authorBjørn Christian Seime <bjorncs@oath.com>2018-04-17 16:12:35 +0200
committerBjørn Christian Seime <bjorncs@oath.com>2018-04-17 16:25:32 +0200
commitb65667463f7add415a7b1240da7a22ae384b1942 (patch)
treec21744a18496b9f07197bcc8624a419243b2251e /vespa-athenz/src/test
parentb9f6244b3cf0830ad423b41732e0279285bce7b8 (diff)
Add helper for extracting SANs from certificate
- Model SAN as type SubjectAlternativeName
- Add SubjectAlternativeName to csr and certificate builders
Diffstat (limited to 'vespa-athenz/src/test')
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java5
-rw-r--r--vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateUtilsTest.java25
2 files changed, 28 insertions, 2 deletions
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java
index bb2e80ba705..ea60511f39c 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/Pkcs10CsrTest.java
@@ -7,6 +7,7 @@ import java.security.KeyPair;
import java.util.Arrays;
import java.util.List;
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
@@ -19,8 +20,8 @@ public class Pkcs10CsrTest {
public void can_read_subject_alternative_names() {
X500Principal subject = new X500Principal("CN=subject");
KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
- String san1 = "san1.com";
- String san2 = "san2.com";
+ SubjectAlternativeName san1 = new SubjectAlternativeName(DNS_NAME, "san1.com");
+ SubjectAlternativeName san2 = new SubjectAlternativeName(DNS_NAME, "san2.com");
Pkcs10Csr csr = Pkcs10CsrBuilder.fromKeypair(subject, keypair, SignatureAlgorithm.SHA256_WITH_RSA)
.addSubjectAlternativeName(san1)
.addSubjectAlternativeName(san2)
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateUtilsTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateUtilsTest.java
index 847f49bf537..cc203011c0b 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateUtilsTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/tls/X509CertificateUtilsTest.java
@@ -1,5 +1,6 @@
package com.yahoo.vespa.athenz.tls;
+import org.hamcrest.Matchers;
import org.junit.Test;
import javax.security.auth.x500.X500Principal;
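Review bot: The added `import org.hamcrest.Matchers;` looks unused, because the new test reaches `is(...)` through the static import added in the next hunk and nothing visible refers to `Matchers.` by its qualified name. Unless code outside these hunks needs it, the line can be dropped. The static imports now also mix `CoreMatchers` and `Matchers`; `import static org.hamcrest.CoreMatchers.is;` would keep the file on a single matcher class.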
@@ -7,8 +8,12 @@ import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
+import java.util.List;
+import static com.yahoo.vespa.athenz.tls.SubjectAlternativeName.Type.DNS_NAME;
import static org.hamcrest.CoreMatchers.containsString;
+import static org.hamcrest.CoreMatchers.equalTo;
+import static org.hamcrest.Matchers.is;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertThat;
@@ -38,4 +43,24 @@ public class X509CertificateUtilsTest {
}
+ @Test
+ public void can_list_subject_alternative_names() {
+ KeyPair keypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
+ X500Principal subject = new X500Principal("CN=myservice");
+ SubjectAlternativeName san = new SubjectAlternativeName(DNS_NAME, "dns-san");
+ X509Certificate cert = X509CertificateBuilder
+ .fromKeypair(
+ keypair,
+ subject,
+ Instant.now(),
+ Instant.now().plus(1, ChronoUnit.DAYS),
+ SignatureAlgorithm.SHA256_WITH_RSA,
+ 1)
+ .addSubjectAlternativeName(san)
+ .build();
+
+ List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(cert);
+ assertThat(sans.size(), is(1));
+ assertThat(sans.get(0), equalTo(san));
+ }
}
\ No newline at end of file
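Review bot: can_list_subject_alternative_names only covers a certificate carrying exactly one DNS_NAME entry, so the helper's behaviour on a certificate with no SAN extension is left untested. The JDK's `X509Certificate.getSubjectAlternativeNames()` returns null in that case, and if `X509CertificateUtils.getSubjectAlternativeNames` wraps it (its implementation is outside this test-only diff), callers that match peer identities against the list would hit a NullPointerException instead of a clean rejection. A second test that builds the certificate without `addSubjectAlternativeName` and expects an empty list would pin this down; a case with several entries of different `SubjectAlternativeName.Type` values would also show that type and order survive, which applies to can_read_subject_alternative_names in Pkcs10CsrTest as well. `Instant.now()` is also read twice in the builder call; a single `Instant now = Instant.now();` keeps the validity window exact.

```java
    @Test
    public void returns_empty_list_for_certificate_without_subject_alternative_names() {
        // … unchanged: keypair and subject set up as in can_list_subject_alternative_names …
        Instant now = Instant.now();
        X509Certificate cert = X509CertificateBuilder
                .fromKeypair(keypair, subject, now, now.plus(1, ChronoUnit.DAYS), SignatureAlgorithm.SHA256_WITH_RSA, 1)
                .build();

        // Expected contract (to be confirmed against the helper): no SAN extension yields an empty list, never null.
        List<SubjectAlternativeName> sans = X509CertificateUtils.getSubjectAlternativeNames(cert);
        assertThat(sans.isEmpty(), is(true));
    }
```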