxy) *http.Client
 	}
 	type testRequest struct {
 		method string
@@ -73,7 +73,7 @@ func TestProxy(t *testing.T) {
 			name: "Basic scenario, no TLS",
 			setup: setup{
 				fakeBackendServer:      createFakeBackendServer(),
-				generateTestHttpClient: nil,
+				generateTestHTTPClient: nil,
 			},
 			proxyOptions:  nil,
 			proxyStartTLS: false,
@@ -94,7 +94,7 @@ func TestProxy(t *testing.T) {
 			name: "TLS scenario, server cert validation",
 			setup: setup{
 				fakeBackendServer: createFakeBackendServer(),
-				generateTestHttpClient: func(t *testing.T, proxy *Proxy) *http.Client {
+				generateTestHTTPClient: func(t *testing.T, proxy *Proxy) *http.Client {
 					proxyURL, err := url.Parse(proxy.URL)
 					require.NoErrorf(t, err, "failed to parse proxy URL %q", proxy.URL)
 
@@ -135,7 +135,7 @@ func TestProxy(t *testing.T) {
 			name: "mTLS scenario, client and server cert validation",
 			setup: setup{
 				fakeBackendServer: createFakeBackendServer(),
-				generateTestHttpClient: func(t *testing.T, proxy *Proxy) *http.Client {
+				generateTestHTTPClient: func(t *testing.T, proxy *Proxy) *http.Client {
 					proxyURL, err := url.Parse(proxy.URL)
 					require.NoErrorf(t, err, "failed to parse proxy URL %q", proxy.URL)
 
@@ -224,8 +224,8 @@ func TestProxy(t *testing.T) {
 			require.NoError(t, err, "error creating request")
 
 			var client *http.Client
-			if tt.setup.generateTestHttpClient != nil {
-				client = tt.setup.generateTestHttpClient(t, proxy)
+			if tt.setup.generateTestHTTPClient != nil {
+				client = tt.setup.generateTestHTTPClient(t, proxy)
 			} else {
 				// basic HTTP client using the proxy
 				client = &http.Client{Transport: &http.Transport{Proxy: http.ProxyURL(proxyURL)}}
@@ -244,7 +244,7 @@ func TestProxy(t *testing.T) {
 }
 
 func TestHTTPSProxy(t *testing.T) {
-	targetHost := "not-a-server.co"
+	targetHost := "not-a-server.example"
 	proxy, client, target := prepareMTLSProxyAndTargetServer(t, targetHost)
 	t.Cleanup(func() {
 		proxy.Close()
@@ -276,7 +276,7 @@ func TestHTTPSProxy(t *testing.T) {
 		},
 		{
 			name:   "request_failure",
-			target: "https://any.not.target.will.do",
+			target: "https://any.not.target.will.do.example",
 			assertFn: func(t *testing.T, got *http.Response, err error) {
 				assert.NoError(t, err, "request to an invalid host should not fail, but succeed with a HTTP error")
 				assert.Equal(t, http.StatusBadGateway, got.StatusCode)