From bcb451c9757b7c4a419c3afadf3d72a8db35b229 Mon Sep 17 00:00:00 2001 From: Aaron Gable Date: Mon, 6 Nov 2023 10:33:57 -0800 Subject: [PATCH] Invert RequireCommonName into AllowNoCommonName --- csr/csr.go | 2 +- features/featureflag_string.go | 4 ++-- features/features.go | 11 ++++++----- test/config-next/ca-a.json | 2 +- test/config-next/ca-b.json | 2 +- test/config-next/ra.json | 2 +- test/config-next/wfe2.json | 2 +- test/integration/issuance_test.go | 6 +++--- wfe2/wfe.go | 2 +- 9 files changed, 17 insertions(+), 16 deletions(-) diff --git a/csr/csr.go b/csr/csr.go index e429fee1cec..96b71bd22f5 100644 --- a/csr/csr.go +++ b/csr/csr.go @@ -75,7 +75,7 @@ func VerifyCSR(ctx context.Context, csr *x509.CertificateRequest, maxNames int, if len(names.SANs) == 0 && names.CN == "" { return invalidNoDNS } - if names.CN == "" && features.Enabled(features.RequireCommonName) { + if names.CN == "" && !features.Enabled(features.AllowNoCommonName) { return invalidAllSANTooLong } if len(names.CN) > maxCNLength { diff --git a/features/featureflag_string.go b/features/featureflag_string.go index 277223c41ce..bf947cfc442 100644 --- a/features/featureflag_string.go +++ b/features/featureflag_string.go @@ -26,11 +26,11 @@ func _() { _ = x[CertCheckerRequiresValidations-15] _ = x[CertCheckerRequiresCorrespondence-16] _ = x[AsyncFinalize-17] - _ = x[RequireCommonName-18] + _ = x[AllowNoCommonName-18] _ = x[CAAAfterValidation-19] } -const _FeatureFlag_name = "unusedStoreRevokerInfoROCSPStage6ROCSPStage7StoreLintingCertificateInsteadOfPrecertificateCAAValidationMethodsCAAAccountURILeaseCRLShardsEnforceMultiVAMultiVAFullResultsECDSAForAllServeRenewalInfoAllowUnrecognizedFeaturesExpirationMailerUsesJoinCertCheckerChecksValidationsCertCheckerRequiresValidationsCertCheckerRequiresCorrespondenceAsyncFinalizeRequireCommonNameCAAAfterValidation" +const _FeatureFlag_name = "unusedStoreRevokerInfoROCSPStage6ROCSPStage7StoreLintingCertificateInsteadOfPrecertificateCAAValidationMethodsCAAAccountURILeaseCRLShardsEnforceMultiVAMultiVAFullResultsECDSAForAllServeRenewalInfoAllowUnrecognizedFeaturesExpirationMailerUsesJoinCertCheckerChecksValidationsCertCheckerRequiresValidationsCertCheckerRequiresCorrespondenceAsyncFinalizeAllowNoCommonNameCAAAfterValidation" var _FeatureFlag_index = [...]uint16{0, 6, 22, 33, 44, 90, 110, 123, 137, 151, 169, 180, 196, 221, 245, 273, 303, 336, 349, 366, 384} diff --git a/features/features.go b/features/features.go index c95889b2463..ff65253f26f 100644 --- a/features/features.go +++ b/features/features.go @@ -67,13 +67,14 @@ const ( // for the cert URL to appear. AsyncFinalize - // RequireCommonName defaults to true, and causes the CA to fail to issue a - // certificate if there is no CommonName in the certificate. When false, the - // CA will be willing to issue certificates with no CN. + // AllowNoCommonName defaults to false, and causes the CA to fail to issue a + // certificate if we can't put a CommonName in it. When true, the + // CA will be willing to issue certificates with no CN if and only if there + // is no SAN short enough to be hoisted into the CN. // // According to the BRs Section 7.1.4.2.2(a), the commonName field is // Deprecated, and its inclusion is discouraged but not (yet) prohibited. - RequireCommonName + AllowNoCommonName // CAAAfterValidation causes the VA to only kick off CAA checks after the base // domain control validation has completed and succeeded. This makes @@ -100,7 +101,7 @@ var features = map[FeatureFlag]bool{ CertCheckerRequiresValidations: false, CertCheckerRequiresCorrespondence: false, AsyncFinalize: false, - RequireCommonName: true, + AllowNoCommonName: false, LeaseCRLShards: false, CAAAfterValidation: false, diff --git a/test/config-next/ca-a.json b/test/config-next/ca-a.json index 80825038038..2feac67ed1f 100644 --- a/test/config-next/ca-a.json +++ b/test/config-next/ca-a.json @@ -113,7 +113,7 @@ "ctLogListFile": "test/ct-test-srv/log_list.json", "features": { "ECDSAForAll": true, - "RequireCommonName": false + "AllowNoCommonName": true } }, "pa": { diff --git a/test/config-next/ca-b.json b/test/config-next/ca-b.json index 80825038038..2feac67ed1f 100644 --- a/test/config-next/ca-b.json +++ b/test/config-next/ca-b.json @@ -113,7 +113,7 @@ "ctLogListFile": "test/ct-test-srv/log_list.json", "features": { "ECDSAForAll": true, - "RequireCommonName": false + "AllowNoCommonName": true } }, "pa": { diff --git a/test/config-next/ra.json b/test/config-next/ra.json index 99c9aad2594..0f4e2d9d562 100644 --- a/test/config-next/ra.json +++ b/test/config-next/ra.json @@ -106,7 +106,7 @@ "features": { "StoreRevokerInfo": true, "AsyncFinalize": true, - "RequireCommonName": false + "AllowNoCommonName": true }, "ctLogs": { "stagger": "500ms", diff --git a/test/config-next/wfe2.json b/test/config-next/wfe2.json index 6c3d972f85d..c69e8294c06 100644 --- a/test/config-next/wfe2.json +++ b/test/config-next/wfe2.json @@ -131,7 +131,7 @@ }, "features": { "ServeRenewalInfo": true, - "RequireCommonName": false + "AllowNoCommonName": true } }, "syslog": { diff --git a/test/integration/issuance_test.go b/test/integration/issuance_test.go index 4fc72ab8036..8c21e52c5fb 100644 --- a/test/integration/issuance_test.go +++ b/test/integration/issuance_test.go @@ -78,7 +78,7 @@ func TestFirstCSRSANHoistedToCN(t *testing.T) { // TestCommonNameSANsTooLong tests that, when the names in an order and CSR are // too long to be hoisted into the CN, the correct behavior results (depending -// on the state of the RequireCommonName feature flag). +// on the state of the AllowNoCommonName feature flag). func TestCommonNameSANsTooLong(t *testing.T) { t.Parallel() @@ -97,13 +97,13 @@ func TestCommonNameSANsTooLong(t *testing.T) { // Issue a cert using a CSR with no CN set. ir, err := authAndIssue(client, key, []string{san1, san2}, false) - // By default, the RequireCommonName flag is true, so issuance should have failed. + // By default, the AllowNoCommonName flag is false, so issuance should have failed. if !strings.Contains(os.Getenv("BOULDER_CONFIG_DIR"), "test/config-next") { test.AssertError(t, err, "issuing cert with no CN") return } - // But in config-next, the RequireCommonName flag is false, so issuance should + // But in config-next, the AllowNoCommonName flag is true, so issuance should // have succeeded. test.AssertNotError(t, err, "failed to issue test cert") cert := ir.certs[0] diff --git a/wfe2/wfe.go b/wfe2/wfe.go index f47b2f27d1b..55241641d4f 100644 --- a/wfe2/wfe.go +++ b/wfe2/wfe.go @@ -2098,7 +2098,7 @@ func (wfe *WebFrontEndImpl) NewOrder( hasValidCNLen = true } } - if !hasValidCNLen && features.Enabled(features.RequireCommonName) { + if !hasValidCNLen && !features.Enabled(features.AllowNoCommonName) { wfe.sendError(response, logEvent, probs.RejectedIdentifier("NewOrder request did not include a SAN short enough to fit in CN"), nil)