From b4db1ce47a800603e489b93a69f04e5a61379a64 Mon Sep 17 00:00:00 2001
From: Emmanuel Bosquet
Date: Tue, 13 Feb 2024 15:44:55 +0100
Subject: [PATCH] change signature of get_cn_and_san_attributes

---
 command/src/certificate.rs | 20 ++++++++++----------
 command/src/state.rs       |  2 +-
 lib/src/tls.rs             |  9 ++++-----
 3 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/command/src/certificate.rs b/command/src/certificate.rs
index c81d99553..32ade6352 100644
--- a/command/src/certificate.rs
+++ b/command/src/certificate.rs
@@ -1,4 +1,4 @@
-use std::{collections::HashSet, fmt, str::FromStr};
+use std::{fmt, str::FromStr};
 
 use hex::{FromHex, FromHexError};
 use serde::de::{self, Visitor};
@@ -56,13 +56,10 @@ pub fn parse_x509(pem_bytes: &[u8]) -> Result
 
 /// Retrieve from the pem (as bytes) the common name (a.k.a `CN`) and the
 /// subject alternate names (a.k.a `SAN`)
-pub fn get_cn_and_san_attributes(pem_bytes: &[u8]) -> Result, CertificateError> {
-    let x509 = parse_x509(pem_bytes)
-        .map_err(|err| CertificateError::InvalidCertificate(err.to_string()))?;
-
-    let mut names: HashSet = HashSet::new();
+pub fn get_cn_and_san_attributes(x509: &X509Certificate) -> Vec {
+    let mut names: Vec = Vec::new();
     for name in x509.subject().iter_by_oid(&OID_X509_COMMON_NAME) {
-        names.insert(
+        names.push(
             name.as_str()
                 .map(String::from)
                 .unwrap_or_else(|_| String::from_utf8_lossy(name.as_slice()).to_string()),
@@ -74,13 +71,14 @@ pub fn get_cn_and_san_attributes(pem_bytes: &[u8]) -> Result, Ce
         if let ParsedExtension::SubjectAlternativeName(san) = extension.parsed_extension() {
             for name in &san.general_names {
                 if let GeneralName::DNSName(name) = name {
-                    names.insert(name.to_string());
+                    names.push(name.to_string());
                 }
             }
         }
     }
 
-    Ok(names)
+    names.dedup();
+    names
 }
 
 // -----------------------------------------------------------------------------
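Review bot: The doc comment kept above the new signature still says "Retrieve from the pem (as bytes)", but `get_cn_and_san_attributes` now takes an already-parsed `&X509Certificate` and can no longer fail, so the sentence describes the old contract and the removed error path. Suggested replacement: `/// Collect the common name (CN) and the DNS subject alternative names (SAN) of an already-parsed certificate; parsing, and reporting parse errors, is now the caller's job.` It would also help callers that use this list to decide which hostnames a certificate serves to state that only `GeneralName::DNSName` SAN entries are returned (IP-address and other general names are skipped, as the next hunk shows). The body of `get_cn_and_san_attributes` continues past this hunk.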
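Review bot: `names.dedup()` only removes adjacent duplicates, but the vector is built as the CN entries followed by the SAN entries in certificate order, so a CN that reappears later in the SAN list (`CN=example.com` with SAN `www.example.com, example.com`) stays in the result twice — the `HashSet` this replaces removed such duplicates regardless of position. Because the previous return type was a `HashSet`, no caller could have relied on ordering, so sorting first is safe: `names.sort_unstable(); names.dedup();`. If CN-first order is wanted by a caller outside this diff, an order-preserving filter — `let mut seen = HashSet::new(); names.retain(|n| seen.insert(n.clone()));` — works instead, at the cost of restoring the `collections::HashSet` import dropped in the first hunk. The enclosing function starts in the previous hunk.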
@@ -264,7 +262,9 @@ impl CertificateAndKey {
     pub fn get_overriding_names(&self) -> Result, CertificateError> {
         if self.names.is_empty() {
             let pem = parse_pem(self.certificate.as_bytes())?;
-            let overriding_names = get_cn_and_san_attributes(&pem.contents)?;
+            let x509 = parse_x509(&pem.contents)?;
+
+            let overriding_names = get_cn_and_san_attributes(&x509);
 
             Ok(overriding_names.into_iter().collect())
         } else {
diff --git a/command/src/state.rs b/command/src/state.rs
index c96748dd2..c5d31be84 100644
--- a/command/src/state.rs
+++ b/command/src/state.rs
@@ -13,7 +13,7 @@ use std::{
 use prost::{DecodeError, Message};
 
 use crate::{
-    certificate::{self, calculate_fingerprint, CertificateError, Fingerprint},
+    certificate::{calculate_fingerprint, CertificateError, Fingerprint},
     proto::{
         command::{
             request::RequestType, ActivateListener, AddBackend, AddCertificate, CertificateAndKey,
diff --git a/lib/src/tls.rs b/lib/src/tls.rs
index 586536cf9..299498f94 100644
--- a/lib/src/tls.rs
+++ b/lib/src/tls.rs
@@ -22,7 +22,9 @@ use rustls::{
 };
 use sha2::{Digest, Sha256};
 use sozu_command::{
-    certificate::{parse_pem, parse_x509, CertificateError, Fingerprint},
+    certificate::{
+        get_cn_and_san_attributes, parse_pem, parse_x509, CertificateError, Fingerprint,
+    },
     proto::command::{AddCertificate, CertificateAndKey, ReplaceCertificate, SocketAddress},
 };
 
@@ -86,6 +88,7 @@ impl TryFrom<&AddCertificate> for CertifiedKeyWrapper {
             parse_pem(cert.certificate.as_bytes()).map_err(CertificateResolverError::ParsePem)?;
 
         let x509 = parse_x509(&pem.contents).map_err(CertificateResolverError::ParseX509)?;
+        let overriding_names = get_cn_and_san_attributes(&x509);
 
         let expiration = add
             .expired_at
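Review bot: The new `parse_x509(&pem.contents)?` in `get_overriding_names` propagates whatever error `parse_x509` returns, whereas the old `get_cn_and_san_attributes` body (previous file hunk) wrapped an X.509 parse failure as `CertificateError::InvalidCertificate(err.to_string())`. `parse_x509`'s return type is not visible in this diff; if it already yields `CertificateError`, a malformed certificate now surfaces as a different variant than before, and any caller matching on `InvalidCertificate` silently stops matching — if it does not, a `From` impl must exist for this to compile and the variant still changes. Either keep the mapping explicit, `let x509 = parse_x509(&pem.contents).map_err(|err| CertificateError::InvalidCertificate(err.to_string()))?;`, or document the new error variant on `get_overriding_names`. The function's `else` branch continues outside this hunk.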
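Review bot: `overriding_names` is now derived from the certificate's CN/SAN alone, so the explicit `cert.names` list is no longer consulted in `TryFrom<&AddCertificate>`: the `cert.get_overriding_names()` call this replaces (removed in the following hunk) returned `self.names` whenever it was non-empty and fell back to CN/SAN only when it was empty, as the `get_overriding_names` hunk earlier in this diff shows. An operator who restricted or extended the hostnames a certificate is served for through `names` will presumably now get the certificate's own names instead, which changes which SNI hosts resolve to this key. If that is unintended, keep the override: `let overriding_names = if cert.names.is_empty() { get_cn_and_san_attributes(&x509) } else { cert.names.clone() };` (assuming `names` is a `Vec<String>`, as its `is_empty()` use suggests); if it is intended, the commit message and the `names` field documentation should state that `names` is ignored on this path. The rest of the `TryFrom` body, including where `overriding_names` is consumed, lies outside this hunk.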
@@ -118,10 +121,6 @@ impl TryFrom<&AddCertificate> for CertifiedKeyWrapper {
             _ => return Err(CertificateResolverError::EmptyKeys),
         };
 
-        let overriding_names = cert
-            .get_overriding_names()
-            .map_err(CertificateResolverError::ParseOverridingNames)?;
-
         match any_supported_type(&private_key) {
             Ok(signing_key) => {
                 let stored_certificate = CertifiedKeyWrapper {