From 78ccae6bc987473a313c25b746f3f84ec30095c7 Mon Sep 17 00:00:00 2001
From: Matthew McPherrin
Date: Wed, 8 Nov 2023 22:04:35 -0500
Subject: [PATCH] SubjectAlternativeName should be critical for empty subject

Required by Java as well as the Baseline Requirements, RFC5280, etc. If the subject field of the certificate is an empty SEQUENCE, this extension MUST be marked critical, as specified in RFC 5280, Section 4.2.1.6. Otherwise, this extension MUST NOT be marked critical.
---
 .../main/java/org/shredzone/acme4j/util/CertificateUtils.java | 3 ++-
 .../test/java/org/shredzone/acme4j/util/CSRBuilderTest.java | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/acme4j-client/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java b/acme4j-client/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java
index ba2d7bc2..c269c01b 100644
--- a/acme4j-client/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java
+++ b/acme4j-client/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java
@@ -270,7 +270,8 @@ public final class CertificateUtils {
 var extensions = attr[0].getAttrValues().toArray();
 if (extensions.length > 0 && extensions[0] instanceof Extensions) {
 var san = GeneralNames.fromExtensions((Extensions) extensions[0], Extension.subjectAlternativeName);
- certBuilder.addExtension(Extension.subjectAlternativeName, false, san);
+ var critical = csr.getSubject().getRDNs().length == 0;
+ certBuilder.addExtension(Extension.subjectAlternativeName, critical, san);
 }
 }
diff --git a/acme4j-client/src/test/java/org/shredzone/acme4j/util/CSRBuilderTest.java b/acme4j-client/src/test/java/org/shredzone/acme4j/util/CSRBuilderTest.java
index a1393ebe..071e9c16 100644
--- a/acme4j-client/src/test/java/org/shredzone/acme4j/util/CSRBuilderTest.java
+++ b/acme4j-client/src/test/java/org/shredzone/acme4j/util/CSRBuilderTest.java
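Review bot: The new `var critical = csr.getSubject().getRDNs().length == 0;` line derives criticality from the CSR's subject, whereas RFC 5280 §4.2.1.6 ties it to the subject field of the certificate being issued, so the flag is only right if `certBuilder` (constructed outside this hunk) was given `csr.getSubject()` unchanged; I would make that coupling explicit by computing both from one local, `var subject = csr.getSubject();`, and add the why-comment `// RFC 5280 §4.2.1.6: SAN MUST be critical iff the subject is an empty SEQUENCE` above the assignment, since the rule currently lives only in the commit message. The same section requires a SAN to be present whenever the subject is empty, yet `GeneralNames.fromExtensions` returns null when the CSR's extension request carries no subjectAltName and that null is then passed straight to `addExtension`; a guard such as `if (san == null) throw new IllegalArgumentException("CSR must request a subjectAltName");` would fail with a clear message instead of an NPE or a non-conforming certificate. The enclosing method starts before the hunk and appears to continue after it.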
@@ -218,6 +218,7 @@ public class CSRBuilderTest {
 builder.addIdentifiers(Identifier.dns("ide2.nt"), Identifier.ip("192.168.5.6"));
 builder.addIdentifiers(Arrays.asList(Identifier.dns("ide3.nt"), Identifier.ip("192.168.5.7")));
+ builder.setCommonName("abc.de");
 builder.setCountry("XX");
 builder.setLocality("Testville");
 builder.setOrganization("Testing Co");