Verify that a CSR specifies IP SANs before checking whether it's allowed

builtin/logical/pki/backend_test.go

@@ -225,7 +225,7 @@ func TestBackend_RSARoles_CSR(t *testing.T) {
 
 	stepCount = len(testCase.Steps)
 
-	testCase.Steps = append(testCase.Steps, generateRoleSteps(t, false)...)
+	testCase.Steps = append(testCase.Steps, generateRoleSteps(t, true)...)
 	if len(os.Getenv("VAULT_VERBOSE_PKITESTS")) > 0 {
 		for i, v := range testCase.Steps {
 			fmt.Printf("Step %d:\n%+v\n\n", i+stepCount, v)
@@ -1787,6 +1787,12 @@ func generateRoleSteps(t *testing.T, useCSRs bool) []logicaltest.TestStep {
 	}
 	// IP SAN tests
 	{
+		roleVals.UseCSRSANs = true
+		roleVals.AllowIPSANs = false
+		issueTestStep.ErrorOk = false
+		addTests(nil)
+
+		roleVals.UseCSRSANs = false
 		issueVals.IPSANs = "127.0.0.1,::1"
 		issueTestStep.ErrorOk = true
 		addTests(nil)

builtin/logical/pki/cert_util.go

@@ -634,11 +634,13 @@ func generateCreationBundle(b *backend,
 	var ipAltInt interface{}
 	{
 		if csr != nil && role.UseCSRSANs {
-			if !role.AllowIPSANs {
-				return nil, errutil.UserError{Err: fmt.Sprintf(
-					"IP Subject Alternative Names are not allowed in this role, but was provided some via CSR")}
+			if len(csr.IPAddresses) > 0 {
+				if !role.AllowIPSANs {
+					return nil, errutil.UserError{Err: fmt.Sprintf(
+						"IP Subject Alternative Names are not allowed in this role, but was provided some via CSR")}
+				}
+				ipAddresses = csr.IPAddresses
 			}
-			ipAddresses = csr.IPAddresses
 		} else {
 			ipAltInt, ok = data.GetOk("ip_sans")
 			if ok {