a simple resolution for handling subjectAltName multiple DNS: names

kares · kares · commit 6230c5989a0d · 2016-11-04T18:43:19.000+01:00
#102
diff --git a/src/main/java/org/jruby/ext/openssl/X509ExtensionFactory.java b/src/main/java/org/jruby/ext/openssl/X509ExtensionFactory.java
@@ -42,6 +42,7 @@
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DLSequence;
 import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
 
 import org.jruby.Ruby;
 import org.jruby.RubyArray;
@@ -458,8 +459,13 @@ private ASN1Encodable parseIssuerAltName(final ThreadContext context, final Stri
 
     private static ASN1Encodable parseSubjectAltName(final String valuex) throws IOException {
         if ( valuex.startsWith(DNS_) ) {
-            final String dns = valuex.substring(DNS_.length());
-            return new GeneralName(GeneralName.dNSName, dns);
+            final String[] vals = valuex.split(",");
+            final GeneralName[] names = new GeneralName[vals.length];
+            for ( int i = 0; i < vals.length; i++ ) {
+                final String dns = vals[i].substring(DNS_.length());
+                names[i] = new GeneralName(GeneralName.dNSName, dns);
+            }
+            return new GeneralNames(names);
         }
         if ( valuex.startsWith(DNS_Name_) ) {
             final String dns = valuex.substring(DNS_Name_.length());
diff --git a/src/test/ruby/x509/test_x509ext.rb b/src/test/ruby/x509/test_x509ext.rb
@@ -126,4 +126,34 @@ def test_to_der_is_the_same_for_non_critical
     assert ext1.to_der != ext2.to_der
   end
 
+  def test_subject_alt_name_sign_to_pem
+    domain_list = 'test.example.com,test2.example.com,example.com,www.example.com'
+
+    rsa_key = OpenSSL::PKey::RSA.new(2048)
+    csr = OpenSSL::X509::Request.new
+    csr.subject = OpenSSL::X509::Name.new [ ["C", 'AU'], ["ST", "NSW"], ["O", 'org'], ["CN", 'www.example.com'] ]
+    csr.public_key = rsa_key.public_key
+
+    extensions = OpenSSL::ASN1::Set [ OpenSSL::ASN1::Sequence([ subject_alt_name(domain_list) ]) ]
+    csr.add_attribute(OpenSSL::X509::Attribute.new('extReq', extensions))
+    csr.add_attribute(OpenSSL::X509::Attribute.new('msExtReq', extensions))
+
+    csr.sign rsa_key, OpenSSL::Digest::SHA256.new
+
+    puts csr.to_text if $VERBOSE
+
+    csr = OpenSSL::X509::Request.new pem = csr.to_pem
+    assert_equal 2, csr.attributes.length
+    ext_set = csr.attributes.first.value ; seq = ext_set.first.value
+    assert_equal 'subjectAltName', seq.first.value.first.value
+    dns = seq.first.value.last.value
+    assert dns =~ /test.example.com.*?test2.example.com.*?example.com.*?www.example.com/
+  end
+
+  def subject_alt_name(domains)
+    ef = OpenSSL::X509::ExtensionFactory.new
+    ef.create_extension("subjectAltName", domains.split(',').map { |d| "DNS: #{d}" }.join(','))
+  end
+  private :subject_alt_name
+
 end
