Sort the DNS Names in the SANs (opensearch-project#4624)

cwperks · Aug 13, 2024 · a6fb2d4 · a6fb2d4
1 parent 66a2840
commit a6fb2d4
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
@@ -34,11 +34,13 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -1186,7 +1188,10 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
                 ? cert.getSubjectAlternativeNames()
                 : null;
             if (altNames != null) {
-                Collection<List<?>> sans = new ArrayList<>();
+                Comparator<List<?>> comparator = Comparator.comparing((List<?> altName) -> (Integer) altName.get(0))
+                    .thenComparing((List<?> altName) -> (String) altName.get(1));
+
+                Set<List<?>> sans = new TreeSet<>(comparator);
                 for (List<?> altName : altNames) {
                     Integer type = (Integer) altName.get(0);
                     // otherName requires parsing to string

diff --git a/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java b/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java
@@ -54,7 +54,7 @@ public class SecuritySSLReloadCertsActionTests extends SingleClusterTest {
             "subject_dn",
             "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE",
             "san",
-            "[[8, 1.2.3.4.5.5], [0, [2.5.4.3, node-1.example.com]], [2, node-1.example.com], [2, localhost], [7, 127.0.0.1]]",
+            "[[0, [2.5.4.3, node-1.example.com]], [2, localhost], [2, node-1.example.com], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
             "not_before",
             "2023-04-14T13:22:53Z",
             "not_after",
@@ -69,7 +69,7 @@ public class SecuritySSLReloadCertsActionTests extends SingleClusterTest {
             "subject_dn",
             "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE",
             "san",
-            "[[8, 1.2.3.4.5.5], [0, [2.5.4.3, node-1.example.com]], [2, node-1.example.com], [2, localhost], [7, 127.0.0.1]]",
+            "[[0, [2.5.4.3, node-1.example.com]], [2, localhost], [2, node-1.example.com], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
             "not_before",
             "2023-04-14T13:23:00Z",
             "not_after",