From f54344c044c60d6510efaee3fa1fd3e7e2bed825 Mon Sep 17 00:00:00 2001
From: Erich Eckner
Date: Thu, 12 Mar 2020 11:35:55 +0100
Subject: sign-request: check *all* addresses of a given san - one working address is sufficient

---
 sign-request.in | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/sign-request.in b/sign-request.in
index 331815f..191bbea 100755
--- a/sign-request.in
+++ b/sign-request.in
@@ -87,13 +87,31 @@ while read -r csr; do
 ok_sans=$(
 printf '%s\n' "${cn}" "${sans}" \
 | while read -r san; do
- if ! curl --connect-timeout 10 -Ss --insecure "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
- | diff -q - "${csr_local}"; then
+ resolved=false
+ for address in $(
+ dig +short "${san}" A \
+ | grep -x '\([0-9]\+\.\)\{3\}[0-9]\+'
+ dig +short "${san}" AAAA \
+ | grep -x '[0-9a-f:]\+' \
+ | sed 's/^.*$/[\0]/'
+ ); do
+ if curl -Ss \
+ --resolve "${san}:80:${address}" \
+ --resolve "${san}:443:${address}" \
+ --connect-timeout 10 \
+ --insecure \
+ "${csr%%://*}"'://'"${san}/${csr#*//*/}" \
+ | diff -q - "${csr_local}"; then
+ resolved=true
+ break
+ fi
+ done
+ if ${resolved}; then
+ printf '%s\n' "${san}"
+ else
 >&2 printf 'invalid san "%s" - skipping\n' "${san}"
 rm "${csr_local}"
- break
 fi
- printf '%s\n' "${san}"
 done
 )
 if [ ! -f "${csr_local}" ]; then
-- 
cgit v1.2.3-54-g00ecf
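Review bot: The failure branch lost its `break`, so after `rm "${csr_local}"` the `while read -r san` loop keeps iterating; every remaining san still runs the dig and curl probes, `diff -q - "${csr_local}"` now compares against a file that no longer exists, and a second `rm` on the missing file fails, which would abort the subshell if the script runs with `set -e` (not visible in the hunk). Unless continuing past the first invalid san is intended, keep the old `break` right after `rm "${csr_local}"`, or guard it with `[ -f "${csr_local}" ] && rm "${csr_local}"`. Separately, `--resolve` pins only ports 80 and 443, so if `${csr}` carries an explicit port the probe silently falls back to ordinary resolution; a comment such as `# only :80/:443 are pinned to the dig result; other ports resolve normally` would make that limitation explicit. The enclosing `while read -r csr` loop starts and ends outside the hunk.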