From 6b1f8a17311fa64b3fa81336644eb9d86e3d5d83 Mon Sep 17 00:00:00 2001 From: Andrew Gabbitas Date: Wed, 10 Mar 2021 00:01:32 -0700 Subject: [PATCH] Address review comments - Move profile.Subject() to inline where used - Reorder if/else in cert.go --- cmd/ceremony/cert.go | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/cmd/ceremony/cert.go b/cmd/ceremony/cert.go index f627a2030f7..d8cce298120 100644 --- a/cmd/ceremony/cert.go +++ b/cmd/ceremony/cert.go @@ -96,17 +96,7 @@ func (profile *certProfile) Subject() pkix.Name { } func (profile *certProfile) verifyProfile(ct certType) error { - if ct != requestCert { - if profile.NotBefore == "" { - return errors.New("not-before is required") - } - if profile.NotAfter == "" { - return errors.New("not-after is required") - } - if profile.SignatureAlgorithm == "" { - return errors.New("signature-algorithm is required") - } - } else { + if ct == requestCert { if profile.NotBefore != "" { return errors.New("not-before cannot be set for a CSR") } @@ -131,6 +121,16 @@ func (profile *certProfile) verifyProfile(ct certType) error { if profile.KeyUsages != nil { return errors.New("key-usages cannot be set for a CSR") } + } else { + if profile.NotBefore == "" { + return errors.New("not-before is required") + } + if profile.NotAfter == "" { + return errors.New("not-after is required") + } + if profile.SignatureAlgorithm == "" { + return errors.New("signature-algorithm is required") + } } if profile.CommonName == "" { return errors.New("common-name is required") 
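Review bot: verifyProfile, whose signature opens the `@@ -96,17 +96,7 @@` hunk, has no doc comment, and after the reorder the field policy it enforces is split between that hunk and the `@@ -131,6 +121,16 @@` one. I would add above the function: `// verifyProfile rejects a profile whose fields do not fit ct: a CSR (requestCert) must leave certificate-only fields such as not-before and key-usages unset, while every other type must set not-before, not-after and signature-algorithm.` The middle of the CSR branch and the end of the function lie outside both hunks, so the list of CSR-forbidden fields should be checked against the full body before the comment is committed. The new else branch only tests the three values for being non-empty; if their format and the permitted signature algorithms are validated elsewhere, the comment should say where, so that someone reviewing the ceremony configuration can confirm it.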
@@ -266,12 +266,11 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct return nil, errors.New("at least one key usage must be set") } - templateSubject := profile.Subject() cert := &x509.Certificate{ SerialNumber: big.NewInt(0).SetBytes(serial), BasicConstraintsValid: true, IsCA: true, - Subject: templateSubject, + Subject: profile.Subject(), OCSPServer: ocspServer, CRLDistributionPoints: crlDistributionPoints, IssuingCertificateURL: issuingCertificateURL, @@ -341,9 +340,8 @@ func (fr *failReader) Read([]byte) (int, error) { } func generateCSR(profile *certProfile, signer crypto.Signer) ([]byte, error) { - csrSubject := profile.Subject() csrDER, err := x509.CreateCertificateRequest(&failReader{}, &x509.CertificateRequest{ - Subject: csrSubject, + Subject: profile.Subject(), }, signer) if err != nil { return nil, fmt.Errorf("failed to create and sign CSR: %s", err)
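Review bot: In the `@@ -341,9 +340,8 @@` hunk, generateCSR formats the x509.CreateCertificateRequest failure with `%s`, which flattens the signer's error to text so callers cannot match it with errors.Is or errors.As; `return nil, fmt.Errorf("failed to create and sign CSR: %w", err)` keeps the chain. The `&failReader{}` passed as the random source on the same call would also benefit from a one-line comment saying why the library must not draw randomness from it. I assume the signer is expected to supply it, but only the Read signature is visible in the hunk header. The function body continues past the end of the hunk.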