From fe3061c8bb246c3a73ff370866abecd36f9085f4 Mon Sep 17 00:00:00 2001
From: Adam Chalkley <atc0005@users.noreply.github.com>
Date: Fri, 13 Dec 2024 06:17:51 -0600
Subject: [PATCH] SANs List validation early exit when list is empty

Exit early if no list provided and the option to ignore this
validation check (default setting) is specified.
---
 internal/certs/validation-sans.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/internal/certs/validation-sans.go b/internal/certs/validation-sans.go
index 4fa02b5..5430cb1 100644
--- a/internal/certs/validation-sans.go
+++ b/internal/certs/validation-sans.go
@@ -106,7 +106,7 @@ func ValidateSANsList(
 	//
 	// NOTE: While configuration validation is expected to prevent this
 	// scenario we explicitly guard against it.
-	case len(requiredEntries) == 0:
+	case len(requiredEntries) == 0 && !validationOptions.IgnoreValidationResultSANs:
 		return SANsListValidationResult{
 			certChain:         certChain,
 			leafCert:          leafCert,
@@ -119,6 +119,17 @@ func ValidateSANsList(
 			priorityModifier: priorityModifierMaximum,
 		}
 
+	// If we're not given a list to process AND we are asked to ignore this,
+	// abort early.
+	case len(requiredEntries) == 0 && validationOptions.IgnoreValidationResultSANs:
+		return SANsListValidationResult{
+			certChain:         certChain,
+			leafCert:          leafCert,
+			validationOptions: validationOptions,
+			err:               nil,
+			ignored:           validationOptions.IgnoreValidationResultSANs,
+			priorityModifier:  priorityModifierBaseline,
+		}
 	}
 
 	// Assuming that the DNSNames slice is NOT already lowercase, so forcing