Use subjectAltName X509v3 extension

author: Andrew Cady <d@jerkface.net> 2016-01-22 23:39:59 -0500
committer: Andrew Cady <d@jerkface.net> 2016-01-22 23:39:59 -0500
commit: 60cc8e93ae7a647c5f5da5ee8628c6aca5b58d02 (patch)
tree: ab8f040cd93e3089ecd0f56b943a720da0f93393
parent: 7c7a91bfb50528a199b0b29d7dbab6b78028889a (diff)
2 files changed, 22 insertions, 1 deletions
diff --git a/acme.hs b/acme.hs
index a7ccd3a..2731b15 100644
--- a/acme.hs
+++ b/acme.hs
@@ -117,8 +117,29 @@ genReq domainKeyFile domain = withOpenSSL $ do
  setSubjectName req [("CN", domain)]
  setVersion req 0
  setPublicKey req pub
+  when False $
+    -- This certificate seems well-formed ('openssl req' can parse it) but Let's Encrypt rejects it.
+    void $ addExtensions req
+             [ nidSubjectAltName %%% "DNS:" ++ domain
+             , nidKeyUsage %%% "critical,digitalSignature,keyEncipherment"
+             ]
+  -- This, on the other hand, is accepted:
+  void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain]
+  -- Trying to name other domains, though, results in this:
+  --
+  -- void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain ++ ", DNS:www." ++ domain]
+  --
+  -- urn:acme:error:unauthorized ---- Error creating new cert :: Authorizations
+  -- for these names not found or expired: www.fifty.childrenofmay.org
  signX509Req req priv (Just dig)
  writeX509ReqDER req
+  where
+    nidKeyUsage = 83
+    nidSubjectAltName = 85
+    (%%%) = (,)
+    infixr 0 %%%
 readKeyFile :: FilePath -> IO (Maybe Keys)
 readKeyFile = readFile >=> readKeys
diff --git a/stack.yaml b/stack.yaml
index a4a966d..df9bc13 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -8,7 +8,7 @@ packages:
 - '.'
 - location:
    git: git@github.com:afcady/HSOpenSSL.git
-    commit: d120a92678da80cf8a992cc2b80c147730a05f83
+    commit: 11f5c83fbe44d6c1c496be4cc3017fd925ba26e2
  extra-dep: true
 # Packages to be pulled from upstream that are not in the resolver (e.g., acme-missiles-0.3)
author	Andrew Cady <d@jerkface.net>	2016-01-22 23:39:59 -0500
committer	Andrew Cady <d@jerkface.net>	2016-01-22 23:39:59 -0500
commit	60cc8e93ae7a647c5f5da5ee8628c6aca5b58d02 (patch)
tree	ab8f040cd93e3089ecd0f56b943a720da0f93393
parent	7c7a91bfb50528a199b0b29d7dbab6b78028889a (diff)

diff --git a/acme.hs b/acme.hs index a7ccd3a..2731b15 100644 --- a/acme.hs +++ b/acme.hs
@@ -117,8 +117,29 @@ genReq domainKeyFile domain = withOpenSSL $ do
117	setSubjectName req [("CN", domain)]	117	setSubjectName req [("CN", domain)]
118	setVersion req 0	118	setVersion req 0
119	setPublicKey req pub	119	setPublicKey req pub
		120	when False $
		121	-- This certificate seems well-formed ('openssl req' can parse it) but Let's Encrypt rejects it.
		122	void $ addExtensions req
		123	[ nidSubjectAltName %%% "DNS:" ++ domain
		124	, nidKeyUsage %%% "critical,digitalSignature,keyEncipherment"
		125	]
		126
		127	-- This, on the other hand, is accepted:
		128	void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain]
		129
		130	-- Trying to name other domains, though, results in this:
		131	--
		132	-- void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain ++ ", DNS:www." ++ domain]
		133	--
		134	-- urn:acme:error:unauthorized ---- Error creating new cert :: Authorizations
		135	-- for these names not found or expired: www.fifty.childrenofmay.org
120	signX509Req req priv (Just dig)	136	signX509Req req priv (Just dig)
121	writeX509ReqDER req	137	writeX509ReqDER req
		138	where
		139	nidKeyUsage = 83
		140	nidSubjectAltName = 85
		141	(%%%) = (,)
		142	infixr 0 %%%
122		143
123	readKeyFile :: FilePath -> IO (Maybe Keys)	144	readKeyFile :: FilePath -> IO (Maybe Keys)
124	readKeyFile = readFile >=> readKeys	145	readKeyFile = readFile >=> readKeys


diff --git a/stack.yaml b/stack.yaml index a4a966d..df9bc13 100644 --- a/stack.yaml +++ b/stack.yaml
@@ -8,7 +8,7 @@ packages:
8	- '.'	8	- '.'
9	- location:	9	- location:
10	git: git@github.com:afcady/HSOpenSSL.git	10	git: git@github.com:afcady/HSOpenSSL.git
11	commit: d120a92678da80cf8a992cc2b80c147730a05f83	11	commit: 11f5c83fbe44d6c1c496be4cc3017fd925ba26e2
12	extra-dep: true	12	extra-dep: true
13		13
14	# Packages to be pulled from upstream that are not in the resolver (e.g., acme-missiles-0.3)	14	# Packages to be pulled from upstream that are not in the resolver (e.g., acme-missiles-0.3)