Verify DNS SANs if PermittedDNSDomains is set

builtin/credential/cert/path_login.go

@@ -439,12 +439,29 @@ func validateConnState(roots *x509.CertPool, cs *tls.ConnectionState) ([][]*x509
 		}
 	}
 
-	chains, err := certs[0].Verify(opts)
-	if err != nil {
-		if _, ok := err.(x509.UnknownAuthorityError); ok {
-			return nil, nil
+	var chains [][]*x509.Certificate
+	var err error
+	switch {
+	case len(certs[0].DNSNames) > 0:
+		for _, dnsName := range certs[0].DNSNames {
+			opts.DNSName = dnsName
+			chains, err = certs[0].Verify(opts)
+			if err != nil {
+				if _, ok := err.(x509.UnknownAuthorityError); ok {
+					return nil, nil
+				}
+				return nil, errors.New("failed to verify client's certificate: " + err.Error())
+			}
+		}
+	default:
+		chains, err = certs[0].Verify(opts)
+		if err != nil {
+			if _, ok := err.(x509.UnknownAuthorityError); ok {
+				return nil, nil
+			}
+			return nil, errors.New("failed to verify client's certificate: " + err.Error())
 		}
-		return nil, errors.New("failed to verify client's certificate: " + err.Error())
 	}
+
 	return chains, nil
 }

website/source/api/auth/cert/index.html.md

@@ -299,7 +299,11 @@ $ curl \
 ## Login with TLS Certificate Method
 
 Log in and fetch a token. If there is a valid chain to a CA configured in the
-method and all role constraints are matched, a token will be issued.
+method and all role constraints are matched, a token will be issued. If the
+certificate has DNS SANs in it, each of those will be verified. If Common Name
+is required to be verified, then it should be a fully qualified DNS domain name
+and must be duplicated as a DNS SAN (see
+https://tools.ietf.org/html/rfc6125#section-2.3)
 
 | Method   | Path                         | Produces               |
 | :------- | :--------------------------- | :--------------------- |