From e0223ea4f319232a2bb8ae412a94ee5ad1bd7d5b Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Mon, 11 Apr 2016 03:31:54 -0400
Subject: Properly check for added subdomains

Regardless of whether the certificate isn't near expiration, if any name in the configuration file isn't in the certificate, a new certificate will be generated.
---
 acme-certify.hs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/acme-certify.hs b/acme-certify.hs
index af11042..94891d0 100644
--- a/acme-certify.hs
+++ b/acme-certify.hs
@@ -206,14 +206,16 @@ needToFetch cs@CertSpec{..} = runExceptT $ do
   exists <- liftIO $ doesFileExist certFile
   unless exists $ throwError NoExistingCert
+  -- TODO: parse with cryptonite
   cert <- liftIO $ readFile certFile >>= readX509
   expiration <- liftIO $ getNotAfter cert
   now <- liftIO getCurrentTime
-  -- TODO: check X509v3 subjectAltName list within certificate
-  objList <- liftIO $ readSignedObject certFile
-  sc <- maybe (throwError InvalidExistingCert) return $ preview (folded . _Right) objList
-  liftIO $ print $ certAltNames sc
+  signedCert <- (liftIO (readSignedObject certFile) >>=) $
+    maybe (throwError InvalidExistingCert) return . preview (folded . _Right)
+  let wantedDomains = domainToString . fst <$> csDomains
+      haveDomains = certAltNames signedCert
+  unless (null $ wantedDomains \\ haveDomains) $ throwError SubDomainsAdded
   if | expiration < now -> throwError Expired
      | expiration < addUTCTime graceTime now -> throwError NearExpiration
-- 
cgit v1.2.3
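Review bot: The new membership test `wantedDomains \\ haveDomains` is an exact, case-sensitive string comparison, so a configured name that differs from the certificate's SAN entry only in letter case (DNS names are case-insensitive) would be reported as `SubDomainsAdded` and force a fresh issuance, which matters when an ACME CA rate-limits duplicate certificates; unless `domainToString` and `certAltNames` already normalize case, lower-case both sides, e.g. `let wantedDomains = map toLower . domainToString . fst <$> csDomains` and `haveDomains = map toLower <$> certAltNames signedCert` (needs `toLower` from Data.Char if not already imported). A wildcard SAN such as `*.example.com` will likewise never match a concrete configured host and triggers re-issuance; that is the conservative outcome, but a comment stating that wildcards are intentionally not matched would save the next reader a detour, e.g. `-- exact-name match only: wildcard SANs are deliberately not expanded`. As a point of style, the operator section in `signedCert <- (liftIO (readSignedObject certFile) >>=) $ maybe ... . preview (folded . _Right)` reads backwards; `signedCert <- maybe (throwError InvalidExistingCert) return . preview (folded . _Right) =<< liftIO (readSignedObject certFile)` expresses the same pipeline left to right. The body of `needToFetch` begins at the hunk header and continues past the last line shown.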