From 27f60a7e7840f43c6bf24f028bfc5c96742822aa Mon Sep 17 00:00:00 2001
From: WiltonCarvalho <45881665+WiltonCarvalho@users.noreply.github.com>
Date: Sat, 18 May 2024 21:38:08 +0000
Subject: [PATCH] feat: Add support for subjectAlternativeName from CSR
---
 .../service/DefaultPkiOperations.kt | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/src/main/kotlin/org/nordix/simplepki/application/service/DefaultPkiOperations.kt b/src/main/kotlin/org/nordix/simplepki/application/service/DefaultPkiOperations.kt
index 51cf8f5..aec3623 100644
--- a/src/main/kotlin/org/nordix/simplepki/application/service/DefaultPkiOperations.kt
+++ b/src/main/kotlin/org/nordix/simplepki/application/service/DefaultPkiOperations.kt
@@ -29,6 +29,9 @@ import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder
 import org.bouncycastle.pkcs.PKCS10CertificationRequest
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers
+import org.bouncycastle.asn1.x509.Extensions
+import org.bouncycastle.asn1.x509.GeneralNames
 import org.nordix.simplepki.domain.model.PkiEntity
 import org.nordix.simplepki.domain.model.PkiOperations
 import org.nordix.simplepki.domain.model.RevocationEntry
@@ -64,6 +67,13 @@ internal class DefaultPkiOperations(private val clock: Clock) : PkiOperations {
 .addExtension(Extension.basicConstraints, true, CertificateSettings.NON_CA_BASIC_CONSTRAINTS)
 .addExtension(Extension.keyUsage, true, CertificateSettings.NON_CA_KEY_USAGES)
 .addExtension(Extension.extendedKeyUsage, true, CertificateSettings.EXTENDED_KEY_USAGES)
+
+ // Add the Subject Alternative Name (SAN) extension if present in the CSR
+ val sanExtension = getSubjectAlternativeNames(csr)
+ if (sanExtension != null) {
+ certificateBuilder.addExtension(Extension.subjectAlternativeName, false, sanExtension)
+ }
+
 val signer = JcaContentSignerBuilder(CertificateSettings.SIGNATURE_ALGORITHM)
 .build(ca.privateKey)
 return JcaX509CertificateConverter()
@@ -84,4 +94,18 @@ internal class DefaultPkiOperations(private val clock: Clock) : PkiOperations {
 return JcaX509CRLConverter()
 .getCRL(crlHolder)
 }
+
+ private fun getSubjectAlternativeNames(csr: PKCS10CertificationRequest): GeneralNames? {
+ val attributes = csr.attributes
+ for (attribute in attributes) {
+ if (attribute.attrType == PKCSObjectIdentifiers.pkcs_9_at_extensionRequest) {
+ val extensions = Extensions.getInstance(attribute.attrValues.getObjectAt(0))
+ val sanExtension = extensions.getExtension(Extension.subjectAlternativeName)
+ if (sanExtension != null) {
+ return GeneralNames.getInstance(sanExtension.parsedValue)
+ }
+ }
+ }
+ return null
+ }
 }
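Review bot: The SAN taken from the CSR is copied into the issued certificate verbatim at `certificateBuilder.addExtension(Extension.subjectAlternativeName, false, sanExtension)` with no check of the requested names, so whoever submits the CSR decides which DNS names, IP addresses or e-mail addresses the certificate asserts. Before that call the issuing path should validate the returned `GeneralNames` against what the requester is authorized for (or at least restrict them to the name types this CA intends to issue) and reject the CSR otherwise; the enclosing signing function starts and ends outside the hunk, so where such a check would live is not visible here. The null check would also read more idiomatically as `getSubjectAlternativeNames(csr)?.let { certificateBuilder.addExtension(Extension.subjectAlternativeName, false, it) }`. A comment such as `// Only the SAN requested in the CSR is honoured; basic constraints, key usage and EKU are fixed by the CA above` would make the intended policy explicit.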
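Review bot: `attribute.attrValues.getObjectAt(0)` in getSubjectAlternativeNames throws an unchecked ArrayIndexOutOfBoundsException when an extensionRequest attribute carries an empty value set, and `Extensions.getInstance` throws IllegalArgumentException when that value is not an Extensions SEQUENCE; since the CSR is caller-supplied, a malformed attribute would surface as an internal error rather than a rejected request. The iteration can be narrowed with `csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)` and written as a sequence chain instead of a Java-style loop with nested ifs. The rewrite below skips the empty-set case; an IllegalArgumentException from `Extensions.getInstance` still propagates and should presumably be mapped by the caller to an invalid-CSR response. A KDoc line stating that only the SAN extension is extracted and every other requested extension is deliberately ignored would document the intent; the hunk's final context line is the class's closing brace.
```kotlin
    /** Returns the SAN requested in the CSR's extensionRequest attribute, or null when none is present; all other requested extensions are ignored. */
    private fun getSubjectAlternativeNames(csr: PKCS10CertificationRequest): GeneralNames? =
        csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)
            .asSequence()
            .filter { it.attrValues.size() > 0 } // malformed attribute with no value: skip instead of indexing out of range
            .mapNotNull { Extensions.getInstance(it.attrValues.getObjectAt(0)).getExtension(Extension.subjectAlternativeName) }
            .map { GeneralNames.getInstance(it.parsedValue) }
            .firstOrNull()
```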