| -rw-r--r-- | src/ssl_mbedtls.cc | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/src/ssl_mbedtls.cc b/src/ssl_mbedtls.cc
index 10de993..876b076 100644
--- a/src/ssl_mbedtls.cc
+++ b/src/ssl_mbedtls.cc
@@ -2,10 +2,13 @@
 #include "common.hh"
+#include <cstring>
+#include <mbedtls/asn1write.h>
 #include <mbedtls/certs.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/entropy.h>
 #include <mbedtls/error.h>
+#include <mbedtls/oid.h>
 #include <mbedtls/pk.h>
 #include <mbedtls/rsa.h>
 #include <mbedtls/ssl.h>
@@ -433,6 +436,35 @@ private:
   }
 };
 
+int mbedtls_x509write_crt_set_subject_alt_name(
+    mbedtls_x509write_cert* ctx, const char* name) {
+  unsigned char buf[256];
+  unsigned char *c = buf + sizeof(buf);
+  int ret;
+  size_t len = 0;
+  size_t namelen;
+
+  if (name == NULL)
+    return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+
+  namelen = strlen(name);
+  MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_raw_buffer(&c, buf,
+      reinterpret_cast<const unsigned char*>(name), namelen));
+  MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, namelen));
+  MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf,
+      MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2));
+
+  MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
+  MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf,
+      MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE));
+
+  return mbedtls_x509write_crt_set_extension(
+      ctx,
+      MBEDTLS_OID_SUBJECT_ALT_NAME,
+      MBEDTLS_OID_SIZE(MBEDTLS_OID_SUBJECT_ALT_NAME),
+      1, c, len);
+}
+
 } // namespace
 
 // static
@@ -571,6 +603,11 @@ bool SSLCert::generate(Logger* logger, SSLEntropy* entropy,
     goto error;
   }
 
+  if (mbedtls_x509write_crt_set_subject_alt_name(&crt, host.c_str())) {
+    logerr(logger, ret, "Unable to set subject alt name");
+    goto error;
+  }
+
   if (mbedtls_mpi_fill_random(
       &serial, 32, mbedtls_ctr_drbg_random,
       static_cast<SSLEntropyImpl*>(entropy)->random())) {
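Review bot: The new helper hard-codes the GeneralName type as dNSName (`MBEDTLS_ASN1_CONTEXT_SPECIFIC | 2`), so when the caller's `host` is an IP literal the certificate carries a dNSName whose text is the dotted address rather than an iPAddress entry (tag 7, raw octets), and TLS peers that match the connection address against the SAN will not accept it; either document that only DNS hostnames are supported or have the caller detect the IP form and fail early. The function also lacks a header comment — suggest `// Builds a SubjectAltName extension holding a single dNSName and attaches it to ctx; returns 0 or an mbedtls error code (a name that does not fit in the 256-byte buf should fail with MBEDTLS_ERR_ASN1_BUF_TOO_SMALL from the bounds-checked writers rather than overflow).` Since the body already uses `reinterpret_cast`, `if (name == NULL)` should be `if (name == nullptr)`. Naming an internal helper `mbedtls_x509write_crt_set_subject_alt_name` makes it read like a library entry point; it lives in the anonymous namespace closed by `} // namespace`, so linkage is fine, but a project-style name would avoid confusion with any SAN setter a future mbedTLS release ships under the same prefix.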
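Review bot: The return value of `mbedtls_x509write_crt_set_subject_alt_name` is not captured, so the `ret` passed to `logerr` on the failure path is whatever an earlier call left in it, not this call's error code, and the log line will show a stale or zero value. Suggest `if ((ret = mbedtls_x509write_crt_set_subject_alt_name(&crt, host.c_str())) != 0) {`. The neighbouring `mbedtls_mpi_fill_random` call below uses the same unassigned pattern, so this may be a file-wide habit, but the new line at least should report the code it actually got. The enclosing `SSLCert::generate` starts and ends outside the hunk.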
