forgot to fix this and range over the certs

identity.go

@@ -846,8 +846,11 @@ func (e *AddressError) Unwrap() error {
 func ValidFor(id Identity, hostnameOrIp string) error {
 	var err error
 	// Check server certificate
-	if len(id.ServerCert()) > 0 {
-		err = id.ServerCert()[0].Leaf.VerifyHostname(hostnameOrIp)
+	for _, c := range id.ServerCert() {
+		err = c.Leaf.VerifyHostname(hostnameOrIp)
+		if err == nil {
+			return nil
+		}
 	}
 
 	// Check client certificate if server cert validation fails
@@ -858,6 +861,10 @@ func ValidFor(id Identity, hostnameOrIp string) error {
 	if err != nil {
 		return &AddressError{BaseErr: ErrInvalidAddressForIdentity, Host: hostnameOrIp, ValidFor: getUniqueAddresses(id)}
 	}
+	if len(id.ServerCert()) == 0 && id.Cert() == nil {
+		return &AddressError{BaseErr: ErrInvalidAddressForIdentity, Host: hostnameOrIp}
+	}
+
 	return nil
 }
 

token_test.go

@@ -247,3 +247,41 @@ func TestValidFor_NonWildcardCert(t *testing.T) {
 	err := id.ValidFor("ctrl.example.com")
 	require.ErrorIs(t, err, ErrInvalidAddressForIdentity)
 }
+
+func TestValidFor_ClientCertOnly(t *testing.T) {
+	leaf := &x509.Certificate{}
+	leaf.DNSNames = append(leaf.DNSNames, validDNS)
+	leaf.IPAddresses = append(leaf.IPAddresses, net.ParseIP(validIP4))
+	leaf.IPAddresses = append(leaf.IPAddresses, net.ParseIP(validIP6))
+
+	tlsCert := &tls.Certificate{Leaf: leaf}
+	mi := &mockIdentity{
+		serverCerts: []*tls.Certificate{tlsCert},
+		clientCert:  tlsCert,
+	}
+	id := &TokenId{
+		Identity: mi,
+		Token:    "",
+		Data:     nil,
+	}
+
+	require.NoError(t, id.ValidFor(validDNS))
+	require.NoError(t, id.ValidFor(validIP4))
+	require.NoError(t, id.ValidFor(validIP6))
+	require.ErrorIs(t, id.ValidFor(invalidDNS), ErrInvalidAddressForIdentity)
+}
+
+func TestValidFor_NoServerNoClient(t *testing.T) {
+	mi := &mockIdentity{
+		serverCerts: []*tls.Certificate{},
+		clientCert:  nil,
+	}
+	id := &TokenId{
+		Identity: mi,
+		Token:    "",
+		Data:     nil,
+	}
+
+	err := id.ValidFor("ctrl.example.com")
+	require.ErrorIs(t, err, ErrInvalidAddressForIdentity)
+}