in internal/cloudsql/tls_verify.go [131:157]
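// verifyCn checks that the certificate's Subject Common Name identifies the
// instance described by cn. The expected value is "<project>:<name>", built
// from cn.Project() and cn.Name().
//
// It returns nil on an exact, case-sensitive match. On an empty or mismatched
// CN it returns the error produced by errtype.NewDialError, whose message
// names the expected CN and which is also given cn.String().
//
// Only the CN string is compared here. This function performs no chain,
// validity-period or SAN checks, so it is an identity binding on top of
// certificate verification done elsewhere, not a replacement for it.
func verifyCn(cn instance.ConnName, cert *x509.Certificate) error {
	// Build the expected name first so both failure paths can report it.
	want := fmt.Sprintf("%s:%s", cn.Project(), cn.Name())
	got := cert.Subject.CommonName

	switch {
	case got == "":
		// An empty CN is reported separately from a mismatch. The message
		// carries the expected name; the original formatted the (empty)
		// certificate CN here, so it always read `expected ""`.
		return errtype.NewDialError(
			fmt.Sprintf("certificate CN was empty, expected %q", want),
			cn.String(),
			nil, // NOTE(review): presumably the wrapped cause; none applies here, confirm against errtype.
		)
	case got != want:
		// Byte-for-byte comparison: no case folding, trimming or wildcard
		// matching is applied to either side.
		return errtype.NewDialError(
			fmt.Sprintf("certificate had CN %q, expected %q", got, want),
			cn.String(),
			nil,
		)
	}
	return nil
}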