From a6fb2d4880c55cddfbe5b88a3ef36c014a886ee4 Mon Sep 17 00:00:00 2001
From: Mehdi Bendriss
Date: Tue, 13 Aug 2024 16:43:51 +0100
Subject: [PATCH] Sort the DNS Names in the SANs (#4624)

---
 .../opensearch/security/ssl/DefaultSecurityKeyStore.java | 7 ++++++-
 .../security/ssl/SecuritySSLReloadCertsActionTests.java | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
index b697bbedff..9be2582b7f 100644
--- a/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
+++ b/src/main/java/org/opensearch/security/ssl/DefaultSecurityKeyStore.java
@@ -34,11 +34,13 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Comparator;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
 import java.util.Set;
+import java.util.TreeSet;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
@@ -1186,7 +1188,10 @@ public String getSubjectAlternativeNames(X509Certificate cert) {
 ? cert.getSubjectAlternativeNames()
 : null;
 if (altNames != null) {
- Collection> sans = new ArrayList<>();
+ Comparator> comparator = Comparator.comparing((List altName) -> (Integer) altName.get(0)) .thenComparing((List altName) -> (String) altName.get(1));
+
+ Set> sans = new TreeSet<>(comparator);
 for (List altName : altNames) {
 Integer type = (Integer) altName.get(0);
 // otherName requires parsing to string
diff --git a/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java b/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java
index 9669f17c7f..244967cf76 100644
--- a/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java
+++ b/src/test/java/org/opensearch/security/ssl/SecuritySSLReloadCertsActionTests.java
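Review bot: The secondary key extractor `(String) altName.get(1)` in the new comparator throws ClassCastException whenever two SANs tie on type and their second element is not a String, and the hunk's own `// otherName requires parsing to string` comment together with the test expectation `[0, [2.5.4.3, node-1.example.com]]` indicate that is exactly the case for otherName (type 0); per the JDK javadoc the raw entries for otherName, x400Address and ediPartyName are byte[] as well. Because `thenComparing` only runs on a tie, the updated test passes with a single otherName, but a certificate carrying two otherName SANs (a UPN plus a second custom OID is common) would make `getSubjectAlternativeNames` fail instead of listing them, which is a regression the old ArrayList did not have. Compare on a rendering that cannot throw, e.g. `.thenComparing((List<?> altName) -> altName.get(1) instanceof byte[] ? Arrays.toString((byte[]) altName.get(1)) : String.valueOf(altName.get(1)))` (Arrays is already imported). A TreeSet also drops entries the comparator deems equal, so duplicate SAN entries are now silently collapsed; a one-line comment such as `// TreeSet: duplicate (type, value) entries are intentionally collapsed` would make that explicit. The loop that populates `sans` continues past the end of the hunk, so what is actually inserted for type 0 is not visible here.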
@@ -54,7 +54,7 @@ public class SecuritySSLReloadCertsActionTests extends SingleClusterTest {
 "subject_dn",
 "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE",
 "san",
- "[[8, 1.2.3.4.5.5], [0, [2.5.4.3, node-1.example.com]], [2, node-1.example.com], [2, localhost], [7, 127.0.0.1]]",
+ "[[0, [2.5.4.3, node-1.example.com]], [2, localhost], [2, node-1.example.com], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
 "not_before",
 "2023-04-14T13:22:53Z",
 "not_after",
@@ -69,7 +69,7 @@ public class SecuritySSLReloadCertsActionTests extends SingleClusterTest {
 "subject_dn",
 "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE",
 "san",
- "[[8, 1.2.3.4.5.5], [0, [2.5.4.3, node-1.example.com]], [2, node-1.example.com], [2, localhost], [7, 127.0.0.1]]",
+ "[[0, [2.5.4.3, node-1.example.com]], [2, localhost], [2, node-1.example.com], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
 "not_before",
 "2023-04-14T13:23:00Z",
 "not_after",