From bdad2ffa0c28b8e9c696ddf56af4ec7e02ce4e97 Mon Sep 17 00:00:00 2001
From: Mark van Holsteijn
Date: Tue, 28 Dec 2021 18:05:50 +0100
Subject: [PATCH] fix: use all hosts in array as cache key
---
 signer.go | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/signer.go b/signer.go
index 7b862f44..7b6240d6 100644
--- a/signer.go
+++ b/signer.go
@@ -14,8 +14,9 @@ import (
 "net"
 "runtime"
 "sort"
- "time"
+ "strings"
 "sync"
+ "time"
 )
 func hashSorted(lst []string) []byte {
@@ -41,12 +42,8 @@ var hostMap sync.Map //map[string]*tls.Certificate
 func signHost(ca tls.Certificate, hosts []string) (cert *tls.Certificate, err error) {
 var x509ca *x509.Certificate
- // FIXME: There is a bug here. If hosts[] is ever more than one element long, there will be potential for host mismatches.
- if len(hosts) == 0 {
- return
- }
-
- cachedCert, ok := hostMap.Load(hosts[0])
+ cacheKey := strings.Join(hosts, ":")
+ cachedCert, ok := hostMap.Load(cacheKey)
 if ok {
 cert = cachedCert.(*tls.Certificate)
@@ -117,9 +114,7 @@ func signHost(ca tls.Certificate, hosts []string) (cert *tls.Certificate, err er
 }
 // Cache the certificate for later.
- for _, h := range hosts {
- hostMap.Store(h, tlsCert)
- }
+ hostMap.Store(cacheKey, tlsCert)
 return tlsCert, nil
 }
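Review bot: `strings.Join(hosts, ":")` in the second hunk is not a canonical key for the host set: the same hosts in a different order miss the cache, and if an entry can itself contain `:` (an IPv6 literal, or a host that still carries its port) two different lists can join to the same string and be handed each other's certificate, which is the host mismatch the removed FIXME described. Sorting a copy and joining on a byte that cannot occur in a name or address closes both, e.g. `k := append([]string(nil), hosts...); sort.Strings(k); cacheKey := strings.Join(k, "\x00")`; the `hostMap.Store(cacheKey, tlsCert)` in the last hunk uses the same key. The commit also drops the `len(hosts) == 0` early return, so an empty list now falls through to signing and is cached under the empty key; keeping `if len(hosts) == 0 { return }` ahead of the lookup would preserve the earlier behaviour. signHost's body continues outside this hunk, so how the certificate's names are derived from `hosts` is not visible here.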