shithub: riscv

--- a/sys/src/libsec/port/x509.c

+++ b/sys/src/libsec/port/x509.c

@@ -2741,9 +2741,10 @@

 static Ints15 oid_subjectAltName = {4, 2, 5, 29, 17 };

+static Ints15 oid_extensionRequest = { 7, 1, 2, 840, 113549, 1, 9, 14};

 static Elist*

-mkextensions(char *alts)

+mkextensions(char *alts, int req)

 	Elist *sl, *xl;

@@ -2750,8 +2751,12 @@

 	xl = nil;

 	if((sl = mkaltnames(alts)) != nil)

 		xl = mkextel(mkseq(sl), (Ints*)&oid_subjectAltName, xl);

-	if(xl != nil)

+	if(xl != nil){

+		if(req) return mkel(mkcont(mkseq(

+			mkel(mkoid((Ints*)&oid_extensionRequest),

+			mkel(mkset(mkel(mkseq(xl), nil)), nil))), 0), nil);

 		return mkel(mkcont(mkseq(xl), 3), nil);

+	}

 	return nil;

@@ -2807,7 +2812,7 @@

 			mkel(mkalg(ALG_rsaEncryption),

 			mkel(mkbits(pkbytes->data, pkbytes->len),

 			nil))),

-		mkextensions(alts)))))))));

+		mkextensions(alts, 0)))))))));

 	freebytes(pkbytes);

 	if(encode(e, &certinfobytes) != ASN_OK)

 		goto errret;

@@ -2875,7 +2880,7 @@

 			mkel(mkalg(ALG_rsaEncryption),

 			mkel(mkbits(pkbytes->data, pkbytes->len),

 			nil))),

-		mkextensions(alts)))));

+		mkextensions(alts, 1)))));

 	freebytes(pkbytes);

 	if(encode(e, &certinfobytes) != ASN_OK)

 		goto errret;