SubjectAlternativeName should be critical for empty subject

Required by Java as well as the Baseline Requirements, RFC5280, etc.

If the subject field of the certificate is an empty SEQUENCE, this
extension MUST be marked critical, as specified in RFC 5280, Section
4.2.1.6. Otherwise, this extension MUST NOT be marked critical.
Matthew McPherrin 2023-11-08 22:04:35 -05:00 committed by Richard Körber
parent 1cf53b6cf4
commit 78ccae6bc9
2 changed files with 3 additions and 1 deletions


@ -270,7 +270,8 @@ public final class CertificateUtils {
var extensions = attr[0].getAttrValues().toArray();
if (extensions.length > 0 && extensions[0] instanceof Extensions) {
var san = GeneralNames.fromExtensions((Extensions) extensions[0], Extension.subjectAlternativeName);
certBuilder.addExtension(Extension.subjectAlternativeName, false, san);
var critical = csr.getSubject().getRDNs().length == 0;
certBuilder.addExtension(Extension.subjectAlternativeName, critical, san);
}
}
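Review bot: The criticality flag is computed from the CSR's subject (`csr.getSubject().getRDNs().length == 0`), but RFC 5280 §4.2.1.6 ties it to the subject of the issued certificate; if certBuilder's subject is ever populated from something other than the CSR (the construction of certBuilder is outside this hunk), the two can disagree and the extension will be marked wrongly in exactly the case the commit is fixing. If the builder's subject is guaranteed to be copied from the CSR, a comment stating that invariant would make the coupling visible, e.g. `// RFC 5280 §4.2.1.6: SAN MUST be critical iff the certificate subject is empty; the builder's subject is taken from the CSR, so its RDN count is the right test`. Otherwise derive the flag from the name actually handed to the builder. Unrelated but worth noting: when the subject is empty RFC 5280 also requires the SAN to be present and non-empty, and `san` is passed through unchecked here, though that behaviour predates this change. The enclosing method continues outside the hunk.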


@ -218,6 +218,7 @@ public class CSRBuilderTest {
builder.addIdentifiers(Identifier.dns("ide2.nt"), Identifier.ip("192.168.5.6"));
builder.addIdentifiers(Arrays.asList(Identifier.dns("ide3.nt"), Identifier.ip("192.168.5.7")));
builder.setCommonName("abc.de");
builder.setCountry("XX");
builder.setLocality("Testville");
builder.setOrganization("Testing Co");