From 276978ac4a0861dd85eb57809f56b222dc1037de Mon Sep 17 00:00:00 2001
From: Aaron Gable <aaron@letsencrypt.org>
Date: Mon, 17 Apr 2023 11:56:33 -0700
Subject: [PATCH] Lowercase CN in all code paths (#6824)

When returning a CN from csr.NamesFromCSR, ensure that we call
strings.ToLower on that name in all return paths. This prevents us from
running into lint failures (and therefore refusing to issue) when an
applicant submits a CSR containing uppercase SANs and no explicit CN.
---
 csr/csr.go      | 2 +-
 csr/csr_test.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/csr/csr.go b/csr/csr.go
index 6e5dd248195..e429fee1cec 100644
--- a/csr/csr.go
+++ b/csr/csr.go
@@ -123,7 +123,7 @@ func NamesFromCSR(csr *x509.CertificateRequest) names {
 	// which is shorter than the the maximum acceptable CN length (if any).
 	for _, name := range sans {
 		if len(name) <= maxCNLength {
-			return names{SANs: core.UniqueLowerNames(sans), CN: name}
+			return names{SANs: core.UniqueLowerNames(sans), CN: strings.ToLower(name)}
 		}
 	}
 
diff --git a/csr/csr_test.go b/csr/csr_test.go
index 377a49e991a..286d19f8dc1 100644
--- a/csr/csr_test.go
+++ b/csr/csr_test.go
@@ -184,6 +184,14 @@ func TestNamesFromCSR(t *testing.T) {
 			"a.com",
 			[]string{"a.com"},
 		},
+		{
+			"no explicit CN, uppercase SAN",
+			&x509.CertificateRequest{DNSNames: []string{
+				"A.com",
+			}},
+			"a.com",
+			[]string{"a.com"},
+		},
 		{
 			"no explicit CN, too long leading SANs",
 			&x509.CertificateRequest{DNSNames: []string{