SubjectAlternativeName should be critical for empty subject

Required by Java as well as the Baseline Requirements, RFC5280, etc.

If the subject field of the certificate is an empty SEQUENCE, this
extension MUST be marked critical, as specified in RFC 5280, Section
4.2.1.6. Otherwise, this extension MUST NOT be marked critical.

acme4j-client/src/main/java/org/shredzone/acme4j/util/CertificateUtils.java

@@ -270,7 +270,8 @@ public final class CertificateUtils {
                 var extensions = attr[0].getAttrValues().toArray();
                 if (extensions.length > 0 && extensions[0] instanceof Extensions) {
                     var san = GeneralNames.fromExtensions((Extensions) extensions[0], Extension.subjectAlternativeName);
-                    certBuilder.addExtension(Extension.subjectAlternativeName, false, san);
+                    var critical = csr.getSubject().getRDNs().length == 0;
+                    certBuilder.addExtension(Extension.subjectAlternativeName, critical, san);
                 }
             }
 

acme4j-client/src/test/java/org/shredzone/acme4j/util/CSRBuilderTest.java

@@ -218,6 +218,7 @@ public class CSRBuilderTest {
         builder.addIdentifiers(Identifier.dns("ide2.nt"), Identifier.ip("192.168.5.6"));
         builder.addIdentifiers(Arrays.asList(Identifier.dns("ide3.nt"), Identifier.ip("192.168.5.7")));
 
+        builder.setCommonName("abc.de");
         builder.setCountry("XX");
         builder.setLocality("Testville");
         builder.setOrganization("Testing Co");