Implement Case-insensitive SNI matching

2018-11-26 03:38:03 -06:00 · 2018-11-26 03:38:03 -06:00 · 5b3762be08
commit 5b3762be08
parent 3b01488c8d
6 changed files with 139 additions and 9 deletions
--- a/tls/certificate.go
+++ b/tls/certificate.go
@ -154,13 +154,13 @@ func (c *Certificate) AppendCertificates(certs map[string]map[string]*tls.Certif

 	var SANs []string
 	if parsedCert.Subject.CommonName != "" {
-		SANs = append(SANs, parsedCert.Subject.CommonName)
+		SANs = append(SANs, strings.ToLower(parsedCert.Subject.CommonName))
 	}
 	if parsedCert.DNSNames != nil {
 		sort.Strings(parsedCert.DNSNames)
 		for _, dnsName := range parsedCert.DNSNames {
 			if dnsName != parsedCert.Subject.CommonName {
-				SANs = append(SANs, dnsName)
+				SANs = append(SANs, strings.ToLower(dnsName))
 			}
 		}

@ -168,7 +168,7 @@ func (c *Certificate) AppendCertificates(certs map[string]map[string]*tls.Certif
 	if parsedCert.IPAddresses != nil {
 		for _, ip := range parsedCert.IPAddresses {
 			if ip.String() != parsedCert.Subject.CommonName {
-				SANs = append(SANs, ip.String())
+				SANs = append(SANs, strings.ToLower(ip.String()))
 			}
 		}

--- a/tls/certificate_store_test.go
+++ b/tls/certificate_store_test.go
@ -20,6 +20,7 @@ func TestGetBestCertificate(t *testing.T) {
 		domainToCheck string
 		dynamicCert   string
 		expectedCert  string
+		uppercase     bool
 	}{
 		{
 			desc:          "Empty Store, returns no certs",
@ -45,6 +46,13 @@ func TestGetBestCertificate(t *testing.T) {
 			dynamicCert:   "*.snitest.com",
 			expectedCert:  "*.snitest.com",
 		},
+		{
+			desc:          "Best Match with dynamic wildcard only, case insensitive",
+			domainToCheck: "bar.www.snitest.com",
+			dynamicCert:   "*.www.snitest.com",
+			expectedCert:  "*.www.snitest.com",
+			uppercase:     true,
+		},
 	}

 	for _, test := range testCases {
@ -54,9 +62,9 @@ func TestGetBestCertificate(t *testing.T) {
 			dynamicMap := map[string]*tls.Certificate{}

 			if test.dynamicCert != "" {
-				cert, err := loadTestCert(test.dynamicCert)
+				cert, err := loadTestCert(test.dynamicCert, test.uppercase)
 				require.NoError(t, err)
-				dynamicMap[test.dynamicCert] = cert
+				dynamicMap[strings.ToLower(test.dynamicCert)] = cert
 			}

 			store := &CertificateStore{
@ -66,7 +74,7 @@ func TestGetBestCertificate(t *testing.T) {

 			var expected *tls.Certificate
 			if test.expectedCert != "" {
-				cert, err := loadTestCert(test.expectedCert)
+				cert, err := loadTestCert(test.expectedCert, test.uppercase)
 				require.NoError(t, err)
 				expected = cert
 			}
@ -81,10 +89,15 @@ func TestGetBestCertificate(t *testing.T) {
 	}
 }

-func loadTestCert(certName string) (*tls.Certificate, error) {
+func loadTestCert(certName string, uppercase bool) (*tls.Certificate, error) {
+	replacement := "wildcard"
+	if uppercase {
+		replacement = "uppercase_wildcard"
+	}
+
 	staticCert, err := tls.LoadX509KeyPair(
-		fmt.Sprintf("../integration/fixtures/https/%s.cert", strings.Replace(certName, "*", "wildcard", -1)),
-		fmt.Sprintf("../integration/fixtures/https/%s.key", strings.Replace(certName, "*", "wildcard", -1)),
+		fmt.Sprintf("../integration/fixtures/https/%s.cert", strings.Replace(certName, "*", replacement, -1)),
+		fmt.Sprintf("../integration/fixtures/https/%s.key", strings.Replace(certName, "*", replacement, -1)),
 	)
 	if err != nil {
 		return nil, err